IPSEC & PF - Please help
fwun at bigpond.net.au
Mon Oct 2 16:36:17 PDT 2006
Hi,
I am having trouble setting up IPsec with a remote office. I desperately need help to sort out the problem.
Here is the description of this little network:
My Office (with Cable Internet, sis0 is the public interface):
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
ether 00:0d:b9:03:e2:2c
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
ether 00:0d:b9:03:e2:2d
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
inet 10.1.1.1 netmask 0xffffff00
pflog0: flags=41<UP,RUNNING> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 2020
gif102: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 60.225.5.1 --> 203.33.16.32
inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid 0x7
Ric's Office (with ADSL broadband):
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
ether 00:0d:b9:03:eb:40
media: Ethernet autoselect (10baseT/UTP)
status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
ether 00:0d:b9:03:eb:41
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
inet 10.1.1.100 netmask 0xffffff00
pflog0: flags=41<UP,RUNNING> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 2020
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
Opened by PID 362
# Script to establish IPsec at My Office:
/sbin/ifconfig lo0 inet 10.1.1.1/24 alias
setkey -FP
setkey -F
# Tunnel to Ric office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
/sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
/sbin/route delete 10.1.100.1/24
/sbin/route delete 172.17.100.0/24
/sbin/route add 10.1.100.1/24 10.1.1.100
/sbin/route add 172.17.100.0/24 10.1.1.100
setkey -c << EOF
# Tunnel to Ric office
spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
EOF
Firewall rules at My (Sam)'s office:
# pfctl -sr
pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
pass out on sis0 inet proto tcp from any to any port = http keep state
block drop in log all
block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
pass in on lo0 all
pass out quick on sis0 all keep state
pass out quick on sis1 all keep state
pass in on sis1 all keep state
pass out on sis0 proto tcp all flags S/SA keep state
pass out on sis1 proto tcp all flags S/SA keep state
pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
pass in on sis0 proto udp from any to any port = commplex-main keep state
pass in quick on ath0 all keep state
pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
pass in quick proto ipencap all
pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
pass in quick inet from 10.1.1.0/24 to any
pass in quick on sis0 inet proto udp from 60.225.54.190 to 203.33.163.232 port = isakmp
pass out quick on sis0 inet proto udp from 203.33.163.232 to 60.225.54.190 port = isakmp
pass quick on gif102 all
Network routing table at My (Sam)'s office:
# netstat -rn | less
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 60.225.5.111 UGS 0 55131 sis0
10 link#2 UC 0 1 sis1
10.1.1.1 10.1.1.1 UH 0 0 lo0
10.1.100/24 10.1.1.100 UGS 0 7 gif102
60.225.5/22 link#1 UC 0 0 sis0
60.225.5.111 00:0f:35:45:78:70 UHLW 2 0 sis0 1200
127.0.0.1 127.0.0.1 UH 0 541 lo0
172.17.4/24 link#3 UC 0 0 ath0
172.17.100/24 10.1.1.100 UGS 0 0 gif102
192.168.0 link#2 UC 0 0 sis1
# Script to establish IPsec at Ric's office:
/sbin/ifconfig lo0 inet 10.1.1.100/24 alias
setkey -FP
setkey -F
# Tunnel to Sam Office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
/sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
/sbin/route delete 10.1.1.1/24
/sbin/route delete 172.17.4.0/24
/sbin/route add 10.1.1.1/24 10.1.1.1
/sbin/route add 172.17.4.0/24 10.1.1.1
setkey -c << EOF
# Tunnel to Sam office
spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
EOF
Firewall rules at Ric's office:
# pfctl -sr
pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
pass out on tun0 inet proto tcp from any to any port = http keep state
block drop in log all
block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
pass in on lo0 all
pass out quick on tun0 all keep state
pass out quick on sis1 all keep state
pass in on sis1 all keep state
pass out on tun0 proto tcp all flags S/SA keep state
pass out on sis1 proto tcp all flags S/SA keep state
pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
pass in on tun0 proto udp from any to any port = commplex-main keep state
pass in quick on ath0 all keep state
pass in quick on tun0 inet proto esp from 203.33.163.232 to 60.225.54.190
pass out quick on tun0 inet proto esp from 60.225.54.190 to 203.33.163.232
pass in quick proto ipencap all
pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
pass quick on gif102 all
Network routing table at Ric's office:
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 203.17.101.81 UGS 0 2005455 tun0
10.1.1/24 10.1.1.1 UGS 0 0 gif102
10.1.1.1 10.1.1.100 UH 972 1015 gif102
10.1.1.100 10.1.1.100 UH 0 16 lo0
10.1.100/24 link#2 UC 0 0 sis1
10.1.100.1 00:0d:b9:03:eb:41 UHLW 1 10 lo0
127.0.0.1 127.0.0.1 UH 0 3335 lo0
172.17.4/24 10.1.1.1 UGS 0 586 gif102
192.168.0 link#2 UC 0 1 sis1
192.168.0.198 00:0d:60:ff:b7:1f UHLW 1 1141717 sis1 818
192.168.0.200 00:14:22:fd:cc:8f UHLW 1 9945 sis1
203.17.10.8 203.33.16.32 UH 1 0 tun0
The problem is my (Sam) office can ping 10.1.100.1 at Ric's office, but I still can't ping his other IP 10.1.1.100 (assigned to his loopback lo0 interface).
Ric's office can't ping me (Sam) at 10.1.1.1 or 10.1.10.1 at all. Tcpdump showed that the PF firewall blocked the incoming packets from 10.1.1/24, so I made a "pass" rule to let them through. But Ric still can't ping 10.1.1.1 or 10.1.10.1.
I also read the following article from the PF mailing list; it might be an issue in PF.
Can anyone please shed some light on this for me? I desperately want to get this working.
Thanks
S
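The following is an added example (editor's code, not part of the original post and not FreeBSD's own tooling): a small Python script that parses the routing tables, the ESP pf rules and the SPD as posted above, embedded as constructed strings copied from the post (abridged), and traces the pings in the question through them. Two expectations are assumptions of the example rather than statements from the post: ESP accepted on the public interface should come from the peer's public address to the local one (the posted sis0 ESP rules have the addresses the other way round), and with gif carrying the traffic the esp/tunnel outer endpoints should be the public gif endpoints rather than the 10.1.1.x inner addresses. Run as written it reports that on Sam's box 10.1.1.100 matches only the 10/8 route on sis1, since the posted table has no entry for it over gif102 (which is why 10.1.100.1, covered by the 10.1.100/24 route, works while 10.1.1.100 does not), and that on Ric's box 10.1.10.1 matches nothing but the default route via tun0. Separately, the blowfish-cbc and hmac-sha1 keys in the post are now public, and manual SAs installed with setkey add never rekey, so those keys have to be treated as compromised and replaced on both ends.

```python
"""Added example (not from the original post): consistency checks for a gif +
manually keyed IPsec + pf site-to-site link, run over the text the post shows."""
import ipaddress
import re

# Constructed sample data, copied from the post (abridged: ARP rows dropped).
# Sam's side: public 60.225.5.1 on sis0, gif102 inner 10.1.1.1 -> 10.1.1.100
SAM_ROUTES = """\
default 60.225.5.111 UGS 0 55131 sis0
10 link#2 UC 0 1 sis1
10.1.1.1 10.1.1.1 UH 0 0 lo0
10.1.100/24 10.1.1.100 UGS 0 7 gif102
60.225.5/22 link#1 UC 0 0 sis0
172.17.4/24 link#3 UC 0 0 ath0
172.17.100/24 10.1.1.100 UGS 0 0 gif102
192.168.0 link#2 UC 0 0 sis1
"""
# Ric's side: public 203.33.16.32 on tun0, gif102 inner 10.1.1.100 -> 10.1.1.1
RIC_ROUTES = """\
default 203.17.101.81 UGS 0 2005455 tun0
10.1.1/24 10.1.1.1 UGS 0 0 gif102
10.1.1.1 10.1.1.100 UH 972 1015 gif102
10.1.1.100 10.1.1.100 UH 0 16 lo0
10.1.100/24 link#2 UC 0 0 sis1
172.17.4/24 10.1.1.1 UGS 0 586 gif102
192.168.0 link#2 UC 0 1 sis1
"""
SAM_PF_ESP = """\
pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
"""
SAM_SPD = """\
spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
"""


def parse_dest(dest):
    """Expand netstat -rn's abbreviated destination column to an ip_network:
    'default' -> 0/0, '10' -> 10.0.0.0/8, '192.168.0' -> /24, 'a.b.c.d' -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:  # classful abbreviation (8 bits per octet shown) or a host route
        plen = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_routes(text):
    """Return [(network, gateway, netif)] from netstat -rn lines."""
    rows = [line.split() for line in text.splitlines()]
    return [(parse_dest(f[0]), f[1], f[5]) for f in rows if len(f) >= 6]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, netif) or None."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    _net, gw, ifn = max(hits, key=lambda r: r[0].prefixlen)
    return (gw, ifn)


ESP_RE = re.compile(r"pass (in|out) .*?on (\S+) .*?proto esp from (\S+) to (\S+)")

def check_esp_rules(pf_text, iface, local, remote):
    """ESP on the public interface arrives from the peer to us and leaves from
    us to the peer; return the rules whose addresses say otherwise."""
    bad = []
    for direction, on, src, dst in ESP_RE.findall(pf_text):
        want = (remote, local) if direction == "in" else (local, remote)
        if on == iface and (src, dst) != want:
            bad.append(f"pass {direction} on {on} esp {src}->{dst}: expected {want[0]}->{want[1]}")
    return bad


SPD_RE = re.compile(r"spdadd (\S+) (\S+) \S+ -P out ipsec esp/tunnel/(\S+)-(\S+)/require")

def check_spd(spd_text, routes, outer_local, outer_remote):
    """Outbound tunnel policies should carry the gif tunnel's public endpoints as
    ESP outer addresses; otherwise say where the routing table sends the ESP."""
    bad = []
    for src, dst, o_src, o_dst in SPD_RE.findall(spd_text):
        if (o_src, o_dst) != (outer_local, outer_remote):
            bad.append(f"policy {src}->{dst}: outer {o_src}->{o_dst} is not "
                       f"{outer_local}->{outer_remote}; {o_dst} routes via {lookup(routes, o_dst)}")
    return bad


def report():
    """Trace the pings the post describes through the posted tables and rules."""
    sam, ric = parse_routes(SAM_ROUTES), parse_routes(RIC_ROUTES)
    return {
        "sam->10.1.100.1": lookup(sam, "10.1.100.1"),  # works: via gif102
        "sam->10.1.1.100": lookup(sam, "10.1.1.100"),  # fails: 10/8 on sis1 wins
        "ric->10.1.1.1": lookup(ric, "10.1.1.1"),      # via gif102
        "ric->10.1.10.1": lookup(ric, "10.1.10.1"),    # no route: default via tun0
        "esp_rules": check_esp_rules(SAM_PF_ESP, "sis0", "60.225.5.1", "203.33.16.32"),
        "spd": check_spd(SAM_SPD, sam, "60.225.5.1", "203.33.16.32"),
    }


if __name__ == "__main__":
    print(report())
```

To use it on a live box, paste the current output of netstat -rn, pfctl -sr and setkey -DP into the sample strings and rerun; the same three checks apply unchanged to Ric's side with tun0 as the public interface and the addresses swapped.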