We have an initial pair of pfSense firewalls in 212.30.17.16/28 running the
1.0.1 embedded release.
.18 is the CARP address of the public interface and .19 and .20 are the native
addresses of the FWs.
These FWs have established IPSec SAs with partners for a few months now.
To test a new IPsec connection I created another set of pfSense FWs in
212.30.17.16/28.
.21 is the CARP IP and .22 and .23 the interfaces. These run the 1.0.1 release
installed from the liveCD/install CDs.
The original FWs have 10.0.10.0/24 behind them as one of their private networks
and to test I would like to link 10.0.10.0/24 via IPSec to 10.0.100.0/24 which
I created behind the new firewalls.
All the FWs share an O&M network of 10.0.20.0/24.
With rules to allow ICMP access to and from 212.30.17.16/28, all the CARP and
real IPs in 212.30.17.16/28 can ping each other.
Ultimately what I am trying to learn is if I can 1:1 NAT hosts on 10.0.10.0/24
and have them appear as public IPs to a partner over an IPsec link. This is the
"no private IPs to be used over a VPN" setup.
So if anyone can give me tips on this as well I would be very grateful.
Below is as much relevant detail as I can gather to help debug this problem.
The PSK on the FWs is correct.
This is the relevant section of the racoon.conf from the original FW pair:
listen {
isakmp 212.30.17.18 [500];
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 212.30.17.22 {
exchange_mode main;
my_identifier address "212.30.17.18";
peers_identifier address 212.30.17.22;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 86400 secs;
}
lifetime time 86400 secs;
}
sainfo address 10.0.10.0/24 any address 10.0.100.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}
The racoon.conf from the new FW pair:
listen {
isakmp 212.30.17.21 [500];
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 212.30.17.18 {
exchange_mode main;
my_identifier address "212.30.17.22";
peers_identifier address 212.30.17.18;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 86400 secs;
}
lifetime time 86400 secs;
}
sainfo address 10.0.100.0/24 any address 10.0.10.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}
The IPSec log on the new FWs:
Feb 7 14:48:04 racoon: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
Feb 7 14:48:04 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct
2004 (http://www.openssl.org/)
Feb 7 14:48:04 racoon: INFO: 212.30.17.21[500] used as isakmp port (fd=13)
Feb 7 14:48:04 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE):
Invalid argument
Feb 7 14:48:04 racoon: ERROR: such policy already exists. anyway replace it:
10.0.20.0/24[0] 10.0.20.22/32[0] proto=any dir=in
Feb 7 14:48:04 racoon: ERROR: such policy already exists. anyway replace it:
10.0.10.0/24[0] 10.0.100.0/24[0] proto=any dir=in
Feb 7 14:48:04 racoon: ERROR: such policy already exists. anyway replace it:
10.0.20.22/32[0] 10.0.20.0/24[0] proto=any dir=out
Feb 7 14:48:04 racoon: ERROR: such policy already exists. anyway replace it:
10.0.100.0/24[0] 10.0.10.0/24[0] proto=any dir=out
I get the "racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid
argument" on the original FWs as well.
This is racoon started up in debug mode on the active FW of the new pair:
# /usr/local/sbin/racoon -f /var/etc/racoon.conf -F -dddddd
Foreground mode.
2007-02-07 16:39:22: INFO: @(#)ipsec-tools 0.6.6
(http://ipsec-tools.sourceforge.net)
2007-02-07 16:39:22: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct
2004 (http://www.openssl.org/)
2007-02-07 16:39:22: DEBUG: call pfkey_send_register for AH
2007-02-07 16:39:22: DEBUG: call pfkey_send_register for ESP
2007-02-07 16:39:22: DEBUG: call pfkey_send_register for IPCOMP
2007-02-07 16:39:22: DEBUG: reading config file /var/etc/racoon.conf
2007-02-07 16:39:22: DEBUG2: lifetime = 86400
2007-02-07 16:39:22: DEBUG2: lifebyte = 0
2007-02-07 16:39:22: DEBUG2: encklen=0
2007-02-07 16:39:22: DEBUG2: p:1 t:1
2007-02-07 16:39:22: DEBUG2: 3DES-CBC(5)
2007-02-07 16:39:22: DEBUG2: SHA(2)
2007-02-07 16:39:22: DEBUG2: 1024-bit MODP group(2)
2007-02-07 16:39:22: DEBUG2: pre-shared key(1)
2007-02-07 16:39:22: DEBUG2:
2007-02-07 16:39:22: DEBUG: compression algorithm can not be checked because
sadb message doesn't support it.
2007-02-07 16:39:22: DEBUG2: parse successed.
2007-02-07 16:39:22: INFO: 212.30.17.21[500] used as isakmp port (fd=6)
2007-02-07 16:39:22: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid
argument
2007-02-07 16:39:22: DEBUG: get pfkey X_SPDDUMP message
2007-02-07 16:39:22: DEBUG2:
02120000 0a000100 03000000 461d0100 03000500 ff180000 10020000 0a001400
00000000 00000000 03000600 ff200000 10020000 0a001416 00000000 00000000
02001200 01000100 35000000 00000000
2007-02-07 16:39:22: DEBUG: get pfkey X_SPDDUMP message
2007-02-07 16:39:22: DEBUG2:
02120000 0f000100 02000000 461d0100 03000500 ff180000 10020000 0a000a00
00000000 00000000 03000600 ff180000 10020000 0a006400 00000000 00000000
07001200 02000100 38000000 00000000 28003200 02031c40 10020000 d41e1112
00000000 00000000 10020000 d41e1115 00000000 00000000
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.10.0/24[0] 10.0.100.0/24[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: db :0x80bb408: 10.0.20.0/24[0] 10.0.20.22/32[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: get pfkey X_SPDDUMP message
2007-02-07 16:39:22: DEBUG2:
02120000 0a000100 01000000 461d0100 03000500 ff200000 10020000 0a001416
00000000 00000000 03000600 ff180000 10020000 0a001400 00000000 00000000
02001200 01000200 36000000 00000000
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.20.22/32[0] 10.0.20.0/24[0]
proto=any dir=out
2007-02-07 16:39:22: DEBUG: db :0x80bb408: 10.0.20.0/24[0] 10.0.20.22/32[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.20.22/32[0] 10.0.20.0/24[0]
proto=any dir=out
2007-02-07 16:39:22: DEBUG: db :0x80bba08: 10.0.10.0/24[0] 10.0.100.0/24[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: get pfkey X_SPDDUMP message
2007-02-07 16:39:22: DEBUG2:
02120000 0f000100 00000000 461d0100 03000500 ff180000 10020000 0a006400
00000000 00000000 03000600 ff180000 10020000 0a000a00 00000000 00000000
07001200 02000200 37000000 00000000 28003200 02031b40 10020000 d41e1115
00000000 00000000 10020000 d41e1112 00000000 00000000
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.100.0/24[0] 10.0.10.0/24[0]
proto=any dir=out
2007-02-07 16:39:22: DEBUG: db :0x80bb408: 10.0.20.0/24[0] 10.0.20.22/32[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.100.0/24[0] 10.0.10.0/24[0]
proto=any dir=out
2007-02-07 16:39:22: DEBUG: db :0x80bba08: 10.0.10.0/24[0] 10.0.100.0/24[0]
proto=any dir=in
2007-02-07 16:39:22: DEBUG: sub:0xbfbfe5b0: 10.0.100.0/24[0] 10.0.10.0/24[0]
proto=any dir=out
2007-02-07 16:39:22: DEBUG: db :0x80bbe08: 10.0.20.22/32[0] 10.0.20.0/24[0]
proto=any dir=out
The only messages after this are "DEBUG: msg 1 not interesting".
Finally, netstat -sn on the new FW pair shows all the counters in the
fastipsec:, ap: and esp: sections as being 0.
I don't know what else I can do to debug this at present.
Kind regards,
Paul Seymour
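Before reaching for packet captures, a mechanical cross-check of the two racoon.conf excerpts is worth running: each peer's `remote` address has to be the address the other peer's racoon actually `listen`s on, the identifiers have to mirror, and the `sainfo` selectors have to be the reverse of each other. The script below is an added example, not part of the original post or of pfSense; it parses condensed copies of the two excerpts (constructed inline from the values quoted above) and reports every place the peers fail to mirror each other.

```python
import re

# Condensed copies of the two racoon.conf excerpts from the post (constructed inline).
ORIGINAL_CONF = """listen { isakmp 212.30.17.18 [500]; }
remote 212.30.17.22 { exchange_mode main; my_identifier address "212.30.17.18";
  peers_identifier address 212.30.17.22; proposal { encryption_algorithm 3des;
  hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } }
sainfo address 10.0.10.0/24 any address 10.0.100.0/24 any { pfs_group 2; }"""

NEW_CONF = """listen { isakmp 212.30.17.21 [500]; }
remote 212.30.17.18 { exchange_mode main; my_identifier address "212.30.17.22";
  peers_identifier address 212.30.17.18; proposal { encryption_algorithm 3des;
  hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } }
sainfo address 10.0.100.0/24 any address 10.0.10.0/24 any { pfs_group 2; }"""


def parse_peer(conf: str) -> dict:
    """Pull out the handful of racoon.conf fields the cross-check needs."""
    def get(pat):
        m = re.search(pat, conf)
        return m[1] if m else None
    # The first encryption_algorithm in the file is the phase 1 one (remote precedes sainfo).
    p1 = tuple(get(rf"{k}\s+(\w+);") for k in ("encryption_algorithm", "hash_algorithm", "dh_group"))
    return {
        "listen": get(r"isakmp\s+([\d.]+)"),
        "remote": get(r"remote\s+([\d.]+)\s*\{"),
        "my_id": get(r'my_identifier\s+address\s+"?([\d.]+)"?'),
        "peer_id": get(r'peers_identifier\s+address\s+"?([\d.]+)"?'),
        "sainfo": re.search(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)", conf).groups(),
        "p1": p1,
    }


def cross_check(a: dict, b: dict) -> list:
    """Return human-readable mismatches between two peers' configs (empty list = consistent)."""
    findings = []
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if x["remote"] != y["listen"]:
            findings.append(f"{name}: sends IKE to {x['remote']} but peer listens on {y['listen']}")
        if x["peer_id"] != y["my_id"]:
            findings.append(f"{name}: peers_identifier {x['peer_id']} != peer my_identifier {y['my_id']}")
        if x["listen"] != x["my_id"]:
            findings.append(f"{name}: listens on {x['listen']} but identifies itself as {x['my_id']}")
    if a["sainfo"] != tuple(reversed(b["sainfo"])):
        findings.append(f"sainfo selectors not mirrored: {a['sainfo']} vs {b['sainfo']}")
    if a["p1"] != b["p1"]:
        findings.append(f"phase 1 proposal differs: {a['p1']} vs {b['p1']}")
    return findings


ORIGINAL, NEW = parse_peer(ORIGINAL_CONF), parse_peer(NEW_CONF)

if __name__ == "__main__":
    for line in cross_check(ORIGINAL, NEW) or ["configs mirror each other"]:
        print(line)
```

On the values quoted in the post it reports that the original pair is configured to send IKE to .22 while the new pair's racoon listens only on the CARP address .21 (and identifies itself as .22); if no IKE packet ever reaches the listening socket, zero esp counters are exactly what netstat would show.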