| From | Sent On | Attachments |
|---|---|---|
| Robert Johannes | Mar 7, 2007 4:30 pm | |
| VANHULLEBUS Yvan | Mar 7, 2007 5:28 pm | |
| Robert Johannes | Mar 7, 2007 6:04 pm | |
| VANHULLEBUS Yvan | Mar 7, 2007 9:24 pm | |
| Tom Judge | Mar 7, 2007 9:55 pm | |
| Robert Johannes | Mar 7, 2007 11:14 pm | |
| Robert Johannes | Mar 7, 2007 11:22 pm | |
| Thomas Wahyudi | Mar 8, 2007 1:58 am | |
| Tom Judge | Mar 8, 2007 7:57 am | |
| Jeremie Le Hen | Mar 10, 2007 7:40 pm | |
| Robert Johannes | Mar 14, 2007 7:06 pm | |
| Tom Judge | Mar 15, 2007 2:28 am | |
| Robert Johannes | Mar 27, 2007 4:31 am | |

| Subject: | freebsd vpn server behind nat dsl router | |
|---|---|---|
| From: | Tom Judge (to...@tomjudge.com) | |
| Date: | Mar 15, 2007 2:28:52 am | |
| List: | org.freebsd.freebsd-security | |
Robert Johannes wrote:
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>
> Ok, I have done quite a bit of work since my last email, but I still don't see visible progress. I did rebuild world and the kernel with the NAT-T patches/support that you recommended. I have been playing around with ipsec etc.
>
> I have created an esp tunnel between my two sites, and I am sending some ping traffic to the remote end, but the packets don't seem to get through. Here's a snippet of what I see on tcpdump:
>
> ```
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>     IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>     length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>     IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>     length 64 (ipip-proto-4)
> ```
Firstly, have you set your DSL routers up to NAT the ipencap protocol back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP or UDP payload, so you will probably need a pretty advanced router to do this.) The packets you see here are not protected by IPSEC; they are just plain old IPENCAP packets. If they were IPSEC packets I would expect to see ESP as the protocol and not see the encapsulated packet header. (Again, when you get IPSEC working you are going to need to NAT these packets to your freebsd boxes.)
> From what I can tell, the kernel knows that it is to send the ping request from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135 and 201.240.165.191. But, there's no request from the other end. Doing a tcpdump on the other side (192.168.0.254), nothing is coming in. I have also done a ping from the latter machine to the former, but with exactly the same problem. Nothing seems to get to the other end.
>
> The tunnel is not using racoon yet. I figure that I should be able to see some traffic going back and forth before I use racoon to manage keys. The tunnel was created by the following lines on one host, and reversed on the other:
>
> ```
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/201.240.151.15-190.41.95.135/require;
> ```
>
> If anyone can shed some more light on this, I would appreciate it.
From what I can see, your /etc/ipsec.conf should look like this:

```
spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec esp/tunnel/201.240.151.15-190.41.95.135/require;
```

These rules may be wrong, but your tunnel seems to be an IP protocol 4 payload, which is ipencap (see /etc/protocols).
Hope this helps.
Tom
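The check Tom describes above, whether the packets between the tunnel endpoints are really ESP or still plain ipencap (IP protocol 4) with the inner header readable on the wire, as an added example that is not part of the original thread. It parses tcpdump output of the shape Robert quoted: the two ipencap lines in the constructed sample are the ones from the thread (with the e-mail line-continuation backslashes removed), the ESP line is constructed in tcpdump's `ESP(spi=...,seq=...)` format for contrast, and the protocol numbers 4 (ipencap) and 50 (ESP) are the standard IANA assignments that the NAT router in front of each FreeBSD box would have to pass through.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample capture. The first two lines are the ones quoted in the
# thread (backslash line continuations removed); the third is a constructed
# ESP packet in tcpdump's usual "ESP(spi=...,seq=...)" form, added so the
# classifier has a protected packet to contrast against.
SAMPLE_TCPDUMP = """\
14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)
14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, length 64 (ipip-proto-4)
14:06:55.101010 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: ESP(spi=0x0000abcd,seq=0x2a), length 116
"""

# Outer IPv4 header as tcpdump prints it: "<ts> IP <src> > <dst>: <rest>"
OUTER_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
# Encapsulated (inner) header that tcpdump prints for IP-in-IP payloads
INNER_RE = re.compile(r"^IP (?P<isrc>\S+) > (?P<idst>[^:]+): (?P<payload>.*)$")

# IP protocol numbers (IANA) a NAT router in front of the endpoint must forward
PROTO_NUMBER = {"ipencap": 4, "esp": 50}


@dataclass
class TunnelPacket:
    ts: str
    outer_src: str
    outer_dst: str
    kind: str                      # "esp", "ipencap" or "other"
    inner_src: Optional[str] = None
    inner_dst: Optional[str] = None


def parse_line(line: str) -> Optional[TunnelPacket]:
    """Classify one tcpdump line by what the outer IP header carries."""
    m = OUTER_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ESP("):
        # Encrypted: tcpdump shows only SPI and sequence, never the inner header.
        return TunnelPacket(m["ts"], m["src"], m["dst"], "esp")
    inner = INNER_RE.match(rest)
    if inner and rest.endswith("(ipip-proto-4)"):
        # Plain IP-in-IP: the inner header and ICMP payload are readable on the wire.
        return TunnelPacket(m["ts"], m["src"], m["dst"], "ipencap",
                            inner["isrc"], inner["idst"])
    return TunnelPacket(m["ts"], m["src"], m["dst"], "other")


def audit(capture: str) -> Dict[str, object]:
    """Count packet kinds and list inner flows that crossed the wire unprotected."""
    counts = {"esp": 0, "ipencap": 0, "other": 0}
    unprotected: Set[Tuple[str, str]] = set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        counts[pkt.kind] += 1
        if pkt.kind == "ipencap":
            unprotected.add((pkt.inner_src, pkt.inner_dst))
    return {"counts": counts, "unprotected_inner_flows": sorted(unprotected)}


def protocols_to_forward(capture: str) -> Set[int]:
    """IP protocol numbers seen between the endpoints; each one has to be
    passed through by the NAT/DSL router to the FreeBSD box behind it."""
    seen: Set[int] = set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt.kind in PROTO_NUMBER:
            seen.add(PROTO_NUMBER[pkt.kind])
    return seen


if __name__ == "__main__":
    print(audit(SAMPLE_TCPDUMP))
    print("router must forward IP protocols:", sorted(protocols_to_forward(SAMPLE_TCPDUMP)))
```

Run it over a saved `tcpdump -ni <external-interface> host <peer>` capture instead of the constructed sample: a non-zero `ipencap` count together with an `esp` count of zero means the SPD selectors are not matching the outer ipencap packets, which is exactly the situation Tom diagnoses from Robert's two lines, and the returned protocol set tells you what the router must forward in each state.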