IPSec tunneling problem
Toomas Aas
toomas.aas at raad.tartu.ee
Thu Mar 29 13:10:57 UTC 2007
Hello!
We have a central office which is separated from the Internet with firewall
running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the
central office from another small branch office, using FreeBSD 6.2 with
its integrated IPSec and ipsec-tools. The tunneling is generally working,
both internal networks can see each other, but I'm having some problems
with traffic originating from the FreeBSD firewall itself.
The central office has internal network 192.168.1.0/24 and firewall's
external IP is, let's say, A.B.C.D. The branch office has internal network
192.168.5.0/24 and firewall's external IP is W.X.Y.Z.
The policies in /etc/ipsec.conf are as follows.
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being
correctly tunnelled, i.e. when I watch the traffic on the firewall's external
interface with tcpdump, I can see only ESP traffic between A.B.C.D and
W.X.Y.Z, and the internal IPs don't appear anywhere.
I can even successfully initiate *some* tunnelled traffic from the firewall
machine itself, for example
ping -S 192.168.5.1 192.168.1.3
works correctly, as does
telnet -s 192.168.5.1 192.168.1.3 53
However, the main reason why I want to have internal traffic originating
from the firewall host itself is that I'd like to run an internal DNS
server with slave zones for my internal network (*.in-addr.arpa) so all the
DNS traffic wouldn't go through the VPN. The master for these zones is
192.168.1.3. I've configured named.conf with the following
options
{
    ...
    listen-on { 127.0.0.1; 192.168.5.1; };
    // BIND spells this option with a hyphen: query-source
    query-source address 192.168.5.1;
    forwarders {
        192.168.1.3;
    };
    ...
};
...
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "slave/1.168.192.in-addr.arpa";
    masters { 192.168.1.3; };
};
...
However, when I start named and watch the traffic on the firewall's external
interface with tcpdump, I can see actual packets between 192.168.5.1 and
192.168.1.3.
What is the difference between this DNS traffic and things like telnet -s,
which causes the DNS traffic not to be tunneled?
--
Toomas Aas
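The check below is an added example, not part of the original post and not code from ipsec-tools or FreeBSD. It parses the two spdadd policies quoted above, applies their selectors (source, destination, upper-layer protocol, direction) to a few constructed tcpdump-style observations, and lists the packets whose on-wire appearance contradicts the SPD. Assumptions: the lookup is modelled as first-match over the listed policies (the kernel's real SPD ordering is more involved), the DNS packet is treated as UDP, the tunnel endpoint placeholders W.X.Y.Z and A.B.C.D are kept as strings rather than parsed as addresses, and 192.0.2.53 is a documentation address standing in for an external resolver. Running it confirms that the DNS packet from 192.168.5.1 to 192.168.1.3 falls inside the same out policy that covers the ping and telnet cases, so the selectors themselves do not tell the two apart.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two spdadd lines from the post, each joined onto
# one line (setkey also accepts the backslash continuation used in the post).
SPD_TEXT = """
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network   # source address selector
    dst: ipaddress.IPv4Network   # destination address selector
    proto: str                   # upper-layer protocol selector ("any", "udp", ...)
    direction: str               # "in" or "out"
    action: str                  # "ipsec", "discard" or "none"
    tunnel: Tuple[str, str]      # tunnel endpoints as written (placeholders kept)
    level: str                   # "require", "use" or "default"


SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)"
    r"(?:\s+esp/tunnel/(\S+)-(\S+)/(\w+))?\s*;"
)


def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd statements into Policy records."""
    policies = []
    for m in SPDADD_RE.finditer(text.replace("\\\n", " ")):
        src, dst, proto, direction, action, tsrc, tdst, level = m.groups()
        policies.append(Policy(
            ipaddress.ip_network(src), ipaddress.ip_network(dst), proto,
            direction, action, (tsrc or "", tdst or ""), level or "",
        ))
    return policies


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           proto: str, direction: str) -> Optional[Policy]:
    """Simplified SPD lookup: first policy whose selectors cover the packet.
    (Assumption: real kernel ordering/specificity rules are not modelled.)"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.direction == direction and s in p.src and d in p.dst
                and p.proto in ("any", proto)):
            return p
    return None


def expected_on_wire(policies: List[Policy], src_ip: str, dst_ip: str,
                     proto: str, direction: str) -> str:
    """What the external interface should show for this packet."""
    p = lookup(policies, src_ip, dst_ip, proto, direction)
    if p is None or p.action == "none":
        return "cleartext"
    if p.action == "discard":
        return "dropped"
    return "esp"


def find_policy_violations(policies: List[Policy], observed):
    """observed: (src, dst, proto, direction, seen) tuples taken from a
    tcpdump read-out; returns those whose appearance contradicts the SPD."""
    return [o for o in observed
            if expected_on_wire(policies, *o[:4]) != o[4]]


# Constructed tcpdump-style observations (what the external interface showed).
OBSERVED = [
    ("192.168.5.10", "192.168.1.20", "tcp", "out", "esp"),      # LAN-to-LAN, fine
    ("192.168.5.1", "192.168.1.3", "udp", "out", "cleartext"),  # the DNS case
    ("192.168.5.1", "192.0.2.53", "udp", "out", "cleartext"),   # outside tunnel, fine
]

if __name__ == "__main__":
    pols = parse_spd(SPD_TEXT)
    for v in find_policy_violations(pols, OBSERVED):
        print("SPD requires ESP but packet was seen in clear:", v[:4])
```

The same audit can be fed a real capture by converting each tcpdump line into a (src, dst, proto, direction, seen) tuple, where "seen" is "esp" when the outer packet is ESP between the tunnel endpoints and "cleartext" when the inner addresses appear on the wire.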