Hello!

We have a central office which is separated from the Internet with a firewall running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the central office from another small branch office, using FreeBSD 6.2 with its integrated IPSec and ipsec-tools. The tunneling is generally working, both internal networks can see each other, but I'm having some problems with traffic originating from the FreeBSD firewall itself.

The central office has internal network 192.168.1.0/24 and firewall's external IP is, let's say, A.B.C.D. The branch office has internal network 192.168.5.0/24 and firewall's external IP is W.X.Y.Z.

The policies in /etc/ipsec.conf are as follows.

spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
        esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require;

The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being correctly tunnelled, i.e. when I watch the traffic on firewall's external interface with tcpdump, I can see only ESP traffic between A.B.C.D and W.X.Y.Z, and the internal IPs don't appear anywhere.

I can even successfully initiate *some* tunnelled traffic from the firewall machine itself, for example
ping -S 192.168.5.1 192.168.1.3
works correctly, as does
telnet -s 192.168.5.1 192.168.1.3 53

However, the main reason why I want to have internal traffic originating from the firewall host itself is that I'd like to run an internal DNS server with slave zones for my internal network (*.in-addr.arpa) so all the DNS traffic wouldn't go through the VPN. The master for these zones is 192.168.1.3. I've configured named.conf with following

options
{
        ...
        listen-on { 127.0.0.1; 192.168.5.1; };
        query-source address 192.168.5.1;
        forwarders {
                192.168.1.3;
        };
        ...
};
...

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters { 192.168.1.3; };
};
...

However, when I start named and watch the traffic on firewall's external interface with tcpdump, I can see actual packets between 192.168.5.1 and 192.168.1.3.

What is the difference between this DNS traffic and things like telnet -s, which causes the DNS traffic to not be tunneled?

--
Toomas Aas
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
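As an added illustration (not part of the original post), the small script below replays the two spdadd selectors from the message against candidate packets, including a DNS query from 192.168.5.1 to 192.168.1.3, to show which SPD entry a lookup should select for each. Port selectors are not modelled, and the 203.0.113.x address is a constructed stand-in for an off-VPN destination.

```python
import ipaddress

# Constructed copy of the two policies from the post, in ipsec.conf syntax.
IPSEC_CONF = r"""
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
        esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require;
"""

def parse_spd(text):
    """Parse 'spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/PEERS/LEVEL;' statements."""
    policies = []
    for stmt in text.replace("\\\n", " ").split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] != "spdadd":
            continue
        src, dst, upper = tokens[1], tokens[2], tokens[3]
        direction = tokens[tokens.index("-P") + 1]
        proto, mode, peers, level = tokens[-1].split("/")  # e.g. esp/tunnel/W.X.Y.Z-A.B.C.D/require
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "upper": upper, "dir": direction,
            "proto": proto, "mode": mode, "peers": peers, "level": level,
        })
    return policies

def lookup(policies, src, dst, direction, upper="any"):
    """Return the first policy whose selector matches the packet, or None.
    The SPD is ordered, so the ipsec.conf order is kept here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] != direction:
            continue
        if p["upper"] not in ("any", upper):
            continue
        if s in p["src"] and d in p["dst"]:
            return p
    return None

POLICIES = parse_spd(IPSEC_CONF)

def classify(src, dst, direction, upper="any"):
    """Describe how a packet should leave: via which tunnel peers, or in cleartext."""
    p = lookup(POLICIES, src, dst, direction, upper)
    return "tunnel:%s" % p["peers"] if p else "cleartext"

if __name__ == "__main__":
    # The slave-zone traffic from the post: named on 192.168.5.1 talking to 192.168.1.3.
    print("DNS 192.168.5.1 -> 192.168.1.3:", classify("192.168.5.1", "192.168.1.3", "out", "udp"))
    print("DNS 192.168.5.1 -> 203.0.113.10:", classify("192.168.5.1", "203.0.113.10", "out", "udp"))
```

If the selectors match as they do here, the difference must lie outside the SPD as written, which is what a comparison of `setkey -DP` against the cleartext packets seen with tcpdump would confirm.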
