From owner-freebsd-questions@FreeBSD.ORG Sun Jun 26 22:21:48 2011
Message-ID: <4E07AA9F.90509@gmail.com>
Date: Mon, 27 Jun 2011 00:54:39 +0300
From: NutipA
To: questions@FreeBSD.org
Subject: Traffic ignore security policies for SA in IPSec site-to-site connection
First of all, I apologize if I chose the wrong mailing list.

I need to establish an IPsec site-to-site connection between two offices as shown below:

LAN1 (192.168.1.0/24)
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP (X.X.X.X)
|
|
internet
|
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPPoE (X.X.X.X)
|
LAN2 (192.168.10.0/24)

The connection between the two gateways has been successfully established. All traffic between the two VPN gateways with global addresses X.X.X.X and Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this traffic as packets with ESP headers in my sniffer. Then I added static routes to each LAN. But when I ping any private address in LAN2 from my computer (192.168.1.102) I see the following output in tcpdump on the LAN1 gateway:

19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y: IP 192.168.1.102 > 192.168.10.1: ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)

The traffic hasn't been encrypted and processed by IPsec! It has rather been placed only in the gif interface, and of course the remote site is not responding. So the IP packets ignore the security policies for the SA:

192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
        spid=5 seq=0 pid=23533
        refcnt=1

As I understand it, the traffic from client machines in any direction should look like this:

21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66), length 116

Please help me to solve this strange problem.
I have created a test environment (5 virtual machines) and everything was OK! The only difference was that the tests were run in several private local networks, without an ISP and pptp/pppoe interfaces. Also, on the advice of other people, I need to try it without the gif interface, but all my tests were made according to the handbook article.

P.S. I have attached my configs and the output of some commands, because my message is too big.

[Attachment: ipsec_configs.txt]
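An added example (not part of the message or of any FreeBSD tool) that parses the two setkey -DP entries quoted above and runs the SPD lookup for both the inner ping packet and the gif-encapsulated packet that actually leaves the gateway (gateway to gateway, IP protocol 4). It assumes the SPD is consulted on the packet as it is emitted, and it substitutes constructed TEST-NET addresses for the author's X.X.X.X / Y.Y.Y.Y placeholders:

```python
import ipaddress

# Constructed stand-ins for the author's X.X.X.X / Y.Y.Y.Y placeholders (TEST-NET addresses).
GW_LOCAL, GW_REMOTE = "198.51.100.1", "203.0.113.1"

# The two SPD entries quoted in the message (setkey -DP), placeholders substituted.
SPD_OUTPUT = f"""\
192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/{GW_REMOTE}-{GW_LOCAL}/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/{GW_LOCAL}-{GW_REMOTE}/use
        spid=5 seq=0 pid=23533
        refcnt=1
"""

def parse_spd(text):
    """Turn setkey -DP output into a list of dicts: selector, direction, action, SA spec, level."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not line.startswith(" "):                 # unindented line = selector of a new entry
            src, dst, proto = fields
            policies.append({"src": ipaddress.ip_network(src.split("[")[0]),
                             "dst": ipaddress.ip_network(dst.split("[")[0]),
                             "proto": proto, "dir": None, "action": None, "sa": None, "level": None})
        elif fields[0] in ("in", "out", "fwd"):      # e.g. "out ipsec" or "in discard"
            policies[-1]["dir"], policies[-1]["action"] = fields
        elif fields[0].startswith(("esp/", "ah/", "ipcomp/")):   # e.g. esp/tunnel/A-B/use
            policies[-1]["sa"] = fields[0]
            policies[-1]["level"] = fields[0].rsplit("/", 1)[1]   # "use" passes in clear if no SA exists
    return policies

def lookup(policies, src, dst, proto, direction):
    """Return the first SPD entry whose selector covers the packet, or None (-> sent in clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"] and p["proto"] in ("any", proto):
            return p
    return None

SPD = parse_spd(SPD_OUTPUT)
# Inner packet from the tcpdump line in the message: ping 192.168.1.102 -> 192.168.10.1.
INNER = lookup(SPD, "192.168.1.102", "192.168.10.1", "icmp", "out")
# The same packet after gif encapsulation: gateway -> gateway, IP protocol 4 (ipip).
OUTER = lookup(SPD, GW_LOCAL, GW_REMOTE, "ipip", "out")
```

INNER resolves to the outbound tunnel policy, while OUTER matches no entry, which is the cleartext ipip-proto-4 packet the tcpdump line shows.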