Hi.
I can't really figure out why my IPSEC tunnel is not working.
On the picture you can see configuration of external and interal interfaces on checkpoint and FreeBSD.
(http://fefo.valec.net/Diagram1.svg)
I do the procedures from manual pages:
http://www.freebsd.org/doc/en/articles/checkpoint/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
gif from FreeBSD router:
setkey.conf from FreeBSD router:
racoon.conf from FreeBSD router:
I've added route for 10.10.10.0/24 network:
When I make a simple ping I see that IPSEC is working correctly, cause there is Ipsec-SA established: ESP/Tunnel .....
If I make ping from FreeBSD router ping -S 192.168.10.199 10.10.10.1
I can see in tcpdump on gif0 interface only ICMP echo replies.
On external interface fxp0 I see ESP from 1.2.3.4 and also to 1.2.3.4, that should be echos end replies.
BUT
If I make a ping from machine, which is in vlan25 in subnet 192.168.10.0/24 to 10.10.10.1, ping is not working and the only thing I can see is:
on external interface fxp0 there are:
and on gif interface, there are icmp echo requests from 192.168.10.100 -> 10.10.10.1
I see that this traffic isnt encrypted when leaving external interface so I've added another two rules to setkey.conf
Than I restarted ispec and racoon and now I can see:
On gif interface there are ICMP echo request as before, BUT
on external interface fxp0, there are ESP packets from 4.3.2.1 to 1.2.3.4
it means.. there are my ICMP echo requests in ESP packets.
I cant get ANY answer.
I've phoned to the admin of checkpoint to check logs and he sent me this picture as reason why it is not working:
(http://fefo.valec.net/log-modified.png)
The reason he told me was: "t gets dropped, it looks like its trying to use some weird ipencap protocol:"
I really don't know what I am doing wrong, could somebody explain me maybe what the ipencap protocol is, how could I change the behaviour of my VPN to get it working(maybe not using ipencap).
I really don't know where is the problem.
Any idea, suggestions ? whatever. I have to fix it ASAP.
Thanks in advance,
Martin Baumann
I can't really figure out why my IPSEC tunnel is not working.
On the picture you can see configuration of external and interal interfaces on checkpoint and FreeBSD.
(http://fefo.valec.net/Diagram1.svg)
I do the procedures from manual pages:
http://www.freebsd.org/doc/en/articles/checkpoint/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
gif from FreeBSD router:
Code:
#ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 4.3.2.1 --> 1.2.3.4
inet 192.168.10.199 --> 10.10.10.1 netmask 0xffffffff
options=1<ACCEPT_REV_ETHIP_VER>setkey.conf from FreeBSD router:
Code:
flush;
spdflush;
spdadd 192.168.10.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.10.10.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 4.3.2.1/32 10.10.10.0/24 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.10.10.0/24 4.3.2.1/32 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;racoon.conf from FreeBSD router:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug2;
padding{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen{
isakmp 4.3.2.1 [500];
isakmp 192.168.10.199 [500];
}
timer{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}
remote 1.2.3.4 [500] {
exchange_mode main,aggressive; # For Firewall-1 Aggressive mode
my_identifier address 4.3.2.1;
peers_identifier address 1.2.3.4;
nonce_size 16;
lifetime time 10 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm aes256;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
lifetime time 10 min;
encryption_algorithm aes128;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}I've added route for 10.10.10.0/24 network:
Code:
10.10.10.0/24 10.10.10.1 UGS 0 1392 gif0
10.10.10.1 link#14 UH 0 8156 gif0When I make a simple ping I see that IPSEC is working correctly, cause there is Ipsec-SA established: ESP/Tunnel .....
If I make ping from FreeBSD router ping -S 192.168.10.199 10.10.10.1
I can see in tcpdump on gif0 interface only ICMP echo replies.
On external interface fxp0 I see ESP from 1.2.3.4 and also to 1.2.3.4, that should be echos end replies.
BUT
If I make a ping from machine, which is in vlan25 in subnet 192.168.10.0/24 to 10.10.10.1, ping is not working and the only thing I can see is:
on external interface fxp0 there are:
Code:
17:21:11.117361 IP (tos 0x0, ttl 30, id 12989, offset 0, flags [none], proto IPIP (4), length 104)
4.3.2.1 > 1.2.3.4: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.10.100 > 10.10.10.1: ICMP echo request, id 45348, seq 151, length 64and on gif interface, there are icmp echo requests from 192.168.10.100 -> 10.10.10.1
I see that this traffic isnt encrypted when leaving external interface so I've added another two rules to setkey.conf
Code:
spdadd 4.3.2.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 1.2.3.4/32 4.3.2.1/32 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;Than I restarted ispec and racoon and now I can see:
On gif interface there are ICMP echo request as before, BUT
on external interface fxp0, there are ESP packets from 4.3.2.1 to 1.2.3.4
it means.. there are my ICMP echo requests in ESP packets.
I cant get ANY answer.
I've phoned to the admin of checkpoint to check logs and he sent me this picture as reason why it is not working:
(http://fefo.valec.net/log-modified.png)
The reason he told me was: "t gets dropped, it looks like its trying to use some weird ipencap protocol:"
I really don't know what I am doing wrong, could somebody explain me maybe what the ipencap protocol is, how could I change the behaviour of my VPN to get it working(maybe not using ipencap).
I really don't know where is the problem.
Any idea, suggestions ? whatever. I have to fix it ASAP.
Thanks in advance,
Martin Baumann