Multiple Gateway IPSEC Problem

Company 2210 company2210 at hotmail.com
Wed Aug 27 11:06:13 PDT 2003 

Hi all,
    I have a really really really annoying problem that I'm trying to
rectifiy. I have three gateways, and two ipsec (esp encrypted) links, one of
which fowards traffic to the internet. I was provided half a class C (/25)
which I have split into 4 subnets of 32 addresses (30 usable).
I am currently trying to employ only two of the 4 available subnets. The
layout is like so:

BoxA <=======> BoxB <==========> BoxC <-------> Cisco Router  <---->
Internet

<===> Denotes IPSEC VPN Link
<----> Denotes standard ethernet non-encrypted link

BoxA: VPN Interface (to BoxB) - 10.0.2.2
           Gateway Interface (Public): 91.18.78.33 (91.18.78.32/27 Network)

BoxB: VPN Interface (to BoxA) - 10.0.2.1
           VPN Interface (to BoxC) - 10.0.0.1
            Gateway Interface (Public): 91.18.78.1 (91.18.78.0/27 Network)

BoxC: VPN Interface (to BoxB) - 10.0.0.2
          Gateway Interface (Private - to Cisco Router): 10.0.1.1

Cisco Router: Gateway Interface (Private to BoxC): 10.0.1.2
                      Gateway Interface (Public - to World): 91.17.66.69
(91.18.66.68/30 Network)


Traffic from BoxA is is supposed to head to Box B, then out to Box C which
is
conected to a cisco router that routes out to the internet, this works.
However, any traffic from Box A to Box
B fails to appear, and vice versa. This means that clients locally connected
to BoxA
can connect to the internet, but not ping/talk to any clients of BoxB and
vice
versa. To elaborate, any ping attempts from a host using 91.18.78.33 as a
gateway to any host using 91.18.78.1 as a gateway
result it "TTL exceeded" errors. However, any host using 91.18.78.1 as a
gateway, and pinging any host using 91.18.78.33 as a gateway gets a 'ping
timeout' error.
 I'm sure this is a problem with the setkey rules, but I cannot see
what it is. I've included my current ruleset (with comments - for each box).

BoxA Setkey Rules:
---------------------

#delete all existing entries from the SAD and SPD databases (setkey -FP
& -F)
flush;
spdflush;

#add the policy to the SPD database

# Allow pings amongst local clients

spdadd 91.18.78.32/27 91.18.78.32/27 any -P out none;
spdadd 91.18.78.32/27 91.18.78.32/27 any -P in none;

# Encrypt and direct traffic to 91.18.78.0/27 network

spdadd 91.18.78.32/27 91.18.78.0/27 any -P out ipsec
esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 91.18.78.0/27 91.18.78.32/27 any -P in ipsec
esp/tunnel/10.0.2.1-10.0.2.2/require;

# Encrypt and direct all other traffic (i.e. internet traffic)

spdadd 91.18.78.32/27 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 0.0.0.0/0 91.18.78.32/27 any -P in ipsec
esp/tunnel/10.0.2.1-10.0.2.2/require;


BoxB Setkey Rules:
----------------------

# Flush all rules
# ----------------

flush;
spdflush;

# Policys for SPD Database
# -------------------------

# 1 - Local Subnet Traffic: Not Encrypted
# ----------------------------------------

spdadd 91.18.78.0/27 91.18.78.0/27 any -P out none;
spdadd 91.18.78.0/27 91.18.78.0/27 any -P in none;

# 2 - Direct flow of traffic between local networks
# --------------------------------------------------------------------------
---------------------------------

spdadd 91.18.78.0/27 91.18.78.32/27 any -P out ipsec
esp/tunnel/10.0.2.1-10.0.2.2/require;
spdadd 91.18.78.32/27 91.18.78.0/27 any -P in ipsec
esp/tunnel/10.0.2.2-10.0.2.1/require;

# 3 - Other Traffic (i.e. internet) for BoxA or it's clients must be
directed through BoxA <====> BoxB tunnel.
# --------------------------------------------------------------------------
------------------------------------------------

spdadd 0.0.0.0/0 91.18.78.32/27 any -P out ipsec
esp/tunnel/10.0.2.1-10.0.2.2/require;
spdadd 91.18.78.32/27 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.2.2-10.0.2.1/require;

# 4 - All other traffic (i.e. internet) across entire class C/25 network
Encrypted & Sent to BoxC
# ---------------------------------------------------------------

spdadd 91.18.78.0/25 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 0.0.0.0/0 91.18.78.0/25 any -P in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;

BoxC Setkey Rules
---------------------

# Delete all existing entries from the SAD and SPD databases
# -----------------------------------------------------------

flush;
spdflush;

# Add policys to the SPD database
# --------------------------------

# 1 - /25 Network Traffic <-> Internet: Encrypt / Decrypt & Send on it's
wicked way.
# --------------------------------------------------------------------------
--------

spdadd 0.0.0.0/0 91.18.78.0/25 any -P out ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 91.18.78.0/25 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;



Well, there we have it. I am sure ipsec is having issues with 0.0.0.0/0
(which is required for directing internet traffic) but I am unable to
resolve these. Any advice & / or help would be greatly appericated.

Kind Regards

Colin Watson.

More information about the freebsd-net mailing list