Date:      Tue, 18 Nov 2014 11:26:19 +0100
From:      Göran Löwkrantz <goran.lowkrantz@ismobile.com>
To:        VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: [MASSMAIL]Re: Problem with IPSec tunnel and normal routing
Message-ID:  <6F84B34B2AA9F9E37A9161FF@[172.16.2.28]>
In-Reply-To: <20141118100739.GB18512@zeninc.net>
References:  <A32EF05605EDD3E5EF0F7608@[172.16.2.28]> <20141118100739.GB18512@zeninc.net>

--On 18 Nov 2014 11:07:40 +0100 VANHULLEBUS Yvan <vanhu@FreeBSD.org> wrote:

> Hi.
>
>
> On Tue, Nov 18, 2014 at 10:52:50AM +0100, Göran Löwkrantz wrote:
>> We have a problem with a NanoBSD GW/Router that seems to get its
>> forwarding screwed up by an IPSec tunnel.
>>
>>   +----+                                       +-------+
>>   |    |         +----+                        |       |    +-- A
>> 2 -+    |         |    |                        |       |    |
>> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
>> 4 -+    |         |    |                        | endp  |    |
>>   |    |         +----+                        |       |    +-- C
>>   +----+                                       +-------+
>>
>> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
>> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
>> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
>>
>> DMZ   - em5 - XXX.XXX.XXX.128/27  - DMZ and transfer net to outside.
>> IPSec endp  - YYY.YYY.YYY.2
>>
>> Net A - 192.168.45.129/32
>> Net B - 192.168.45.130/32
>> Net C - 192.168.40.8/29
>>
>> Net 2 and Net 3 are set up to allow tunnel to Nets A, B and C.
>>
>> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
>> # 0 r274192
>> IKEv1 etc. is handled by strongswan-5.2.0_1
>> Left IPSec endpoint is a Clavister VPN GW.
>>
>> After a host on Net 3 has connected through the tunnel to
>> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
>> that host is received correctly at the GW on Net 3  (em1) but the
>> response from the GW is sent out via the DMZ interface em5.
>> Switching the host to Net 4 i.e. disconnecting the network cable and
>> starting the WiFi restores connectivity.
>>
>> Other hosts on Net 3 that have not communicated via the IPSec tunnel
>> are NOT affected.
>>
>> All routing seems to be correct on the GW so some other mechanism
>> must be at play.
>>
>> Any help appreciated.
>
> Could you please send us at least a dump of your SPD and routing
> configuration?
>
>
> Yvan.
> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            176.57.193.129     UGS         em5
10.191.251.0/24    10.191.251.2       UGS        tun0
10.191.251.1       link#12            UHS         lo0
10.191.251.2       link#12            UH         tun0
10.191.252.0/24    10.191.252.2       UGS        tun1
10.191.252.1       link#13            UHS         lo0
10.191.252.2       link#13            UH         tun1
10.191.253.0/24    10.191.253.2       UGS        tun2
10.191.253.1       link#14            UHS         lo0
10.191.253.2       link#14            UH         tun2
127.0.0.1          link#11            UH          lo0
176.57.193.128/27  link#6             U           em5
176.57.193.157     link#6             UHS         lo0
176.57.193.157/32  link#6             U           em5
176.57.193.158     link#6             UHS         lo0
192.168.2.0/24     link#3             U           em2
192.168.2.1        link#3             UHS         lo0
192.168.3.0/24     link#2             U           em1
192.168.3.1        link#2             UHS         lo0
192.168.4.0/24     link#1             U           em0
192.168.4.254      link#1             UHS         lo0
192.168.5.0/24     link#4             U           em3
192.168.5.254      link#4             UHS         lo0
192.168.9.0/24     link#5             U           em4
192.168.9.254      link#5             UHS         lo0
192.168.40.8/29    176.57.193.129     US          em5
192.168.45.129     176.57.193.129     UGHS        em5
192.168.45.130     176.57.193.129     UGHS        em5

Internet6:
Destination                       Gateway                       Flags Netif Expire
::/96                             ::1                           UGRS  lo0
default                           2a00:f680:101:1::1            UGS   em5
::1                               link#11                       UH    lo0
::ffff:0.0.0.0/96                 ::1                           UGRS  lo0
2a00:f680:101:1::/64              link#6                        U     em5
2a00:f680:101:1::fffd             link#6                        UHS   lo0
2a00:f680:101:1::fffe             link#6                        UHS   lo0
fe80::/10                         ::1                           UGRS  lo0
fe80::%em5/64                     link#6                        U     em5
fe80::230:48ff:feb9:99c9%em5      link#6                        UHS   lo0
fe80::%lo0/64                     link#11                       U     lo0
fe80::1%lo0                       link#11                       UHS   lo0
fe80::%tun0/64                    link#12                       U     tun0
fe80::21b:21ff:fe24:6248%tun0     link#12                       UHS   lo0
fe80::%tun1/64                    link#13                       U     tun1
fe80::21b:21ff:fe24:6248%tun1     link#13                       UHS   lo0
fe80::%tun2/64                    link#14                       U     tun2
fe80::21b:21ff:fe24:6248%tun2     link#14                       UHS   lo0
ff01::%em5/32                     fe80::230:48ff:feb9:99c9%em5  U     em5
ff01::%lo0/32                     ::1                           U     lo0
ff01::%tun0/32                    fe80::21b:21ff:fe24:6248%tun0 U     tun0
ff01::%tun1/32                    fe80::21b:21ff:fe24:6248%tun1 U     tun1
ff01::%tun2/32                    fe80::21b:21ff:fe24:6248%tun2 U     tun2
ff02::/16                         ::1                           UGRS  lo0
ff02::%em5/32                     fe80::230:48ff:feb9:99c9%em5  U     em5
ff02::%lo0/32                     ::1                           U     lo0
ff02::%tun0/32                    fe80::21b:21ff:fe24:6248%tun0 U     tun0
ff02::%tun1/32                    fe80::21b:21ff:fe24:6248%tun1 U     tun1
ff02::%tun2/32                    fe80::21b:21ff:fe24:6248%tun2 U     tun2
root@gw01:/data/home/admglz # setkey -D
No SAD entries.
root@gw01:/data/home/admglz # setkey -DP
192.168.45.130[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=84 seq=29 pid=51194
	refcnt=1
192.168.40.8/29[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=86 seq=28 pid=51194
	refcnt=1
192.168.45.130[any] 192.168.3.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=88 seq=27 pid=51194
	refcnt=1
192.168.40.8/29[any] 192.168.3.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=90 seq=26 pid=51194
	refcnt=1
192.168.45.129[any] 10.191.251.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=92 seq=25 pid=51194
	refcnt=1
192.168.45.130[any] 10.191.251.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=94 seq=24 pid=51194
	refcnt=1
192.168.40.8/29[any] 10.191.251.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=96 seq=23 pid=51194
	refcnt=1
192.168.45.129[any] 10.191.252.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=98 seq=22 pid=51194
	refcnt=1
192.168.45.130[any] 10.191.252.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=100 seq=21 pid=51194
	refcnt=1
192.168.40.8/29[any] 10.191.252.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=102 seq=20 pid=51194
	refcnt=1
192.168.45.129[any] 10.191.253.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=104 seq=19 pid=51194
	refcnt=1
192.168.45.130[any] 10.191.253.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=106 seq=18 pid=51194
	refcnt=1
192.168.40.8/29[any] 10.191.253.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=108 seq=17 pid=51194
	refcnt=1
192.168.45.129[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 10:19:57 2014  lastused: Nov 18 10:19:57 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=112 seq=16 pid=51194
	refcnt=1
192.168.45.129[any] 192.168.3.0/24[any] any
	in ipsec
	esp/tunnel/92.254.132.2-176.57.193.158/unique:1
	created: Nov 18 11:09:30 2014  lastused: Nov 18 11:09:30 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=114 seq=15 pid=51194
	refcnt=1
192.168.2.0/24[any] 192.168.45.130[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=83 seq=14 pid=51194
	refcnt=1
192.168.2.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=85 seq=13 pid=51194
	refcnt=1
192.168.3.0/24[any] 192.168.45.130[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=87 seq=12 pid=51194
	refcnt=1
192.168.3.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=89 seq=11 pid=51194
	refcnt=1
10.191.251.0/24[any] 192.168.45.129[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=91 seq=10 pid=51194
	refcnt=1
10.191.251.0/24[any] 192.168.45.130[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=93 seq=9 pid=51194
	refcnt=1
10.191.251.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=95 seq=8 pid=51194
	refcnt=1
10.191.252.0/24[any] 192.168.45.129[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=97 seq=7 pid=51194
	refcnt=1
10.191.252.0/24[any] 192.168.45.130[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=99 seq=6 pid=51194
	refcnt=1
10.191.252.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=101 seq=5 pid=51194
	refcnt=1
10.191.253.0/24[any] 192.168.45.129[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=103 seq=4 pid=51194
	refcnt=1
10.191.253.0/24[any] 192.168.45.130[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=105 seq=3 pid=51194
	refcnt=1
10.191.253.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=107 seq=2 pid=51194
	refcnt=1
192.168.2.0/24[any] 192.168.45.129[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 10:19:57 2014  lastused: Nov 18 10:19:57 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=111 seq=1 pid=51194
	refcnt=1
192.168.3.0/24[any] 192.168.45.129[any] any
	out ipsec
	esp/tunnel/176.57.193.158-92.254.132.2/unique:1
	created: Nov 18 11:09:30 2014  lastused: Nov 18 11:09:30 2014
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=113 seq=0 pid=51194
	refcnt=1
root@gw01:/data/home/admglz # ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64):
  uptime: 3 days, since Nov 15 09:32:27 2014
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon curl aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
  192.168.4.254
  192.168.3.1
  192.168.2.1
  192.168.5.254
  192.168.9.254
  176.57.193.158
  2a00:f680:101:1::fffe
  176.57.193.157
  2a00:f680:101:1::fffd
  10.191.251.1
  10.191.252.1
  10.191.253.1
Connections:
     net-net:  176.57.193.158...92.254.132.2  IKEv1
     net-net:   local:  [176.57.193.158] uses pre-shared key authentication
     net-net:   remote: [92.254.132.2] uses pre-shared key authentication
     net-net:   child:  192.168.2.0/24 192.168.3.0/24 10.191.251.0/24 10.191.252.0/24 10.191.253.0/24 === 192.168.45.129/32 192.168.45.130/32 192.168.40.8/29 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   192.168.2.0/24 192.168.3.0/24 10.191.251.0/24 10.191.252.0/24 10.191.253.0/24 === 192.168.45.129/32 192.168.45.130/32 192.168.40.8/29
Security Associations (1 up, 0 connecting):
     net-net[6]: ESTABLISHED 72 minutes ago, 176.57.193.158[176.57.193.158]...92.254.132.2[92.254.132.2]
     net-net[6]: IKEv1 SPIs: c71206a4eb076dde_i 1587c4b0b11e1003_r*, pre-shared key reauthentication in 6 hours
     net-net[6]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

/glz
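The two dumps in this message are looked up independently by the kernel: the forwarding decision is a longest-prefix match over the routing table, and the IPsec decision is a selector match over the SPD, and only the combination tells you which interface a given flow will leave on and whether it is supposed to be encapsulated. The script below is an added example written for this thread, not code from the thread, from strongSwan or from FreeBSD. It parses constructed excerpts in the exact `netstat -rn` and `setkey -DP` formats shown above and performs both lookups for a flow; the excerpt contents, the function names and the sample host 192.168.3.10 are assumptions made for the example.

```python
"""Correlate a FreeBSD routing table with an IPsec SPD dump for a flow.

Added example (not from the thread): route lookup is a longest-prefix match
over `netstat -rn` lines, policy lookup is a selector match over `setkey -DP`
output. Running both for the same src/dst makes it explicit that a host route
to a tunnelled destination and the SPD entry for it are separate things.
"""
import ipaddress
import re

# Constructed excerpts (IPv4 only) in the formats shown in the thread.
ROUTES_TEXT = """\
default            176.57.193.129     UGS         em5
176.57.193.128/27  link#6             U           em5
192.168.2.0/24     link#3             U           em2
192.168.3.0/24     link#2             U           em1
192.168.40.8/29    176.57.193.129     US          em5
192.168.45.129     176.57.193.129     UGHS        em5
192.168.45.130     176.57.193.129     UGHS        em5
"""

SPD_TEXT = """\
192.168.45.129[any] 192.168.3.0/24[any] any
\tin ipsec
\tesp/tunnel/92.254.132.2-176.57.193.158/unique:1
\tspid=114 seq=15 pid=51194
192.168.3.0/24[any] 192.168.45.129[any] any
\tout ipsec
\tesp/tunnel/176.57.193.158-92.254.132.2/unique:1
\tspid=113 seq=0 pid=51194
192.168.2.0/24[any] 192.168.40.8/29[any] any
\tout ipsec
\tesp/tunnel/176.57.193.158-92.254.132.2/unique:1
\tspid=85 seq=13 pid=51194
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
DIRECTION_RE = re.compile(r"^\s+(in|out|fwd) (ipsec|discard|none)$")
TUNNEL_RE = re.compile(r"^\s+(esp|ah)/tunnel/([^-\s]+)-([^/\s]+)/")
SPID_RE = re.compile(r"^\s+spid=(\d+)")


def _to_network(dest):
    """'default' -> 0.0.0.0/0; a bare address (host route) -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(dest, strict=False)


def parse_routes(text):
    """Parse 'Destination Gateway Flags Netif' lines of netstat -rn."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        routes.append({"net": _to_network(dest), "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match, as the forwarding path does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["net"].prefixlen)


def parse_spd(text):
    """Parse setkey -DP blocks: selector line, then indented detail lines."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(3), strict=False),
                   "proto": m.group(5), "dir": None, "action": None,
                   "tunnel": None, "spid": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIRECTION_RE.match(line)
        if m:
            cur["dir"], cur["action"] = m.group(1), m.group(2)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            cur["tunnel"] = (m.group(2), m.group(3))  # (local, remote)
            continue
        m = SPID_RE.match(line)
        if m:
            cur["spid"] = int(m.group(1))
    return policies


def policy_lookup(policies, src, dst):
    """Policies whose selectors cover the flow, in SPD order (first wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies if s in p["src"] and d in p["dst"]]


def describe_flow(routes, policies, src, dst):
    """Both lookups for one flow: where it routes and which SPD entry applies."""
    route = route_lookup(routes, dst)
    pols = policy_lookup(policies, src, dst)
    return {"route_netif": route["netif"] if route else None,
            "route_gateway": route["gateway"] if route else None,
            "host_route": bool(route and "H" in route["flags"]),
            "policies": [(p["spid"], p["dir"], p["tunnel"]) for p in pols]}


if __name__ == "__main__":
    R, P = parse_routes(ROUTES_TEXT), parse_spd(SPD_TEXT)
    for src, dst in [("192.168.3.10", "192.168.45.129"),
                     ("192.168.45.129", "192.168.3.10"),
                     ("192.168.3.10", "192.168.40.10")]:
        print(src, "->", dst, describe_flow(R, P, src, dst))
```

The third flow in the usage block is deliberately one with a route (the `192.168.40.8/29 ... US em5` entry) but no matching policy for its source net, which is the kind of gap worth listing before looking elsewhere: a packet that hits such a pair leaves on em5 in the clear, while a flow that matches an `out ipsec` policy is handed to the tunnel regardless of which interface the plain route points at.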
