Date: Tue, 30 Dec 2014 16:22:05 +1100
From: Aristedes Maniatis <ari@ish.com.au>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: ipsec routing issue
Message-ID: <54A2367D.8030600@ish.com.au>
In-Reply-To: <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net>
On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>
>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari@ish.com.au> wrote:
>>
>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>
> No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.

# setkey -DP
203.29.62.128/25[any] 10.100.0.0/16[any] any
	in ipsec
	ipcomp/tunnel/202.161.111.54-202.127.223.110/use
	esp/tunnel/202.161.111.54-202.127.223.110/unique#16390
	spid=26 seq=3 pid=83060
	refcnt=1
203.29.62.128/25[any] 10.101.0.0/16[any] any
	in ipsec
	ipcomp/tunnel/202.161.111.54-202.127.223.110/use
	esp/tunnel/202.161.111.54-202.127.223.110/unique#16392
	spid=28 seq=2 pid=83060
	refcnt=1
10.100.0.0/16[any] 203.29.62.128/25[any] any
	out ipsec
	ipcomp/tunnel/202.127.223.110-202.161.111.54/use
	esp/tunnel/202.127.223.110-202.161.111.54/unique#16389
	spid=25 seq=1 pid=83060
	refcnt=1
10.101.0.0/16[any] 203.29.62.128/25[any] any
	out ipsec
	ipcomp/tunnel/202.127.223.110-202.161.111.54/use
	esp/tunnel/202.127.223.110-202.161.111.54/unique#16391
	spid=27 seq=0 pid=83060
	refcnt=1

Does that look right for a setup with two tunnels (two networks at one end) and compression enabled?

If racoon is showing the tunnels as UP:

2014-12-30 12:01:48: INFO: initiate new phase 2 negotiation: 202.127.223.110[500]<=>202.161.111.54[500]
2014-12-30 12:01:48: INFO: IPsec-SA established: ESP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=26332262(0x191cc66)
2014-12-30 12:01:48: INFO: IPsec-SA established: IPCOMP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=1336(0x538)
2014-12-30 12:01:48: INFO: IPsec-SA established: ESP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=91459320(0x5738ef8)
2014-12-30 12:01:48: INFO: IPsec-SA established: IPCOMP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=32553(0x7f29)

Am I right in saying that I would not get this far if setkey wasn't already correct?

But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network, except for the remote firewall itself, are not sent through the tunnel. I guess I'll need to add a route for those after all.

Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)

>> 2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall, don't I?
>
> Yes.

Then I think the FreeBSD handbook really needs adjustment because it explains that gif is a definite requirement.

>> 3. What does this mean:
>>
>> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
>>
>> Is that mask for the remote end or for the local end?
>
> Or just to be there.
>
>
>> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?
>
> For that you'll need enc(4) to do it properly. Check the man page for settings. You might want to change them off the defaults.

Until I recompile my kernel for ENC, can I assume that packet filter rules aren't going to be my problem here (other than the obvious rules which allow IPsec to be established, which is working)?

Thanks again

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
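An added example, not part of this thread or of FreeBSD: a small Python check over `setkey -DP` output that flags any out policy lacking a mirrored in policy (selector swapped, tunnel endpoints swapped, same transform list), which is the symmetry the four SPD entries quoted above should exhibit. The input is a constructed abridgement of that output with one in entry deliberately dropped so the check has something to report.

```python
import re

# Constructed sample in `setkey -DP` format: the 10.100.0.0/16 in/out pair from the
# message above, plus the 10.101.0.0/16 out policy without its in counterpart.
SPD = """\
203.29.62.128/25[any] 10.100.0.0/16[any] any
\tin ipsec
\tipcomp/tunnel/202.161.111.54-202.127.223.110/use
\tesp/tunnel/202.161.111.54-202.127.223.110/unique#16390
\tspid=26 seq=3 pid=83060
\trefcnt=1
10.100.0.0/16[any] 203.29.62.128/25[any] any
\tout ipsec
\tipcomp/tunnel/202.127.223.110-202.161.111.54/use
\tesp/tunnel/202.127.223.110-202.161.111.54/unique#16389
\tspid=25 seq=1 pid=83060
\trefcnt=1
10.101.0.0/16[any] 203.29.62.128/25[any] any
\tout ipsec
\tipcomp/tunnel/202.127.223.110-202.161.111.54/use
\tesp/tunnel/202.127.223.110-202.161.111.54/unique#16391
\tspid=27 seq=0 pid=83060
\trefcnt=1
"""

SELECTOR = re.compile(r"^(\S+) (\S+) \S+$")               # "src dst upperspec"
TUNNEL = re.compile(r"^(\w+)/tunnel/([\d.]+)-([\d.]+)/")  # "proto/tunnel/a-b/level"

def parse_spd(text):
    # Returns [(src, dst, direction, ((proto, tun_src, tun_dst), ...)), ...]
    policies, cur = [], None
    for line in text.splitlines():
        if not line.startswith("\t"):      # unindented selector line opens an entry
            m = SELECTOR.match(line)
            if m:
                cur = [m.group(1), m.group(2), None, []]
                policies.append(cur)
        elif line.strip().endswith(" ipsec"):   # "in ipsec" / "out ipsec"
            cur[2] = line.split()[0]
        else:
            t = TUNNEL.match(line.strip())
            if t:                           # ipcomp/esp tunnel transform
                cur[3].append(t.groups())
    return [(s, d, dr, tuple(tun)) for s, d, dr, tun in policies]

def unmirrored_out(policies):
    # Out policies with no in policy whose selector and tunnel endpoints are swapped
    ins = {(s, d, tun) for s, d, dr, tun in policies if dr == "in"}
    return [(s, d) for s, d, dr, tun in policies if dr == "out"
            and (d, s, tuple((p, far, near) for p, near, far in tun)) not in ins]
```

Feed it the real `setkey -DP` output instead of the sample and an empty result means every out policy has its in twin; a non-empty one names the selector pair to look at first.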