Robert Johannes wrote:
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
> Ok, I have done quite a bit of work since my last email, but I still
> don't see visible progress. I did rebuild world and the kernel with the
> NAT-T patches/support that you recommended. I have been playing around
> with ipsec etc.
> I have created an esp tunnel between my two sites, and I am sending some
> ping traffic to the remote end, but the packets don't seem to get
> through. Here's a snippet of what I see on tcpdump:
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
> length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
> length 64 (ipip-proto-4)
Firstly, have you set your DSL routers up to NAT the ipencap protocol
back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP
or UDP payload, so you will probably need a pretty advanced router to do
this.) The packets you see here are not protected by IPSEC; they are
just plain old IPENCAP packets. If they were IPSEC packets I would
expect to see ESP as the protocol and not see the encapsulated packet
header. (Again, when you get IPSEC working you are going to need to NAT
these packets to your FreeBSD boxes.)
> From what I can tell, the kernel knows that it is to send the ping
> request from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
> 190.41.95.135 and 201.240.165.191. But, there's no request from the
> other end. Doing a tcpdump on the other side (192.168.0.254), nothing
> is coming in. I have also done a ping from the latter machine to the
> former, but with exactly the same problem. Nothing seems to get to the
> other end.
> The tunnel is not using racoon yet. I figure that I should be able to
> see some traffic going back and forth before I use racoon to manage
> keys. The tunnel was created by the following lines on one host, and
> reversed on the other:
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
> If anyone can shed some more light on this, I would appreciate it.
From what I can see, your /etc/ipsec.conf should look like this:
spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
esp/tunnel/201.240.151.15-190.41.95.135/require;
These rules may be wrong, but your tunnel seems to be an IP protocol 4
payload, which is ipencap (see /etc/protocols).
Hope this helps.
Tom
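Tom's point is that a capture showing `(ipip-proto-4)` with the inner header in the clear means the SPD is not being applied, while a working tunnel shows `ESP(...)` between the endpoints. The following is an added example, not code from the thread, that classifies tcpdump summary lines this way and flags plaintext ipencap traffic between the tunnel endpoints; the sample capture is constructed from the two lines in the post plus one ESP line, and the endpoint set is an assumption that includes the name tcpdump resolved for the remote side.

```python
import re
from dataclasses import dataclass
# tcpdump one-line IPv4 summary: "<time> IP <src> > <dst>: <rest>"
OUTER_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
INNER_RE = re.compile(r"^IP (?P<src>\S+) > (?P<dst>[^:]+):")

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    proto: str  # "ESP", "ipencap" (IP protocol 4) or "other"
    inner: str  # "src > dst" of the encapsulated packet, empty unless ipencap

def parse_line(line):
    """Classify one tcpdump summary line; None if it is not an IPv4 summary."""
    m = OUTER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("ESP("):
        proto, inner = "ESP", ""
    elif rest.endswith("(ipip-proto-4)"):
        # Plaintext IP-in-IP: tcpdump prints the inner header in the clear.
        im = INNER_RE.match(rest)
        proto = "ipencap"
        inner = f"{im.group('src')} > {im.group('dst')}" if im else ""
    else:
        proto, inner = "other", ""
    return Packet(m.group("ts"), m.group("src"), m.group("dst"), proto, inner)

def audit_capture(lines, endpoints):
    """Count ESP packets and list ipencap packets exchanged between the tunnel
    endpoints; with an applied 'require' SPD those should never be in the clear."""
    esp, unprotected = 0, []
    for pkt in filter(None, map(parse_line, lines)):
        if pkt.proto == "ESP":
            esp += 1
        elif pkt.proto == "ipencap" and {pkt.src, pkt.dst} <= set(endpoints):
            unprotected.append(pkt)
    return {"esp": esp, "unprotected": unprotected}

# Constructed sample: the two lines from the post (joined, without the e-mail's
# "\" wraps) plus one ESP line in the format tcpdump uses for protected traffic.
SAMPLE_CAPTURE = [
    "14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)",
    "14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, length 64 (ipip-proto-4)",
    "14:06:55.100000 IP 190.41.95.135 > 201.240.151.15: ESP(spi=0x00001000,seq=0x1), length 116",
]
# Assumed endpoint set; it also lists the name tcpdump resolved for the remote side.
TUNNEL_ENDPOINTS = {"190.41.95.135", "201.240.151.15", "client-201.240.165.191.speedy.net.pe"}
```

Run `audit_capture(SAMPLE_CAPTURE, TUNNEL_ENDPOINTS)` on a live `tcpdump -n -i <iface>` output and any entry under `unprotected` is tunnel traffic the kernel sent without ESP.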
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"