From: Zeus V Panchenko <zeus@ibs.dn.ua>
To: freebsd-ipfw@freebsd.org
Date: Wed, 3 Aug 2011 23:01:13 +0300
Message-ID: <20110803200113.GC6930@relay.ibs.dn.ua>
Subject: weird results while ipsec + ipfw_nat (nat before vpn)
List-Id: IPFW Technical Discussions

Hi,

I faced a situation that is weird to me; may somebody agree to help me win it, please?

We need to see some http/s resources behind the Cisco PIX IPSEC.
I'm trying to get this schema working:

SCHEMA (`nat before vpn' as I believe):
--------------

  +-> a.a.0.1/16 LAN
  |
  +-> a.a.a.2/24 FreeBSD b.b.b.1 <-> c.c.c.1/24 IPSEC PEER PIX
                 |                                   |
                 + x.x.x.x <-------> y.y.y.y +

CONFIGURATION:
--------------

> uname -a
FreeBSD 8.2-STABLE #3: Tue Aug 2 15:39:33 EEST 2011 i386

> cat /etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0"
ifconfig_bge0="inet x.x.x.x/25"
ifconfig_bge1="inet a.a.a.2/24"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ipfw_enable="YES"
ipfw_nat_enable="YES"
...

In the kernel I have:

options IPSEC
options IPSEC_DEBUG
device crypto
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options LIBALIAS

> cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
spdadd b.b.b.1 c.c.c.0/24 any -P out ipsec \
    esp/tunnel/x.x.x.x-y.y.y.y/require;
spdadd c.c.c.0/24 b.b.b.1 any -P in ipsec \
    esp/tunnel/y.y.y.y-x.x.x.x/require;

> cat /etc/ipfw.conf
...
add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse

WHAT I DO:
--------------

1) trying to ping the IPSEC PEER from the LAN

user@a.a.a.20> ping c.c.c.1

c.c.c.1 reply packets are coming in and are decrypted, but the replies
don't reach the ping initiator a.a.a.20.

Box a.a.a.20 reports ping statistics:
450 packets transmitted, 0 packets received, 100.0% packet loss

At the FreeBSD box I see:

user@FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
...
13:27:18.122542 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2903, length 64
13:27:19.123275 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2904, length 64
13:27:20.124517 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2905, length 64
13:27:21.125568 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2906, length 64

On the WAN I see this:

user@FreeBSD> tcpdump -n -i bge0 esp
...
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132

So, ipsec and ipfw_nat out work, but where are the reply packets
disappearing to after coming to the gif0 interface? Why does no backward
divert occur?

2) trying to ping the IPSEC PEER from the FreeBSD box

user@b.b.b.1> ping c.c.c.1

Everything works since no nat occurs ...

user@b.b.b.1> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, length 64
13:45:57.760745 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, length 64
13:45:58.762787 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, length 64
13:45:59.765493 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, length 64
13:46:00.764619 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, length 64
13:46:01.765676 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, length 64

user@b.b.b.1> tcpdump -n -ettt -s0 -i bge0 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132

So, is it possible to get it working? If yes, where is my mistake, please?

-- 
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)
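As an added example (not from the message and not FreeBSD's own code), a small Python model of the one check worth making on rule 00502 above: ipfw hands a packet to a nat instance only when the packet matches the body of a rule whose action is `nat`, so a body that names only the LAN-to-peer direction has to be tested against the reply direction as well. The addresses are constructed stand-ins for the placeholders in the post, and `body_via_gif0` is an assumed alternative rule body for comparison, not something the post contains.

```python
"""Model of ipfw nat matching per direction (added example, not from the post).

ipfw passes a packet to libalias only if it matches the body of a 'nat <n>'
rule. body_00502 models rule 00502 from the message; body_via_gif0 models an
assumed 'all from any to any via gif0' body. Constructed stand-in addresses:
a.a.1.0/24 -> 10.1.0.0/24, a.a.2.0/24 -> 10.2.0.0/24, b.b.b.1 -> 172.16.0.1,
c.c.c.0/24 -> 192.168.100.0/24.
"""
import ipaddress

LAN_NETS = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]
PEER_NET = ipaddress.ip_network("192.168.100.0/24")
NAT_IP = "172.16.0.1"                  # 'nat 100 config ... ip b.b.b.1'
LAN_HOST, PEER = "10.1.0.20", "192.168.100.1"


def body_00502(src, dst, iface):
    """'all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24': LAN -> peer only."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net for net in LAN_NETS) and d in PEER_NET


def body_via_gif0(src, dst, iface):
    """'all from any to any via gif0': both directions on the tunnel interface."""
    return iface == "gif0"


def run_exchange(rule_body):
    """Push one echo request/reply pair through the modelled nat rule.

    Returns (request source after outbound processing,
             reply destination after inbound processing).
    A reply destination of LAN_HOST means libalias de-NATed it; NAT_IP means
    the reply never matched the rule and stayed addressed to the box itself.
    """
    table = {}  # libalias state: peer address -> original LAN source

    # outbound on gif0: LAN host -> peer; source rewritten to NAT_IP on match
    src, dst = LAN_HOST, PEER
    if rule_body(src, dst, "gif0"):
        table[dst] = src
        src = NAT_IP

    # inbound on gif0 after ESP decapsulation: peer -> NAT_IP; the original
    # destination is restored only if the packet reaches the nat action
    rsrc, rdst = PEER, NAT_IP
    if rule_body(rsrc, rdst, "gif0"):
        rdst = table.get(rsrc, rdst)
    return src, rdst


if __name__ == "__main__":
    for body in (body_00502, body_via_gif0):
        print(body.__name__, run_exchange(body))
```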