On 2014-07-27 08:06, Stefan Sieg wrote:
On 26.07.2014 17:34, Gordon Turner wrote:
But any attempt to reach the 192.168.2.0/24 network fails.

Did you set the route on your clients accordingly, so that they know how to reach that network?

After connecting the VPN, I tried adding different routes on the client:

/sbin/route add 192.168.2.0/24 10.0.0.186

and when that didn't work I rebooted, connected the VPN and tried:

/sbin/route add 192.168.2.0/24 10.0.0.1

I admit that I have never needed to add routes before so I am starting from scratch here.

I also checked 'Send all traffic over VPN connection', but if I understand things correctly, the traffic gets to 10.0.0.1 and has nowhere to go.


pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state

You don't need to forward l2tp on your router, it is encapsulated in ipsec.

pass quick proto { esp, ah } from any to any

As long as NAT is involved you don't need ESP in your pf.conf, it is encapsulated in UDP. You don't need AH.

Thanks for that, I have updated my pf.conf to:
```
set skip on pppx0
pass in quick on egress proto udp from any to any port {500, 4500} keep state
pass on enc0 from any to any keep state (if-bound)
```


Looking for some help with finishing this last piece. I am no longer sure if it is a pf issue; it might be a default route problem.

tcpdump and pf's log option are very useful to see what's going on.


```
$ sudo tcpdump -ni pppx0
tcpdump: listening on pppx0, link-type LOOP
12:41:04.014922 10.0.0.75.54342 > 8.8.8.8.53: 39507+ SRV? _ldap._tcp.mythum.lan. (39)
12:41:05.783767 10.0.0.75.55149 > 8.8.8.8.53: 37421+ A? p01-streams.icloud.com. (40)
12:41:06.982890 10.0.0.75.54342 > 8.8.8.8.53: 39507+ SRV? _ldap._tcp.mythum.lan. (39)
12:41:08.454573 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:09.464456 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:12.493838 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:13.513972 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:14.444208 10.0.0.75.51500 > 8.8.8.8.53: 52450+ SRV? _kerberos._udp.MYTHUM.LAN. (43)
12:41:14.892284 10.0.0.75.55149 > 8.8.8.8.53: 37421+ A? p01-streams.icloud.com. (40)
12:41:15.474692 10.0.0.75.51500 > 8.8.8.8.53: 52450+ SRV? _kerberos._udp.MYTHUM.LAN. (43)
12:41:16.103557 10.0.0.75.54342 > 8.8.8.8.53: 39507+ SRV? _ldap._tcp.mythum.lan. (39)
tcpdump: WARNING: compensating for unaligned libpcap packets
12:41:16.574507 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:18.493783 10.0.0.75.51500 > 8.8.8.8.53: 52450+ SRV? _kerberos._udp.MYTHUM.LAN. (43)
12:41:19.365219 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:19.574170 10.0.0.75.51500 > 8.8.8.8.53: 52450+ SRV? _kerberos._udp.MYTHUM.LAN. (43)
12:41:20.372149 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:22.664149 10.0.0.75.51500 > 8.8.8.8.53: 52450+ SRV? _kerberos._udp.MYTHUM.LAN. (43)
12:41:23.451963 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:24.453283 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:24.461780 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:24.461833 10.0.0.75.64324 > 8.8.8.8.53: 32547+ SRV? _kerberos._tcp.MYTHUM.LAN. (43)
12:41:25.453901 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:25.542776 10.0.0.75.64324 > 8.8.8.8.53: 32547+ SRV? _kerberos._tcp.MYTHUM.LAN. (43)
12:41:25.592847 10.0.0.75.53042 > 8.8.8.8.53: 57936+ A? p21-calendars.icloud.com. (42)
12:41:26.453321 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:27.453650 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:27.532806 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:28.463647 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:28.663012 10.0.0.75.64324 > 8.8.8.8.53: 32547+ SRV? _kerberos._tcp.MYTHUM.LAN. (43)
12:41:29.723006 10.0.0.75.64324 > 8.8.8.8.53: 32547+ SRV? _kerberos._tcp.MYTHUM.LAN. (43)
```



```
$ sudo tcpdump -ni enc0
tcpdump: listening on enc0, link-type ENC
12:42:13.722514 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:14.092443 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:14.742843 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:15.163667 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:17.752480 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:18.212499 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:18.321068 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:19.232130 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:19.321433 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:19.752479 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:20.362385 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:20.822668 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:21.362244 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:22.302164 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:22.319419 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:23.363545 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:23.892499 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:24.361719 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:24.979953 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:27.812011 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:28.042276 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:28.421930 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:29.011162 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:29.011251 (authentic,confidential): SPI 0x0aca0fdf: 192.168.2.232.1701 > 24.114.54.8.65247: l2tp:[LS](2/340)Ns=44,Nr=0[hdlc|][|l2tp]
12:42:29.502297 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:29.620676 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:29.623389 (authentic,confidential): SPI 0xc4ae1209: 24.114.54.8.65247 > 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
```


```
$ sudo tcpdump -ni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
```

<Nothing as a result of traffic>


Thanks for your help Stefan,
Gord.
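The pppx0 capture in this message shows echo requests to 192.168.2.225 leaving the tunnel interface with no reply ever coming back on it, while nothing reaches pflog0. A small triage script for exactly that reading of a `tcpdump -n` capture (added here as an example; it is not part of the thread, and the function names, the `SAMPLE` text and the constructed DNS reply line are assumptions) groups packets into flows and lists destinations on the remote LAN that never answered, which separates a forwarding or return-route problem from a pf block:

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the pppx0 capture above: three unanswered
# echo requests plus one DNS query, for which a reply line is also constructed
# so the script can tell a two-way flow from a one-way one.
SAMPLE = """\
tcpdump: listening on pppx0, link-type LOOP
12:41:24.453283 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:24.461780 10.0.0.75.49404 > 8.8.8.8.53: 56240+ A? 12-courier.push.apple.com. (43)
12:41:24.470000 8.8.8.8.53 > 10.0.0.75.49404: 56240 1/0/0 A 17.0.0.1 (59)
12:41:25.453901 10.0.0.75 > 192.168.2.225: icmp: echo request
12:41:26.453321 10.0.0.75 > 192.168.2.225: icmp: echo request
"""

# One tcpdump -n line: timestamp, src[.port] > dst[.port]: payload summary
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

def packets(text):
    """Yield ((src_ip, src_port), (dst_ip, dst_port)) per parsed packet.
    tcpdump banner and warning lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], m["sport"] or ""), (m["dst"], m["dport"] or "")

def flow_directions(text):
    """Map each unordered endpoint pair to the set of directions seen for it."""
    dirs = defaultdict(set)
    for src, dst in packets(text):
        dirs[tuple(sorted((src, dst)))].add((src, dst))
    return dirs

def one_way_flows(text):
    """(src, dst) pairs that only ever appear in one direction: traffic that
    left this interface but for which no answer came back through it."""
    return [next(iter(d)) for d in flow_directions(text).values() if len(d) == 1]

def unanswered_hosts_in(text, cidr):
    """Destinations inside cidr (e.g. the remote LAN) that never answered."""
    net = ip_network(cidr)
    return sorted({dst[0] for _, dst in one_way_flows(text) if ip_address(dst[0]) in net})

if __name__ == "__main__":
    print("unanswered in 192.168.2.0/24:", unanswered_hosts_in(SAMPLE, "192.168.2.0/24"))
```

Run it against a real `tcpdump -ni pppx0` capture of the remote LAN interface as well: if the requests are one-way on pppx0 but also never appear on the LAN side, the problem is forwarding or the route into the tunnel, not the hosts on 192.168.2.0/24.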
