Ipsec with SA established, but NO traffic

Jan Koukal Jan.Koukal at fs.cvut.cz
Wed Oct 3 10:43:28 CEST 2007


Hello,
I apologize in advance for posting this mail in English, but I am also working on
this problem in another mailing list, so if you don't mind translating, please try
to answer me if you know the answer or have any idea what to look at.

Thank you

	Jan Koukal

_______________________________________


Hello,
I have a strange problem with IPsec. Because I'm not an IPsec guru, if you
need more information, write me.

I have an IPCop Linux firewall distribution (pluto, iptables) in the head office
which is terminating 2 VPNs.
The first is from pfSense, a FreeBSD firewall distribution (racoon, pf), and the second from
Debian (racoon).

This configuration worked well, but on Monday, without any known change and no
reboot, traffic is not passing through the tunnel. But the SA is established and the
tunnel is UP. I tried reboots on all endpoints without success in passing traffic
through. I didn't make any firewall filter changes.

I tried tcpdump on both endpoints. On IPCop I see that my ICMP packets go
through the ipsec0 interface, but on pfSense I see in tcpdump on the external
interface "Destination host unreachable 50".

I think the problem will be on the pfSense side because the second VPN still works well.

Here is my configuration:

pfSense
____________________________________________________________________

# ifconfig

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:fcff:fea0:20ec%rl0 prefixlen 64 scopeid 0x1
        ether 00:50:fc:a0:20:ec
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 147.20.148.94 netmask 0xfffffffc broadcast 147.20.148.95
        inet6 fe80::202:b3ff:fe5b:dbb%fxp0 prefixlen 64 scopeid 0x2
        ether 00:02:b3:5b:0d:bb
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pfsync0: flags=41<UP,RUNNING> mtu 2020
        pfsync: syncdev: lo0 maxupd: 128
pflog0: flags=100<PROMISC> mtu 33208


racoon.conf
-----------------------------------------------------------------

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 88.200.30.145 {
        exchange_mode main;
        my_identifier address "147.20.148.94";

        peers_identifier address 88.200.30.145;
        initial_contact on;
        support_proxy on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28000 secs;
        }
        lifetime time 28000 secs;
}

sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 28000 secs;
}


spd.conf
-----------------------------------------------
spdadd 192.168.1.0/24 192.168.1.1/32 any -P in none;
spdadd 192.168.1.1/32 192.168.1.0/24 any -P out none;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
esp/tunnel/147.20.148.94-88.200.30.145/unique;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/88.200.30.145-147.20.148.94/unique;


------------------------------------------------


# netstat -sn

fastipsec:
        0 inbound packets violated process security policy
        0 outbound packets violated process security policy
        2 outbound packets with no SA available
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route available
        0 invalid outbound packets
        0 outbound packets with bundled SAs
        0 mbufs coalesced during clone
        0 clusters coalesced during clone
        0 clusters copied during clone
        439 mbufs inserted during makespace
ah:
        0 packets shorter than header shows
        0 packets dropped; protocol family not supported
        0 packets dropped; no TDB
        0 packets dropped; bad KCR
        0 packets dropped; queue full
        0 packets dropped; no transform
        0 replay counter wraps
        0 packets dropped; bad authentication detected
        0 packets dropped; bad authentication length
        0 possible replay packets detected
        0 packets in
        0 packets out
        0 packets dropped; invalid TDB
        0 bytes in
        0 bytes out
        0 packets dropped; larger than IP_MAXPACKET
        0 packets blocked due to policy
        0 crypto processing failures
        0 tunnel sanity check failures
        AH output histogram:
                hmac-md5: 1615
esp:
        0 packets shorter than header shows
        0 packets dropped; protocol family not supported
        0 packets dropped; no TDB
        0 packets dropped; bad KCR
        0 packets dropped; queue full
        0 packets dropped; no transform
        0 packets dropped; bad ilen
        0 replay counter wraps
        0 packets dropped; bad encryption detected
        0 packets dropped; bad authentication detected
        0 possible replay packets detected
        0 packets in
        1615 packets out
        0 packets dropped; invalid TDB
        0 bytes in
        93926 bytes out
        0 packets dropped; larger than IP_MAXPACKET
        0 packets blocked due to policy
        0 crypto processing failures
        0 tunnel sanity check failures
        ESP output histogram:
                3des-cbc: 1615


# setkey -D
147.20.148.94 88.200.30.145
        esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
        E: 3des-cbc  74b233f5 be320ffb 5262340e 7232917b 0b05bace 2368b3e1
        A: hmac-md5  6ea864f2 90d31618 39dd48de 89c95bf0
        seq=0x00000088 replay=4 flags=0x00000000 state=mature
        created: Oct  3 09:56:29 2007   current: Oct  3 10:11:38 2007
        diff: 909(s)    hard: 28000(s)  soft: 22400(s)
        last: Oct  3 10:11:37 2007      hard: 0(s)      soft: 0(s)
        current: 14648(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 136  hard: 0 soft: 0
        sadb_seq=1 pid=43956 refcnt=2
88.200.30.145 147.20.148.94
        esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
        E: 3des-cbc  4c4746d4 c9ba287a 9630340b 500ba432 fc6599af 66778117
        A: hmac-md5  a715036a d0dca9ad ccd2e914 fd695b4a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  3 09:56:29 2007   current: Oct  3 10:11:38 2007
        diff: 909(s)    hard: 28000(s)  soft: 22400(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=43956 refcnt=1


# setkey -DP
192.168.1.0/24[any] 192.168.1.1[any] any
        in none
        spid=9 seq=3 pid=44004
        refcnt=1
192.168.0.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/88.200.30.145-147.20.148.94/unique#16390
        spid=12 seq=2 pid=44004
        refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
        out none
        spid=10 seq=1 pid=44004
        refcnt=1
192.168.1.0/24[any] 192.168.0.0/24[any] any
        out ipsec
        esp/tunnel/147.20.148.94-88.200.30.145/unique#16389
        spid=11 seq=0 pid=44004
        refcnt=1



tcpdump on the external interface during the command ping -S 192.168.1.1 192.168.0.1:

10:13:21.140393 IP 147.20.148.94 > 88.200.30.145:
ESP(spi=0x0e9927b4,seq=0x98), length 116
10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145
protocol 50 unreachable, length 144
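The two pieces of output above already contain the diagnosis: the outbound SA has carried bytes while the inbound SA has never received any, and the peer answers every ESP packet with an ICMP "protocol 50 unreachable" (IP protocol 50 is ESP), which means the peer's host is refusing ESP at the IP layer rather than the tunnel being down. The script below is an added example (not part of the original post, and not code from pfSense, racoon or IPCop) that parses `setkey -D` and tcpdump output and flags both symptoms automatically. The sample text is constructed from the output quoted in the post; the wrapped tcpdump ICMP line is joined back onto one line.

```python
import re
from dataclasses import dataclass

# Sample input, constructed from the setkey -D output quoted in the post above.
SETKEY_D = """\
147.20.148.94 88.200.30.145
        esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
        seq=0x00000088 replay=4 flags=0x00000000 state=mature
        created: Oct  3 09:56:29 2007   current: Oct  3 10:11:38 2007
        current: 14648(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 136  hard: 0 soft: 0
88.200.30.145 147.20.148.94
        esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  3 09:56:29 2007   current: Oct  3 10:11:38 2007
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
"""

# Sample input, constructed from the tcpdump lines in the post (ICMP line unwrapped).
TCPDUMP = """\
10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144
"""

ESP_PROTO = 50  # IP protocol number of ESP

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" line starts an SA block
SPI_RE = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")
BYTES_RE = re.compile(r"current:\s+(\d+)\(bytes\)")     # byte counter, not the "current:" timestamp
ALLOC_RE = re.compile(r"allocated:\s+(\d+)")
ICMP_UNREACH_RE = re.compile(
    r"^\S+ IP (\S+) > (\S+): ICMP \S+ protocol (\d+) unreachable")


@dataclass
class SA:
    src: str
    dst: str
    spi: str = ""
    bytes_: int = 0
    allocated: int = 0


def parse_setkey_d(text):
    """Parse setkey -D output into one SA record per src/dst block."""
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # unindented line: new SA header
            m = SA_HEADER.match(line)
            if m:
                sas.append(SA(m.group(1), m.group(2)))
            continue
        if not sas:
            continue
        cur = sas[-1]
        if m := SPI_RE.search(line):
            cur.spi = m.group(1)
        if m := BYTES_RE.search(line):
            cur.bytes_ = int(m.group(1))
        if m := ALLOC_RE.search(line):
            cur.allocated = int(m.group(1))
    return sas


def one_way_tunnels(sas):
    """Pair every SA with its reverse direction and return (out_spi, in_spi)
    for pairs where one direction carried traffic but the reverse saw none."""
    by_pair = {(sa.src, sa.dst): sa for sa in sas}
    findings = []
    for (src, dst), sa in by_pair.items():
        rev = by_pair.get((dst, src))
        if rev is not None and sa.bytes_ > 0 and rev.bytes_ == 0:
            findings.append((sa.spi, rev.spi))
    return findings


def icmp_proto_unreachable(text):
    """Return (sender, protocol) for every ICMP protocol-unreachable line in tcpdump output."""
    hits = []
    for line in text.splitlines():
        m = ICMP_UNREACH_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(3))))
    return hits


def diagnose(setkey_text, tcpdump_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for out_spi, in_spi in one_way_tunnels(parse_setkey_d(setkey_text)):
        findings.append(f"one-way tunnel: outbound SA {out_spi} carries traffic "
                        f"but inbound SA {in_spi} has 0 bytes")
    for peer, proto in icmp_proto_unreachable(tcpdump_text):
        if proto == ESP_PROTO:
            findings.append(f"peer {peer} answers ESP with ICMP protocol 50 unreachable: "
                            "its IP stack is not accepting ESP (check the peer's IPsec "
                            "stack/ipsec0 binding and that protocol 50 is not filtered)")
    return findings


if __name__ == "__main__":
    for f in diagnose(SETKEY_D, TCPDUMP):
        print("-", f)
```

Run against the post's output it reports exactly the two findings that matter: the SA pair is one-way (bytes only in the 147.20.148.94 to 88.200.30.145 direction), and 88.200.30.145 is rejecting ESP outright. Because the ICMP error comes from the peer's IP stack before any IPsec processing, the next place to look is the IPCop end (whether its IPsec stack is actually bound to the external interface and whether protocol 50 reaches it), not the pfSense SA or SPD, which this output shows are correct.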
