Hi,

I'm running 8.1-RELEASE on amd64.

I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind
a NAT and I'm having strange issues working with it. IPsec negotiation
succeeds but there are problems with sending traffic over the tunnel.

To actually be able to send a packet across the tunnel, I have to run a
tcpdump on the ethernet interface; only then do I start getting replies for my
packets, and the SA gets established on the server (as per the racoon log
maintained by the server). This is weird, but it's the only workaround for me
to start communicating over my tunnel.

I'm running a custom kernel[1]. The following are the values of the sysctl
knobs with 'ipsec' in their OID, in case my :

#v+
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.filtertunnel: 0
#v-

I was using pf as the firewall, but I disabled it using `pfctl -d` to avoid
any possibility of issues due to the firewall. I'm wondering if this is related
to kern/122562[2].

Also, after connecting/disconnecting the tunnel n times, I noticed my IPv4
address was gone from the interface; some messages appeared in my dmesg[3] and
beep sounds were generated. This happened yesterday too. To work around this
I had to re-assign the IPv4 address to the interface.

References:
[1]  http://people.freebsd.org/~ashish/ipsec/CHATEAU
[2]  http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/122562
[3]  http://people.freebsd.org/~ashish/ipsec/messages.kern

Thanks in advance
-- 
Ashish SHUKLA      | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

“The best way to predict the future is to implement it.” (David
Heinemeier Hansson)