Ipsec with SA established, but NO traffic
Jan Koukal
Jan.Koukal at fs.cvut.cz
Wed Oct 3 10:43:28 CEST 2007
Hello,
I apologise in advance for posting this mail in English, but I am dealing with this
problem on another list as well, so if you don't mind translating, please try
to answer me if you know the answer or have an idea of what to look at.
Thank you
Jan Koukal
_______________________________________
Hello,
I have a strange problem with IPsec. Because I'm not an IPsec guru, if you
need more information, write to me.
I have an IPCop Linux firewall distribution (pluto, iptables) in the head office
which is terminating 2 VPNs.
The first is from pfSense, a FreeBSD firewall distribution (racoon, pf), and the
second from Debian (racoon).
This configuration worked well, but on Monday, without any known change and no
reboot, traffic stopped passing through the tunnel. But the SA is established and
the tunnel is UP. I tried reboots on all endpoints, without success in getting
traffic through. I didn't make any firewall filter changes.
I tried tcpdump on both endpoints. On IPCop I see that my ICMP packets go
through the ipsec0 interface, but on pfSense I see in tcpdump on the external
interface "Destination host unreachable 50".
I think the problem will be on the pfSense side, because the second VPN still
works well.
Here is my configuration:
pfSense
____________________________________________________________________
# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:fcff:fea0:20ec%rl0 prefixlen 64 scopeid 0x1
ether 00:50:fc:a0:20:ec
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 147.20.148.94 netmask 0xfffffffc broadcast 147.20.148.95
inet6 fe80::202:b3ff:fe5b:dbb%fxp0 prefixlen 64 scopeid 0x2
ether 00:02:b3:5b:0d:bb
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pfsync0: flags=41<UP,RUNNING> mtu 2020
pfsync: syncdev: lo0 maxupd: 128
pflog0: flags=100<PROMISC> mtu 33208
racoon.conf
-----------------------------------------------------------------
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 88.200.30.145 {
    exchange_mode main;
    my_identifier address "147.20.148.94";
    peers_identifier address 88.200.30.145;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28000 secs;
    }
    lifetime time 28000 secs;
}

sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 28000 secs;
}
spd.conf
-----------------------------------------------
spdadd 192.168.1.0/24 192.168.1.1/32 any -P in none;
spdadd 192.168.1.1/32 192.168.1.0/24 any -P out none;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/147.20.148.94-88.200.30.145/unique;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/88.200.30.145-147.20.148.94/unique;
------------------------------------------------
# netstat -sn
fastipsec:
0 inbound packets violated process security policy
0 outbound packets violated process security policy
2 outbound packets with no SA available
0 outbound packets failed due to insufficient memory
0 outbound packets with no route available
0 invalid outbound packets
0 outbound packets with bundled SAs
0 mbufs coalesced during clone
0 clusters coalesced during clone
0 clusters copied during clone
439 mbufs inserted during makespace
ah:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 replay counter wraps
0 packets dropped; bad authentication detected
0 packets dropped; bad authentication length
0 possible replay packets detected
0 packets in
0 packets out
0 packets dropped; invalid TDB
0 bytes in
0 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
AH output histogram:
hmac-md5: 1615
esp:
0 packets shorter than header shows
0 packets dropped; protocol family not supported
0 packets dropped; no TDB
0 packets dropped; bad KCR
0 packets dropped; queue full
0 packets dropped; no transform
0 packets dropped; bad ilen
0 replay counter wraps
0 packets dropped; bad encryption detected
0 packets dropped; bad authentication detected
0 possible replay packets detected
0 packets in
1615 packets out
0 packets dropped; invalid TDB
0 bytes in
93926 bytes out
0 packets dropped; larger than IP_MAXPACKET
0 packets blocked due to policy
0 crypto processing failures
0 tunnel sanity check failures
ESP output histogram:
3des-cbc: 1615
# setkey -D
147.20.148.94 88.200.30.145
	esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
	E: 3des-cbc 74b233f5 be320ffb 5262340e 7232917b 0b05bace 2368b3e1
	A: hmac-md5 6ea864f2 90d31618 39dd48de 89c95bf0
	seq=0x00000088 replay=4 flags=0x00000000 state=mature
	created: Oct 3 09:56:29 2007 current: Oct 3 10:11:38 2007
	diff: 909(s) hard: 28000(s) soft: 22400(s)
	last: Oct 3 10:11:37 2007 hard: 0(s) soft: 0(s)
	current: 14648(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 136 hard: 0 soft: 0
	sadb_seq=1 pid=43956 refcnt=2
88.200.30.145 147.20.148.94
	esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
	E: 3des-cbc 4c4746d4 c9ba287a 9630340b 500ba432 fc6599af 66778117
	A: hmac-md5 a715036a d0dca9ad ccd2e914 fd695b4a
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Oct 3 09:56:29 2007 current: Oct 3 10:11:38 2007
	diff: 909(s) hard: 28000(s) soft: 22400(s)
	last: hard: 0(s) soft: 0(s)
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 0 hard: 0 soft: 0
	sadb_seq=0 pid=43956 refcnt=1
# setkey -DP
192.168.1.0/24[any] 192.168.1.1[any] any
	in none
	spid=9 seq=3 pid=44004
	refcnt=1
192.168.0.0/24[any] 192.168.1.0/24[any] any
	in ipsec
	esp/tunnel/88.200.30.145-147.20.148.94/unique#16390
	spid=12 seq=2 pid=44004
	refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
	out none
	spid=10 seq=1 pid=44004
	refcnt=1
192.168.1.0/24[any] 192.168.0.0/24[any] any
	out ipsec
	esp/tunnel/147.20.148.94-88.200.30.145/unique#16389
	spid=11 seq=0 pid=44004
	refcnt=1
tcpdump on the external interface while running: ping -S 192.168.1.1 192.168.0.1
10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144
More information about the Users-l mailing list
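As an added example (not code from the post, from pfSense or from IPCop), the following Python script turns the two artifacts quoted above, the tcpdump of the external interface and the `setkey -D` output, into a verdict with the evidence behind it. It relies on one property of ICMP: a type 3 code 2 "protocol unreachable" message is generated by the host that received the datagram and found nothing willing to accept that IP protocol, so the source address of that ICMP names the host that is refusing ESP (protocol 50). The function and verdict names are this example's own; the sample text is copied from the output quoted in the post.

```python
"""Triage an IPsec tunnel whose SA is mature but carries no traffic.

Added example, not code from the post or from pfSense/IPCop.  It reads the
two things an operator can paste in (`setkey -D` and a tcpdump of the
external interface) and returns a verdict plus the evidence for it.  The
function and verdict names are this example's own; the sample text is
copied from the output quoted in the post.
"""
import re
from dataclasses import dataclass

# tcpdump line shapes for ESP and for ICMP type 3 code 2 ("protocol unreachable").
# The ICMP is generated by the host that *received* the datagram and found no
# handler for that IP protocol, so its source address names the rejecting host.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")
UNREACH_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ protocol (\d+) unreachable")
ESP_PROTO = 50


@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0      # SPI from the spi=N(0x...) field
    seq: int = 0      # sequence counter; stays 0 on an SA that never carried data
    nbytes: int = 0   # "current: N(bytes)" lifetime counter


def parse_setkey(text):
    """Pick SPI, sequence number and byte counter out of `setkey -D` output."""
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented "src dst" line starts an SA
            src, dst = line.split()
            sas.append(SA(src, dst))
            continue
        cur = sas[-1]
        if m := re.search(r"spi=\d+\((0x[0-9a-f]+)\)", line):
            cur.spi = int(m.group(1), 16)
        if m := re.match(r"\s*seq=(0x[0-9a-f]+)", line):
            cur.seq = int(m.group(1), 16)
        if m := re.match(r"\s*current:\s*(\d+)\(bytes\)", line):
            cur.nbytes = int(m.group(1))
    return sas


def parse_tcpdump(text):
    """Return (ESP packets, protocol-unreachable messages) seen in a tcpdump."""
    esp, unreach = [], []
    for line in text.splitlines():
        if m := ESP_RE.search(line):
            esp.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif m := UNREACH_RE.search(line):
            unreach.append((m.group(1), m.group(2), int(m.group(3))))
    return esp, unreach


def triage(local, peer, setkey_text, tcpdump_text):
    """Combine SA counters and the capture into a verdict and its evidence."""
    sas = {(s.src, s.dst): s for s in parse_setkey(setkey_text)}
    out_sa, in_sa = sas.get((local, peer)), sas.get((peer, local))
    if out_sa is None or in_sa is None:
        return "no-sa-pair", ["setkey -D lacks an SA in one direction: phase 2 did not complete"]
    esp, unreach = parse_tcpdump(tcpdump_text)
    sent = [p for p in esp if p[:2] == (local, peer)]
    received = [p for p in esp if p[:2] == (peer, local)]
    rejected = [u for u in unreach if u[0] == peer and u[2] == ESP_PROTO]
    if not sent:
        return "no-esp-sent", ["no ESP leaves this host: check setkey -DP and the "
                               "fastipsec 'outbound packets with no SA available' counter"]
    if any(p[2] != out_sa.spi for p in sent):
        return "spi-mismatch", [f"ESP on the wire uses a different SPI than the "
                                f"outbound SA {out_sa.spi:#x}: stale SA, renegotiate"]
    evidence = [f"outbound SA {out_sa.spi:#x} is in use: seq={out_sa.seq:#x}, {out_sa.nbytes} bytes"]
    if rejected:
        evidence.append(f"{peer} answers ESP with ICMP protocol {ESP_PROTO} unreachable: nothing on "
                        "that host accepts ESP (IPsec stack not attached, or a REJECT rule), so "
                        "packets never reach its inbound SA; look there first")
        return "peer-rejects-esp", evidence
    if received or in_sa.nbytes:
        evidence.append("ESP flows both ways: IPsec is fine, look at routing and filters behind the tunnel")
        return "bidirectional", evidence
    evidence.append(f"nothing comes back and inbound SA {in_sa.spi:#x} is unused: "
                    "the peer drops ESP silently (filter, or its own SPD/SAD)")
    return "one-way", evidence


# Constructed sample input, copied from the diagnostic output quoted in the post.
SETKEY_D = """\
147.20.148.94 88.200.30.145
\tesp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
\tseq=0x00000088 replay=4 flags=0x00000000 state=mature
\tcurrent: 14648(bytes) hard: 0(bytes) soft: 0(bytes)
88.200.30.145 147.20.148.94
\tesp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""
TCPDUMP = """\
10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144
"""

if __name__ == "__main__":
    verdict, evidence = triage("147.20.148.94", "88.200.30.145", SETKEY_D, TCPDUMP)
    print(verdict)
    for item in evidence:
        print(" -", item)
```

Run it as-is to see the verdict for the capture in the post; to reuse it on a live box, paste the output of `setkey -D` and of `tcpdump -ni <ext_if> 'ip proto 50 or icmp'` into the two strings. The other verdicts cover the cases the post's counters would otherwise leave ambiguous: no ESP on the wire points at the SPD or a missing SA, a different SPI on the wire than in the SAD points at a stale SA, and ESP going out with nothing at all coming back points at a silent drop on the far side rather than a refused protocol.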