IPSEC VPN - PACKET FILTER - BSD



Thread: IPSEC VPN - PACKET FILTER

  1. IPSEC VPN - PACKET FILTER

    Hi all,

    I'm running a FreeBSD 7 box and I have some trouble setting up a VPN
    with IPsec.

    Information:
    my external IP: 82.236.103.1
    my internal IP: 192.168.200.254
    my gif0 interface:

    gif0: flags=8051 metric 0 mtu 1280
    tunnel inet 82.236.103.1 --> 82.229.223.240
    inet 192.168.200.254 --> 192.168.100.254 netmask 0xffffffff



    remote external IP: 82.229.223.240
    remote internal IP: 192.168.100.254


    First, here are my routes:

    # netstat -rn
    Destination Gateway Flags Refs Use Netif
    default 82.236.103.254 UGS 0 28622 rl0
    82.236.103.0/24 link#2 UC 0 0 rl0
    [...]
    192.168.100.0/24 192.168.100.254 UGS 0 0 gif0
    192.168.100.254 192.168.200.254 UH 1 2462 gif0
    192.168.200.0/24 link#1 UC 0 0 re0
    [...]




    Second, here are my config files:

    setkey.conf:
    ############################################################
    flush;
    spdflush;

    spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec
    esp/tunnel/82.229.223.240-82.236.103.1/require ;



    spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec
    esp/tunnel/82.236.103.1-82.229.223.240/require ;
    ############################################################


    racoon.conf
    (do I need a "padding" block?)

    ############################################################

    path certificate "/usr/local/etc/racoon/ssl/" ;
    log debug;

    listen
    {
    isakmp 82.236.103.1[500];
    }

    timer
    {

    phase1 40 sec;
    phase2 35 sec;
    }



    remote 82.229.223.240 {
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_identifier on;
    certificate_type x509 "ipsec.crt" "private.key";
    peers_certfile x509 "ipsec.crt";
    lifetime time 10 min;

    proposal {

    dh_group 5;
    }
    }

    sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any
    {
    pfs_group 5;
    lifetime time 2 min;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    }

    ############################################################

    pf.conf (concerning the VPN)

    ext_if = external interface
    int_if = internal interface
    vpn_if = gif0

    vpn_dest = remote hosts (in this case 82.229.223.240)

    ############################################################
    pass in quick on $vpn_if proto {tcp, udp} from $vpn_dest to $int_if:network port 500
    pass in quick on $vpn_if proto esp from $vpn_dest to $int_if:network
    pass in quick on $vpn_if proto ah from $vpn_dest to $int_if:network

    pass out quick on $vpn_if proto icmp from $int_if:network to $vpn_dest
    pass out quick on $vpn_if proto {esp, ah} from $int_if:network to $vpn_dest
    ############################################################

    I run racoon this way to get debug output:
    racoon -F -d -f /path/to/conf/file



    When I ping 192.168.100.254 (the internal remote host),
    the remote admin and I can see that the VPN has been established:

    2008-05-21 20:38:46: INFO: IPsec-SA established: ESP/Tunnel
    82.236.103.1[0]->82.229.223.240[0] spi=.......
    2008-05-21 20:38:46: DEBUG: ===

    So the VPN is OK,

    but the ping fails; I get no answers:

    PING 192.168.100.254 (192.168.100.254): 56 data bytes
    ^C
    --- 192.168.100.254 ping statistics ---
    117 packets transmitted, 0 packets received, 100.0% packet loss


    ---------------------------------------------------------------------------------

    I'm 99% sure that it's the rules in my pf.conf, but I can't see it.

    Can someone help me?



    PS: excuse my bad English


    --
    Mike

  2. Re: IPSEC VPN - PACKET FILTER

    Mike wrote:
    > Hi all,
    >
    > I'm running a FreeBSD 7 box and I have some trouble setting up a VPN
    > with IPsec.
    >
    > Information:
    > my external IP: 82.236.103.1
    > my internal IP: 192.168.200.254
    > my gif0 interface:
    >
    > gif0: flags=8051 metric 0 mtu 1280
    > tunnel inet 82.236.103.1 --> 82.229.223.240
    > inet 192.168.200.254 --> 192.168.100.254 netmask 0xffffffff
    >
    >
    >
    > remote external IP: 82.229.223.240
    > remote internal IP: 192.168.100.254
    >
    >
    > First, here are my routes:
    >
    > # netstat -rn
    > Destination Gateway Flags Refs Use Netif
    > default 82.236.103.254 UGS 0 28622 rl0
    > 82.236.103.0/24 link#2 UC 0 0 rl0
    > [...]
    > 192.168.100.0/24 192.168.100.254 UGS 0 0 gif0
    > 192.168.100.254 192.168.200.254 UH 1 2462 gif0
    > 192.168.200.0/24 link#1 UC 0 0 re0
    > [...]
    >
    >
    >
    >
    > Second, here are my config files:
    >
    > setkey.conf:
    > ############################################################
    > flush;
    > spdflush;
    >
    > spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec
    > esp/tunnel/82.229.223.240-82.236.103.1/require ;
    >
    >
    >
    > spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec
    > esp/tunnel/82.236.103.1-82.229.223.240/require ;
    > ############################################################
    >
    >
    > racoon.conf
    > (do I need a "padding" block?)
    >
    > ############################################################
    >
    > path certificate "/usr/local/etc/racoon/ssl/" ;
    > log debug;
    >
    > listen
    > {
    > isakmp 82.236.103.1[500];
    > }
    >
    > timer
    > {
    >
    > phase1 40 sec;
    > phase2 35 sec;
    > }
    >
    >
    >
    > remote 82.229.223.240 {
    > exchange_mode main;
    > my_identifier asn1dn;
    > peers_identifier asn1dn;
    > verify_identifier on;
    > certificate_type x509 "ipsec.crt" "private.key";
    > peers_certfile x509 "ipsec.crt";
    > lifetime time 10 min;
    >
    > proposal {
    >
    > dh_group 5;
    > }
    > }
    >
    > sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any
    > {
    > pfs_group 5;
    > lifetime time 2 min;
    > encryption_algorithm aes;
    > authentication_algorithm hmac_sha1;
    > compression_algorithm deflate;
    > }
    >
    > ############################################################
    >
    >
    > pf.conf (concerning the VPN)
    >
    > ext_if = external interface
    > int_if = internal interface
    > vpn_if = gif0
    >
    > vpn_dest = remote hosts (in this case 82.229.223.240)
    >
    > ############################################################
    >
    > pass in quick on $vpn_if proto {tcp, udp} from $vpn_dest to $int_if:network port 500
    > pass in quick on $vpn_if proto esp from $vpn_dest to $int_if:network


    When I was doing the same IPsec setup (in an old config that is not running
    anymore, but I still have the rules in my pf.conf), my rules were on ext_if.

    Strangely enough, it seems to be established in your case with rules on the
    gif interface.

    > pass in quick on $vpn_if proto ah from $vpn_dest to $int_if:network
    >
    > pass out quick on $vpn_if proto icmp from $int_if:network to $vpn_dest


    Try after replacing vpn_dest with 192.168.100.0/24, and don't constrain
    on vpn_if.

    Henri

    > pass out quick on $vpn_if proto {esp, ah} from $int_if:network to $vpn_dest
    > ############################################################
    >
    >
    > I run racoon this way to get debug output:
    > racoon -F -d -f /path/to/conf/file
    >
    >
    >
    > When I ping 192.168.100.254 (the internal remote host),
    > the remote admin and I can see that the VPN has been established:
    >
    > 2008-05-21 20:38:46: INFO: IPsec-SA established: ESP/Tunnel
    > 82.236.103.1[0]->82.229.223.240[0] spi=.......
    > 2008-05-21 20:38:46: DEBUG: ===
    >
    > So the VPN is OK,
    >
    > but the ping fails; I get no answers:
    >
    > PING 192.168.100.254 (192.168.100.254): 56 data bytes
    > ^C
    > --- 192.168.100.254 ping statistics ---
    > 117 packets transmitted, 0 packets received, 100.0% packet loss
    >
    >
    > ---------------------------------------------------------------------------------
    >
    >
    > I'm 99% sure that it's the rules in my pf.conf, but I can't see it.
    >
    > Can someone help me?
    >
    >
    >
    > PS: excuse my bad English


    Me too ;-)
    >
    >
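    A pf.conf fragment that puts Henri's suggestion into rules, added here as an example and not part of either post. IKE (UDP 500) and the encrypted ESP/AH packets are filtered on the external interface between the two gateways, while the decapsulated traffic is matched on the two private networks. The interface names rl0 and re0 are taken from the netstat output above; a default "block" policy is assumed.

    ```pf
    # Interfaces from the netstat output above; pf's default policy is assumed
    # to be "block", so anything not passed below is dropped.
    ext_if  = "rl0"
    int_if  = "re0"
    vpn_if  = "gif0"
    vpn_gw  = "82.229.223.240"     # remote IPsec gateway (outer address)
    vpn_net = "192.168.100.0/24"   # remote private network (inner addresses)

    # IKE and the ESP/AH packets travel between the two gateways on the
    # external interface, so that is where they must be passed.
    pass in  quick on $ext_if proto udp from $vpn_gw to ($ext_if) port 500 keep state
    pass out quick on $ext_if proto udp from ($ext_if) to $vpn_gw port 500 keep state
    pass in  quick on $ext_if proto { esp, ah } from $vpn_gw to ($ext_if)
    pass out quick on $ext_if proto { esp, ah } from ($ext_if) to $vpn_gw

    # After decapsulation the packets carry the private addresses, so rules
    # that match on $vpn_gw never see them (which is why the echo replies from
    # 192.168.100.254 were dropped). Match on the two private networks instead,
    # without tying the rules to $vpn_if, as Henri suggests. Once the tunnel
    # works, adding "on $vpn_if" narrows these rules to the tunnel interface.
    pass in  quick from $vpn_net to $int_if:network keep state
    pass out quick from $int_if:network to $vpn_net keep state
    ```

    `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax slips before the new rules replace the running set.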

