From: Zeus V P. <ze...@ib...> - 2011-07-26 10:59:59
Hi,
I'm trying to get the following scheme working:
SCHEMA:
--------------
LAN a.a.a.1/24 <-> a.a.a.2/24 FreeBSD b.b.b.1 <-> c.c.c.1 IPSEC PEER PIX
| |
+ x.x.x.x <-------> y.y.y.y +
CONFIGURATION:
--------------
/etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0 vlan37 vlan41"
ifconfig_re0="UP"
ifconfig_vlan37="inet a.a.a.2/24 vlan 37 vlandev re0"
ifconfig_vlan41="inet x.x.x.x/25 vlan 41 vlandev re0"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
pf_enable="YES"
pflog_enable="YES"
...
/usr/local/etc/racoon/setkey.conf
flush;
spdflush;
spdadd b.b.b.1 b.b.b.1 any -P out none;
spdadd b.b.b.1 b.b.b.1 any -P in none;
spdadd b.b.b.1 c.c.c.0/24 any -P out ipsec \
esp/tunnel/x.x.x.x-y.y.y.y/require;
spdadd c.c.c.0/24 b.b.b.1 any -P in ipsec \
esp/tunnel/y.y.y.y-x.x.x.x/require;
/etc/pf.conf
...
set skip on lo0
set optimization conservative
set ruleset-optimization basic
nat on $if_ipsec from a.a.a.20 to c.c.c.1 -> b.b.b.1 bitmask static-port
block in log (all)
pass log (all) on $if_ipsec
pass log (all) on $if_int
pass out log (all) keep state
antispoof for {$if_ext, $if_int, $if_ipsec}
pass in log inet proto icmp all icmp-type echoreq
pass in quick on $if_ipsec proto esp from y.y.y.y to x.x.x.x
pass in quick on $if_ipsec proto ipencap from y.y.y.y to x.x.x.x
pass in quick on $if_ipsec proto udp from y.y.y.y to x.x.x.x port isakmp
pass in quick on $if_ipsec proto udp from y.y.y.y to x.x.x.x port 4500
pass in log (all) on $if_ext from { <IP_PASS_EXT> } to $if_ext
pass in log (all) on $if_int from { <IP_PASS_INT> } to $if_int
WHAT I DO:
--------------
1)
trying to ping IPSEC PEER from LAN
user@a.a.a.20> ping c.c.c.1
packets are going out but there is no return
on the FreeBSD box I see packets missing IPsec:
user@FreeBSD> tcpdump -n -i gif0 host 10.1.100.239
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:27:18.122542 IP b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 2903, length 64
13:27:19.123275 IP b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 2904, length 64
13:27:20.124517 IP b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 2905, length 64
13:27:21.125568 IP b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 2906, length 64
user@FreeBSD> tcpdump -n -i vlan41 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.000000 ethertype IPv4 (0x0800), length 118: x.x.x.x > y.y.y.y: b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 3291, length 64 (ipip-proto-4)
00:00:01.002444 ethertype IPv4 (0x0800), length 118: x.x.x.x > y.y.y.y: b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 3292, length 64 (ipip-proto-4)
00:00:00.998157 ethertype IPv4 (0x0800), length 118: x.x.x.x > y.y.y.y: b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 3293, length 64 (ipip-proto-4)
00:00:01.000384 ethertype IPv4 (0x0800), length 118: x.x.x.x > y.y.y.y: b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 3294, length 64 (ipip-proto-4)
00:00:00.999928 ethertype IPv4 (0x0800), length 118: x.x.x.x > y.y.y.y: b.b.b.1 > c.c.c.1: ICMP echo request, id 39050, seq 3295, length 64 (ipip-proto-4)
2)
trying to ping IPSEC PEER from FreeBSD box
user@b.b.b.1> ping c.c.c.1
everything works
user@b.b.b.1> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, length 64
13:45:57.760745 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, length 64
13:45:58.762787 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, length 64
13:45:59.765493 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, length 64
13:46:00.764619 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, length 64
13:46:01.765676 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, length 64
user@b.b.b.1> tcpdump -n -ettt -s0 -i vlan11 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132
user@b.b.b.1> tcpdump -i pflog0 | grep block
doesn't show any lines
so ... here is the question:
why doesn't my LAN traffic enter IPsec?
I appreciate any help
--
Zeus V. Panchenko
JID:ze...@gn... GMT+2 (EET)
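As an added illustration (not part of the post), a small Python model of setkey SPD selector matching, applied to the posted setkey.conf and the posted pf nat rule with constructed stand-in addresses: it shows that the posted policies only select b.b.b.1 as the inner source, so a packet from the LAN host matches no ipsec policy unless its source has already been rewritten to b.b.b.1. Whether the kernel's SPD lookup sees the packet before or after pf's NAT rewrite is not something this model decides; that has to be checked on the box (setkey -DP and the captures above).

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the letters used in the post (not the real addresses):
# a.a.a.0/24 -> 192.0.2.0/24, b.b.b.1 -> 10.1.1.1, c.c.c.0/24 -> 10.1.100.0/24,
# x.x.x.x -> 203.0.113.1, y.y.y.y -> 198.51.100.1
SETKEY_CONF = r"""flush; spdflush;
spdadd 10.1.1.1 10.1.1.1 any -P out none;
spdadd 10.1.1.1 10.1.1.1 any -P in none;
spdadd 10.1.1.1 10.1.100.0/24 any -P out ipsec \
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.1.100.0/24 10.1.1.1 any -P in ipsec \
    esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

# src/dst are IPv4Network selectors; direction is "in"/"out"; action is none/discard/ipsec
Policy = namedtuple("Policy", "src dst direction action")

def parse_spd(text):
    """Selectors of every spdadd statement; flush/spdflush carry none."""
    stmts = text.replace("\\\n", " ").split(";")  # join '\' continuation lines
    policies = []
    for tokens in (s.split() for s in stmts):
        if tokens and tokens[0] == "spdadd":
            p = tokens.index("-P")  # "-P <dir> <action> [proto/mode/peers/level]"
            policies.append(Policy(ipaddress.ip_network(tokens[1], strict=False),
                                   ipaddress.ip_network(tokens[2], strict=False),
                                   tokens[p + 1], tokens[p + 2]))
    return policies

def lookup(policies, src, dst, direction):
    """Action of the first policy (file order, a simplification of the kernel's SPD
    ordering) whose selectors match; None means no policy applies, i.e. plaintext."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if pol.direction == direction and s in pol.src and d in pol.dst:
            return pol.action
    return None

def nat_source(src, dst):
    """Model of the posted pf rule: nat from a.a.a.20 to c.c.c.1 -> b.b.b.1."""
    return "10.1.1.1" if (src, dst) == ("192.0.2.20", "10.1.100.1") else src

if __name__ == "__main__":
    spd = parse_spd(SETKEY_CONF)
    for src in ("10.1.1.1", "192.0.2.20"):  # the FreeBSD box itself, then the LAN host
        post = nat_source(src, "10.1.100.1")
        print(f"{src}: as-is={lookup(spd, src, '10.1.100.1', 'out')} "
              f"after-nat={lookup(spd, post, '10.1.100.1', 'out')}")
```

Traffic from the box itself matches the ipsec policy directly, while the LAN host's packet matches nothing until its source reads b.b.b.1, which is the difference between the two captures in the post.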