Hello list,

My goal is to build an IPv4 IPSec tunnel between a mobile
GNU/Linux pluto(8) host and a static pfsense racoon(8) host.

  Ubuntu 12.10 GNU/Linux AMD64
  Strongswan 4.5.2 (pluto)

  PFSense 2.0.1-RELEASE (i386)
  on Alix Alix2d13 hardware

It seems pluto(8) is encapsulating IP and sending it to
PFSense correctly, but hosts on the PFSense LAN cannot reply:

  # the host running pluto(8) connects to a PFSense LAN client
  192.168.0.22$ telnet 192.168.1.88 80

  192.168.0.1$ tcpdump -i wan  # the pluto's default router computer
  18:22:32.575725 IP 192.168.0.22.4500 > 12.34.56.78.4500: UDP-encap: 
ESP(spi=0xdeadbeef,seq=0x1), length 100

  12.34.56.78$ tcpdump -i wan  # the pfsense router's WAN
  18:22:32.604422 IP [pluto's wan-public-address] > 12.34.56.78: 
ESP(spi=0xdeadbeef,seq=0x1), length 100

  192.168.1.1$ tcpdump -i lan  # the same pfsense router's LAN
  18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 
3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 
7], length 0
  18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46
  --------------- !!!  -------
  --------------- !!!  -------
  Reply from 192.168.1.88 to telnet client fails here.

If I telnet in the opposite direction the same
unanswered ARP broadcasts appear.

PROBLEM

So it seems that either pluto(8) is not correctly describing its
origin IP in the ESP headers or racoon(8) is not parsing this
information?

PFSense clearly labels all IPSec tunnels (on Status/IPSec) with the
remote IP except for the mobile hosts using pluto(8) in which case
'Remote IP' is empty. The mobile hosts are behind NAT.

---- Racoon(8) PFSense config ----

  Phase 1 http://img.ctrlv.in/5112a38e19278.png
  Phase 2 http://img.ctrlv.in/5112a3c949e8e.png
  Mobile  http://img.ctrlv.in/5112a3df78259.png

---- Strongswan config ----

/etc/strongswan.conf:
  pluto {
      load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
  }

  libstrongswan {
      dh_exponent_ansi_x9_42 = no
  }

/etc/ipsec.conf:
  config setup
      charonstart=no
      plutostart=yes

  conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev1
      authby=secret

  conn here
      left=%defaultroute        # 192.168.0.22
      leftsourceip=%modeconfig  # 192.168.1.55
      right=12.34.56.78
      rightsubnet=192.168.1.0/24
      auto=start

/etc/ipsec.secrets:
  12.34.56.78 : PSK "0000111122223333"

Any idea where the problem lies that ends with the ARP broadcast?

Regards,
Michael
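An added diagnostic for the capture in this post (example code, not something from the post or from the pfSense or strongSwan projects). It reads the LAN-side tcpdump lines, pairs the decapsulated tunnel source (192.168.1.55, the mode-config address) with the ARP request that follows, and flags a tunnel client address that falls inside the LAN subnet: a LAN host treats such an address as on-link and ARPs for it instead of handing the reply to the gateway, and since no LAN interface owns it the request goes unanswered. The LAN subnet (192.168.1.0/24) and the gateway LAN address (192.168.1.1) are assumptions taken from the post's rightsubnet and the LAN tcpdump prompt.

```python
import ipaddress
import re

# Constructed sample: the two LAN-side tcpdump lines from the post, with the
# decapsulated SYN arriving from the tunnel and the LAN host's ARP request.
LAN_CAPTURE = """\
18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, length 0
18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46
"""

# Assumed from the post: rightsubnet=192.168.1.0/24 and the pfSense LAN address 192.168.1.1.
REMOTE_SUBNET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_LAN_IP = ipaddress.ip_address("192.168.1.1")

IP_RE = re.compile(r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:")
ARP_RE = re.compile(r"ARP, Request who-has (\d{1,3}(?:\.\d{1,3}){3}) tell (\d{1,3}(?:\.\d{1,3}){3})")


def parse_capture(text):
    """Split a tcpdump text dump into IP flows (src, dst) and ARP requests (target, asker)."""
    flows, arps = [], []
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            flows.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
            continue
        m = ARP_RE.search(line)
        if m:
            arps.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
    return flows, arps


def diagnose(text, lan_subnet, gateway_ip):
    """Return one finding per tunnel source address that a LAN host ARPs for but nobody owns.

    A virtual IP handed out by mode config that lies inside the LAN subnet makes LAN hosts
    treat the tunnel client as on-link: they ARP for it instead of routing the reply through
    the gateway, and because no LAN interface carries that address the ARP goes unanswered.
    """
    flows, arps = parse_capture(text)
    tunnel_sources = {src for src, _ in flows}
    findings = []
    for target, asker in arps:
        if target in tunnel_sources and target in lan_subnet and target != gateway_ip:
            findings.append(
                f"{asker} ARPs for {target}, a tunnel client address inside {lan_subnet}; "
                f"no LAN host owns it, so the reply never leaves the LAN segment"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(LAN_CAPTURE, REMOTE_SUBNET, GATEWAY_LAN_IP):
        print(finding)
```

Run it against a longer `tcpdump -i lan` dump (text output, not pcap) to see every tunnel client address the LAN is ARPing for; an empty result with a virtual IP outside the LAN subnet is the expected clean state, since LAN hosts then send replies to their default gateway rather than ARPing.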
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list