Hi,
I faced a situation that is weird to me; may somebody agree to help me win it,
please?
We need to see some HTTP/S resources behind the Cisco PIX IPsec peer.
I'm trying to get this schema working:
SCHEMA (`nat before vpn', as I believe):
--------------
+-> a.a.0.1/16 LAN
|
+-> a.a.a.2/24 FreeBSD b.b.b.1 <-> c.c.c.1/24 IPSEC PEER PIX
               |                              |
               + x.x.x.x <-------> y.y.y.y +
CONFIGURATION:
--------------
> uname -a
FreeBSD 8.2-STABLE #3: Tue Aug 2 15:39:33 EEST 2011 i386
> cat /etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0"
ifconfig_bge0="inet x.x.x.x/25"
ifconfig_bge1="inet a.a.a.2/24"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ipfw_enable="YES"
ipfw_nat_enable="YES"
...
In the kernel I have:
options IPSEC
options IPSEC_DEBUG
device crypto
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options LIBALIAS
> cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
spdadd b.b.b.1 c.c.c.0/24 any -P out ipsec \
esp/tunnel/x.x.x.x-y.y.y.y/require;
spdadd c.c.c.0/24 b.b.b.1 any -P in ipsec \
esp/tunnel/y.y.y.y-x.x.x.x/require;
> cat /etc/ipfw.conf
...
add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse
WHAT I DO:
--------------
1)
Trying to ping the IPSEC PEER from the LAN:
user@a.a.a.20> ping c.c.c.1
c.c.c.1 reply packets are coming in and are decrypted, but the replies don't
reach the ping initiator a.a.a.20.
box a.a.a.20 reports ping statistics:
450 packets transmitted, 0 packets received, 100.0% packet loss
At the FreeBSD box I see:
user@FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
...
13:27:18.122542 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2903, length 64
13:27:19.123275 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2904, length 64
13:27:20.124517 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2905, length 64
13:27:21.125568 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2906, length 64
On the WAN I see this:
user@FreeBSD> tcpdump -n -i bge0 esp
...
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132
So, IPsec and ipfw_nat out work, but where are the reply packets disappearing to
after coming in on the gif0 interface?
Why does no backward divert occur?
2)
Trying to ping the IPSEC PEER from the FreeBSD box:
user@FreeBSD> ping c.c.c.1
everything works, since no NAT occurs ...
user@FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, length 64
13:45:57.760745 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, length 64
13:45:58.762787 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, length 64
13:45:59.765493 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, length 64
13:46:00.764619 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, length 64
13:46:01.765676 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, length 64
user@FreeBSD> tcpdump -n -ettt -s0 -i bge0 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132
So, is it possible to get it working?
If yes, where is my mistake, please?
--
Zeus V. Panchenko
JID:[email protected] GMT+2 (EET)
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
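An added illustration, not part of the post above and not FreeBSD's own code: a small Python model of how ipfw walks its rule list before handing a packet to a libalias NAT instance. It reproduces the asymmetry of the posted rule 00502, whose body names only the LAN networks as source and c.c.c.0/24 as destination, so the peer's reply (c.c.c.1 > b.b.b.1, arriving in on gif0) never matches that rule and is never de-aliased, while a second, constructed rule set that matches all traffic crossing gif0 in both directions maps the reply back to the LAN host. The addresses are constructed stand-ins for the post's placeholders, the trailing allow rule is an assumption for the rules elided by "...", the model assumes the default one_pass behaviour (a matching nat rule translates and accepts), and it ignores the `reverse` keyword and the per-interface direction logic of the real libalias.

```python
"""Model of ipfw rule matching in front of a libalias-style NAT instance.

Constructed illustration only: it shows why a nat rule that names just
LAN-source -> peer-destination translates outbound packets but never sees
the replies that come back in on the same interface.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the post's placeholders
LAN_NETS = ("10.1.1.0/24", "10.1.2.0/24")   # a.a.1.0/24, a.a.2.0/24
LAN_HOST = "10.1.1.20"                      # a.a.a.20, the ping initiator
GIF_LOCAL = "192.0.2.1"                     # b.b.b.1, the nat alias address
PEER_NET = "198.51.100.0/24"                # c.c.c.0/24
PEER = "198.51.100.1"                       # c.c.c.1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    ident: int = 0      # ICMP echo id: the field libalias rewrites for ICMP


@dataclass
class Rule:
    number: int
    action: str                          # "allow" or "nat"
    src: Tuple[str, ...] = ("any",)      # source networks ("any" = wildcard)
    dst: Tuple[str, ...] = ("any",)      # destination networks
    via: Optional[str] = None            # interface restriction, None = any

    @staticmethod
    def _in(addr: str, nets: Tuple[str, ...]) -> bool:
        return "any" in nets or any(ip_address(addr) in ip_network(n) for n in nets)

    def matches(self, pkt: Packet, iface: str) -> bool:
        if self.via is not None and self.via != iface:
            return False
        return self._in(pkt.src, self.src) and self._in(pkt.dst, self.dst)


@dataclass
class NatInstance:
    """Stateful NAT: outbound packets get the alias address and a fresh id;
    inbound packets are de-aliased only if (proto, id) is in the table."""
    alias_ip: str
    table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_ident: int = 40000

    def translate(self, pkt: Packet, direction: str) -> Packet:
        if direction == "out":
            for (proto, alias_id), orig in self.table.items():   # reuse a mapping
                if proto == pkt.proto and orig == (pkt.src, pkt.ident):
                    return Packet(self.alias_ip, pkt.dst, pkt.proto, alias_id)
            alias_id, self.next_ident = self.next_ident, self.next_ident + 1
            self.table[(pkt.proto, alias_id)] = (pkt.src, pkt.ident)
            return Packet(self.alias_ip, pkt.dst, pkt.proto, alias_id)
        orig = self.table.get((pkt.proto, pkt.ident))
        if pkt.dst == self.alias_ip and orig is not None:
            return Packet(pkt.src, orig[0], pkt.proto, orig[1])
        return pkt      # no state for this packet: passed through untouched


def firewall(rules, nat: NatInstance, pkt: Packet, iface: str, direction: str):
    """Walk the rules in order like ipfw with one_pass=1 (assumed default):
    the first matching nat rule translates and accepts, allow accepts as-is.
    Returns (number of the deciding rule, resulting packet or None if denied)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt, iface):
            continue
        if rule.action == "nat":
            return rule.number, nat.translate(pkt, direction)
        return rule.number, pkt
    return 65535, None      # implicit default deny


def ping_round_trip(rules):
    """Echo request LAN host -> peer out via gif0, then the peer's reply in on gif0.
    Returns (packet as put on the tunnel, deciding inbound rule, delivered reply)."""
    nat = NatInstance(GIF_LOCAL)
    request = Packet(LAN_HOST, PEER, ident=39050)
    _, on_wire = firewall(rules, nat, request, "gif0", "out")
    # The peer answers what it saw: addresses swapped, echo id kept
    reply = Packet(on_wire.dst, on_wire.src, ident=on_wire.ident)
    rule_no, delivered = firewall(rules, nat, reply, "gif0", "in")
    return on_wire, rule_no, delivered


# Rule set as posted: nat only matches LAN -> peer; the trailing allow is an
# assumption standing in for the rules elided by "..." in the post.
POSTED = [Rule(502, "nat", LAN_NETS, (PEER_NET,)), Rule(60000, "allow")]
# Constructed alternative: hand every packet crossing gif0, either way, to nat 100.
BIDIRECTIONAL = [Rule(502, "nat", via="gif0"), Rule(60000, "allow")]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("bidirectional", BIDIRECTIONAL)):
        wire, rule_no, delivered = ping_round_trip(rules)
        print(f"{name:14s} out: {wire.src} -> {wire.dst} id {wire.ident}; "
              f"reply decided by rule {rule_no}, delivered to {delivered.dst} id {delivered.ident}")
```

With the posted rule set the reply is accepted by the catch-all rule still addressed to the gif0 address, so the FreeBSD box consumes it and the LAN host's ping counter never moves; with the gif0-wide rule the same reply is handed to the instance in the "in" direction and its destination is rewritten back to the LAN host.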