Date:      Fri, 4 Jan 2002 16:09:15 -0500 
From:      "Cambria, Mike" <mcambria@avaya.com>
To:        "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Cc:        "Cambria, Mike" <mcambria@avaya.com>
Subject:   TCP connection via IPsec machine also running natd
Message-ID:  <3A6D367EA1EFD4118C9B00A0C9DD99D7065399@rerun.lucentctc.com>


I'm having problems connecting (e.g. telnet, ssh, ftp, etc.) to a machine
which is at the other end of an IPsec tunnel.  Passing data with machines,
via this tunnel, on subnets for which the tunnel endpoint is acting as a
router works just fine.

I'm using FreeBSD 4.4-Stable (cvsup'ed shortly after 4.4-Release) and have
an IPsec tunnel from one subnet at home to a machine at a friend's house.
The subnet at home is behind ipfw/natd and uses a cable modem (i.e. one IP
address) to access the Internet.  I'm using ipfw "simple" with one addition
to allow incoming TCP traffic from the friend's machine (also FreeBSD 4.4).

This _works_ fine for traffic to/from the subnet.  Encrypted packets hit
divert, get counted on the ipfw allow esp rule, are decrypted and are then
routed to the destination machine and vice versa.

Problems exist only with traffic from the remote (friend's) machine that
terminates at the ipfw/natd machine itself.  The IKE (racoon) ISAKMP-SA is
established just fine, an IPsec-SA is established for both directions and
the remote machine sends the (e.g.) telnet traffic encrypted.  The counters
for ipfw show the packet hitting the divert rule and that an ESP packet has
been received.  However, the connection never seems to make it to telnetd.
Before setting up IPsec, this worked just fine.

I tried again using the sock program (see Unix Network Programming, Vol. 1,
2nd ed.) to have more control, rule out inetd, etc., with the same results.
sock -s <ip address> <port> never returns from the listen call.

As I said earlier, packets which route through ipfw/natd get unencrypted and
make it to the remote subnet just fine. 

Looking at 'ipfw -a l' it seems that the ESP packets are being received
_after_ being diverted to natd, but just not sent to the socket:

[deleted]
01600 20 4384 divert 8668 ip from any to any via vx0
01700  0    0 deny ip from 10.0.0.0/8 to any via vx0
01800  0    0 deny ip from 172.16.0.0/12 to any via vx0
01900  0    0 deny ip from 192.168.0.0/16 to any via vx0
02000  0    0 deny ip from 0.0.0.0/8 to any via vx0
02100  0    0 deny ip from 169.254.0.0/16 to any via vx0
02200  0    0 deny ip from 192.0.2.0/24 to any via vx0
02300  0    0 deny ip from 224.0.0.0/4 to any via vx0
02400  0    0 deny ip from 240.0.0.0/4 to any via vx0
02500 19 4272 allow tcp from any to any established  (an ssh session I have
up to gather info on one PC)
02600  0    0 allow ip from any to any frag
02700  0    0 allow udp from any to any 500
02800  0    0 allow udp from any 500 to any
02900  1  112 allow esp from any to any     (the encrypted packet)

[deleted]

03500   0     0 allow tcp from <ip address> to 66.31.106.72 setup

[rest deleted]

Any thoughts on where to look next?  I don't see any counters for "deny"
rules going up, so I'm guessing that the unencrypted packet isn't getting
dropped due to one of my ipfw rules.  I also notice that the counter on my
firewall rule which explicitly allows session setup from my friend's machine
is not incrementing.
Any help appreciated.

Thanks,
MikeC



Michael C. Cambria
Consulting Engineer
voice: (978) 287 - 2807
  fax: (978) 381 - 6415
email: mcambria@avaya.com

Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
300 Baker Avenue
Concord, Massachusetts 01742


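A small helper, added here as an example and not part of the original post, that automates the comparison the poster is doing by eye: take two `ipfw -a list` snapshots (one before and one after a single test connection attempt) and report which rules' packet counters moved and which expected rules stayed silent. The listing text embedded in the block is constructed to resemble the poster's output; the rule bodies, the 192.0.2.x addresses and the function names are assumptions, not anything from the post or from FreeBSD itself.

```python
"""Diff two `ipfw -a list` snapshots to see which rules a test packet hit.

Added example, not part of the original mailing-list post. The snapshot
text below is constructed to resemble the poster's listing; in real use
the two strings would be the output of `ipfw -a list` captured before and
after sending one test connection attempt through the tunnel.
"""
import re
from dataclasses import dataclass

# One rule line of `ipfw -a list`: rule number, packet count, byte count, body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


@dataclass(frozen=True)
class Rule:
    number: int
    pkts: int
    bytes: int
    body: str

    @property
    def action(self) -> str:
        """First word of the body: allow, deny, divert, ..."""
        return self.body.split()[0]


def parse_ipfw_listing(text: str) -> dict[int, Rule]:
    """Parse a listing into {rule_number: Rule}.

    Lines that are not rules (e.g. '[deleted]' markers, wrapped annotation
    text) are skipped, and a trailing hand-written '(...)' note on a rule
    line is stripped so that only the rule body remains.
    """
    rules: dict[int, Rule] = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        body = re.sub(r"\s*\(.*$", "", m.group(4)).strip()
        number = int(m.group(1))
        rules[number] = Rule(number, int(m.group(2)), int(m.group(3)), body)
    return rules


def counter_delta(before: str, after: str) -> list[tuple[Rule, int, int]]:
    """Return (rule, packet_delta, byte_delta) for every rule present in both
    snapshots whose packet counter changed, in rule-number order."""
    b = parse_ipfw_listing(before)
    a = parse_ipfw_listing(after)
    out = []
    for num in sorted(a):
        if num not in b:
            continue
        dp = a[num].pkts - b[num].pkts
        db = a[num].bytes - b[num].bytes
        if dp:
            out.append((a[num], dp, db))
    return out


def silent_rules(before: str, after: str, expected: list[int]) -> list[int]:
    """Rule numbers from `expected` that saw no packets between the snapshots:
    the rules you thought would fire for the test packet but which did not."""
    hit = {r.number for r, _, _ in counter_delta(before, after)}
    return [n for n in expected if n not in hit]


# Constructed snapshots (placeholder 192.0.2.x addresses, not real hosts).
BEFORE = """\
[deleted]
01600 20 4384 divert 8668 ip from any to any via vx0
01700  0    0 deny ip from 10.0.0.0/8 to any via vx0
02500 19 4272 allow tcp from any to any established  (an ssh session)
02900  1  112 allow esp from any to any
03500  0    0 allow tcp from 192.0.2.10 to 192.0.2.20 setup
"""
AFTER = """\
[deleted]
01600 21 4496 divert 8668 ip from any to any via vx0
01700  0    0 deny ip from 10.0.0.0/8 to any via vx0
02500 19 4272 allow tcp from any to any established  (an ssh session)
02900  2  224 allow esp from any to any
03500  0    0 allow tcp from 192.0.2.10 to 192.0.2.20 setup
"""

if __name__ == "__main__":
    for rule, dp, db in counter_delta(BEFORE, AFTER):
        print(f"{rule.number:05d} +{dp} pkts +{db} bytes  {rule.action:6} {rule.body}")
    print("expected but silent:", silent_rules(BEFORE, AFTER, [2900, 3500]))
```

Run against real captures, a rule that moves only in the divert and `allow esp` counters, with the plaintext `setup` rule staying silent, tells you the packet was seen before decryption but that no second pass with the decrypted inner packet reached the rule you wrote for it, which is the pattern the poster describes.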