IPSEC & PF - Please help
fwun at bigpond.net.au
Mon Oct 2 16:40:57 PDT 2006
Here is the article I read about the patch for PF:
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html
Where can I find an official release of this patch for freebsd 6.1?
The FreeBSD 6.1-stable I'm using is dated early August.
Thanks
S
---- fwun at bigpond.net.au wrote:
> Hi,
>
> I am having trouble in setting up IPSEC with a remote office. I desperately need help to sort out the problem.
> Here is the description of this little network:
>
> My Office (with Cable Internet, sis0 is the public interface):
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
> inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
> ether 00:0d:b9:03:e2:2c
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
> inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
> inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
> ether 00:0d:b9:03:e2:2d
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> inet 127.0.0.1 netmask 0xff000000
> inet 10.1.1.1 netmask 0xffffff00
> pflog0: flags=41<UP,RUNNING> mtu 33208
> pfsync0: flags=41<UP,RUNNING> mtu 2020
> gif102: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> tunnel inet 60.225.5.1 --> 203.33.16.32
> inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
> inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid 0x7
>
> Ric's Office (with ADSL broadband):
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
> ether 00:0d:b9:03:eb:40
> media: Ethernet autoselect (10baseT/UTP)
> status: active
> sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
> inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
> ether 00:0d:b9:03:eb:41
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> inet 127.0.0.1 netmask 0xff000000
> inet 10.1.1.100 netmask 0xffffff00
> pflog0: flags=41<UP,RUNNING> mtu 33208
> pfsync0: flags=41<UP,RUNNING> mtu 2020
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
> Opened by PID 362
>
> # Script for establishing IPSEC at My Office:
> /sbin/ifconfig lo0 inet 10.1.1.1/24 alias
> setkey -FP
> setkey -F
>
> # Tunnel to Ric office
> /sbin/ifconfig gif102 destroy
> /sbin/ifconfig gif102 create
> /sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
> /sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
> /sbin/route delete 10.1.100.1/24
> /sbin/route delete 172.17.100.0/24
> /sbin/route add 10.1.100.1/24 10.1.1.100
> /sbin/route add 172.17.100.0/24 10.1.1.100
>
> setkey -c << EOF
>
> # Tunnel to Ric office
> spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
>
> EOF
>
> Firewall rules at my (Sam's) office:
> # pfctl -sr
> pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> pass out on sis0 inet proto tcp from any to any port = http keep state
> block drop in log all
> block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
> block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> pass in on lo0 all
> pass out quick on sis0 all keep state
> pass out quick on sis1 all keep state
> pass in on sis1 all keep state
> pass out on sis0 proto tcp all flags S/SA keep state
> pass out on sis1 proto tcp all flags S/SA keep state
> pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
> pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
> pass in on sis0 proto udp from any to any port = commplex-main keep state
> pass in quick on ath0 all keep state
> pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
> pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
> pass in quick proto ipencap all
> pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
> pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
> pass in quick inet from 10.1.1.0/24 to any
> pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> pass out quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> pass quick on gif102 all
>
> Network routing table at my (Sam's) office:
> # netstat -rn | less
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Netif Expire
> default 60.225.5.111 UGS 0 55131 sis0
> 10 link#2 UC 0 1 sis1
> 10.1.1.1 10.1.1.1 UH 0 0 lo0
> 10.1.100/24 10.1.1.100 UGS 0 7 gif102
> 60.225.5/22 link#1 UC 0 0 sis0
> 60.225.5.111 00:0f:35:45:78:70 UHLW 2 0 sis0 1200
> 127.0.0.1 127.0.0.1 UH 0 541 lo0
> 172.17.4/24 link#3 UC 0 0 ath0
> 172.17.100/24 10.1.1.100 UGS 0 0 gif102
> 192.168.0 link#2 UC 0 0 sis1
>
> # Script for establishing IPSEC at Ric's office:
> /sbin/ifconfig lo0 inet 10.1.1.100/24 alias
> setkey -FP
> setkey -F
>
> # Tunnel to Sam Office
> /sbin/ifconfig gif102 destroy
> /sbin/ifconfig gif102 create
> /sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
> /sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
> /sbin/route delete 10.1.1.1/24
> /sbin/route delete 172.17.4.0/24
> /sbin/route add 10.1.1.1/24 10.1.1.1
> /sbin/route add 172.17.4.0/24 10.1.1.1
>
> setkey -c << EOF
>
> # Tunnel to Sam office
> spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
>
>
> EOF
>
> Firewall rules at Ric's office:
> # pfctl -sr
> pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> pass out on tun0 inet proto tcp from any to any port = http keep state
> block drop in log all
> block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
> block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> pass in on lo0 all
> pass out quick on tun0 all keep state
> pass out quick on sis1 all keep state
> pass in on sis1 all keep state
> pass out on tun0 proto tcp all flags S/SA keep state
> pass out on sis1 proto tcp all flags S/SA keep state
> pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
> pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
> pass in on tun0 proto udp from any to any port = commplex-main keep state
> pass in quick on ath0 all keep state
> pass in quick on tun0 inet proto esp from 203.33.16.32 to 60.225.5.1
> pass out quick on tun0 inet proto esp from 60.225.5.1 to 203.33.16.32
> pass in quick proto ipencap all
> pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
> pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
> pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
> pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
> pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> pass quick on gif102 all
>
> Network routing table at Ric's office:
> # netstat -rn
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Netif Expire
> default 203.17.101.81 UGS 0 2005455 tun0
> 10.1.1/24 10.1.1.1 UGS 0 0 gif102
> 10.1.1.1 10.1.1.100 UH 972 1015 gif102
> 10.1.1.100 10.1.1.100 UH 0 16 lo0
> 10.1.100/24 link#2 UC 0 0 sis1
> 10.1.100.1 00:0d:b9:03:eb:41 UHLW 1 10 lo0
> 127.0.0.1 127.0.0.1 UH 0 3335 lo0
> 172.17.4/24 10.1.1.1 UGS 0 586 gif102
> 192.168.0 link#2 UC 0 1 sis1
> 192.168.0.198 00:0d:60:ff:b7:1f UHLW 1 1141717 sis1 818
> 192.168.0.200 00:14:22:fd:cc:8f UHLW 1 9945 sis1
> 203.17.10.8 203.33.16.32 UH 1 0 tun0
>
> The problem is that my (Sam's) office can ping 10.1.100.1 at Ric's office, but I still can't ping his other IP 10.1.1.100 (assigned to his loopback lo interface).
> Ric's office can't ping me (Sam) at 10.1.1.1 or 10.1.10.1 at all. Tcpdump showed that the PF firewall blocked the incoming packets from 10.1.1/24, so I made a "pass" rule to let them through. But Ric still can't ping 10.1.1.1 or 10.1.10.1.
>
> And I read the following article from the PF mailing list; it might be an issue in PF.
> Can anyone please shed some light on this for me? I desperately want to get this working.
>
> Thanks
> S
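Two things in the quoted configuration can be checked mechanically rather than by staring at packet captures. First, the manual `setkey add` lines must be identical on both peers: an SPI is bound to one src->dst pair, and in the post SPI 2744 is attached to 10.1.1.1->10.1.1.100 on Sam's side but to 10.1.1.100->10.1.1.1 on Ric's side, so each side decrypts with the wrong key. Second, the ESP and ISAKMP pass rules on the external interface have their from/to swapped relative to the rule direction (an inbound rule on sis0 at Sam's should match traffic from 203.33.16.32 to 60.225.5.1, not the reverse). The script below is an added example, not code from the post or from FreeBSD; the function names (`sa_mismatches`, `esp_rule_direction_problems`) are hypothetical, the SA lines reuse the addresses and SPIs from the post, and the keys are constructed placeholders.

```python
import re

# Constructed placeholder keys; not the keys from the post.
K_ENC_A, K_AUTH_A = "0x" + "11" * 56, "0x" + "22" * 20
K_ENC_B, K_AUTH_B = "0x" + "33" * 56, "0x" + "44" * 20

# setkey(8) SA lines as posted for Sam's side (keys replaced by the placeholders).
SETKEY_SAM = f"""
add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc {K_ENC_A} -A hmac-sha1 {K_AUTH_A} ;
add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc {K_ENC_B} -A hmac-sha1 {K_AUTH_B} ;
"""
# Ric's side as posted: SPI 2744 (and key set A) is attached to the reverse direction.
SETKEY_RIC = f"""
add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc {K_ENC_A} -A hmac-sha1 {K_AUTH_A} ;
add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc {K_ENC_B} -A hmac-sha1 {K_AUTH_B} ;
"""

SA_RE = re.compile(
    r"^add\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+esp\s+(?P<spi>\d+)\s+.*?"
    r"-E\s+(?P<ealg>\S+)\s+(?P<ekey>0x[0-9A-Fa-f]+)\s+.*?"
    r"-A\s+(?P<aalg>\S+)\s+(?P<akey>0x[0-9A-Fa-f]+)"
)

def parse_sas(text):
    """Map (src, dst) -> SA parameters for every 'add ... esp ...' line."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            d = m.groupdict()
            sas[(d.pop("src"), d.pop("dst"))] = d
    return sas

def sa_mismatches(side_a, side_b):
    """Return (src, dst, field, a_value, b_value) for every SA parameter that differs
    between the two peers for the same src->dst pair, or for a pair missing on one side."""
    problems = []
    a, b = parse_sas(side_a), parse_sas(side_b)
    for pair in sorted(set(a) | set(b)):
        if pair not in a or pair not in b:
            problems.append(pair + ("present", pair in a, pair in b))
            continue
        for field in ("spi", "ealg", "ekey", "aalg", "akey"):
            if a[pair][field] != b[pair][field]:
                problems.append(pair + (field, a[pair][field], b[pair][field]))
    return problems

# pf rules from Sam's side as posted (only the tunnel-related ones).
PF_SAM = """
pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
pass out quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
pass quick on gif102 all
"""
# The same rules with endpoints matching the direction (constructed corrected ruleset).
PF_SAM_FIXED = """
pass in quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
pass out quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass in quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
pass out quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
pass quick on gif102 all
"""

PF_RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<ifn>\S+)\s+(?:inet\s+)?"
    r"proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)

def esp_rule_direction_problems(pf_text, ext_if, local_ip, remote_ip):
    """Flag ESP / ISAKMP pass rules on ext_if whose from/to do not fit the rule direction:
    inbound packets come from the remote gateway to us, outbound go from us to it."""
    problems = []
    for line in pf_text.splitlines():
        m = PF_RULE_RE.match(line.strip())
        if not m or m["ifn"] != ext_if:
            continue
        if m["proto"] != "esp" and "isakmp" not in m["rest"]:
            continue
        want = (remote_ip, local_ip) if m["dir"] == "in" else (local_ip, remote_ip)
        if (m["src"], m["dst"]) != want:
            problems.append((line.strip(), "expected from %s to %s" % want))
    return problems

if __name__ == "__main__":
    for p in sa_mismatches(SETKEY_SAM, SETKEY_RIC):
        print("SA mismatch:", p)
    for rule, why in esp_rule_direction_problems(PF_SAM, "sis0", "60.225.5.1", "203.33.16.32"):
        print("pf direction:", rule, "->", why)
```

The fix the checker points at is to paste the same two `add` lines, unchanged, into both peers' `setkey` scripts (only the SPD `-P in`/`-P out` lines differ per side) and to swap the from/to addresses in the ESP and ISAKMP rules so the inbound rule names the remote gateway as the source.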
More information about the freebsd-net mailing list