IPSec between Cisco router and FreeBSD in Azure cloud

M

MixaSg

Hi folks!
I would like to make a tunnel between the Cisco router and the FreeBSD host, but I can’t write the rules in ipsec.txt correctly.
My Cisco router is behind ASA firewall and have PAT rules for ports UDP:500, UDP:4500. I also have another working IPSec VTI tunnels on router.

6904


My router config:

Code: 
crypto keyring MyTo
  pre-shared-key address YYY.YYY.YYY.YYY key Megakey
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 20 periodic
crypto isakmp nat keepalive 20
crypto isakmp profile MyTo
   keyring MyTo
   match identity address YYY.YYY.YYY.YYY 255.255.255.255
   initiate mode aggressive
!
crypto ipsec transform-set MyNet esp-aes 256 esp-sha-hmac
!
!
crypto ipsec profile MyTo
set transform-set MyNet
set pfs group2
set isakmp-profile MyTo
!
!
interface Tunnel10
description --- To ---
ip address 10.255.200.5 255.255.255.252
tunnel source Vlan1
tunnel mode ipsec ipv4
tunnel destination YYY.YYY.YYY.YYY
tunnel protection ipsec profile MyTo
!
ip route 10.229.33.4 255.255.255.255 10.255.200.6

My FreeBSD config (current ipsec.txt content is a cry of despair)

Code: 
/usr/local/etc/racoon/racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/key.txt";
log notify;

listen {
        isakmp 10.229.33.4 [500];
        isakmp_natt 10.229.33.4 [4500];
}

remote XXX.XXX.XXX.XXX {
        exchange_mode aggressive,base,main;
        nat_traversal on;
        my_identifier address 23.100.43.215;
        peers_identifier address 10.255.200.2;
        lifetime time 86400 sec;
        generate_policy on;
        dpd_delay 25;
        proposal_check obey;    # obey, strict, or claim

        proposal {
                encryption_algorithm aes 256;
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group 2;
        }
}

sainfo anonymous
{
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        compression_algorithm deflate;
}

cat /usr/local/etc/racoon/ipsec.conf

spdadd -4 10.229.33.4/32 10.229.33.0/24 any -P out none;
spdadd -4 10.229.33.0/24 10.229.33.4/32 any -P in none;
spdadd -4 10.255.200.6/32 10.255.1.0/24 any -P out ipsec esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/unique;
spdadd -4 10.255.1.0/24 10.255.200.6/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/unique;

IPSec is work fine, but I can't reach anyone except my internal network:

Code: 
vpn#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
YYY.YYY.YYY.YYY   10.255.200.2    QM_IDLE           2081 ACTIVE

vpn#ping 10.229.33.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.33.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/208/208 ms
vpn#ping 10.255.200.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.200.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/208/208 ms

Why all packets from FreeBSD router in to tunnel?

Code: 
[user@srv ~]$ netstat -arnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.229.33.1        UGS         hn0
10.229.33.0/24     link#2             U           hn0
10.229.33.4        link#2             UHS         lo0
10.255.0.0/16      10.255.200.5       UGS        gre0
10.255.200.5       link#3             UH         gre0
10.255.200.6       link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
168.63.129.16/32   10.229.33.1        UGS         hn0
169.254.169.254/32 10.229.33.1        UGS         hn0

Control access list on Cisco side of tunnel:

Code: 
Sep 19 10:48:39: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 114.33.74.20, 1 packet
Sep 19 10:48:41: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 76.164.234.122, 1 packet
Sep 19 10:48:42: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 220.134.214.57, 1 packet
Sep 19 10:48:44: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 118.170.49.247, 1 packet
 
I understand my trouble:
Code: 
[root@srv/usr/local/etc/racoon]# racoonctl show-sa isakmp
Destination            Cookies                           Created
XXX.XXX.XXX.XXX.4500      ca6587371b812659:83f3eef3edad29f9 2019-09-25 14:46:49
[root@srv-west-usa-infra-01 /usr/local/etc/racoon]# racoonctl show-sa ipsec
10.229.33.4[4500] XXX.XXX.XXX.XXX[4500]
        esp-udp mode=tunnel spi=2171799256(0x817306d8) reqid=0(0x00000000)
        E: aes-cbc  c5373df6 2d3afa41 81014be7 eaec1e3a f8b0b999 5780a51e f980511a ba02de06
        A: hmac-sha1  fc6ec11d 616506a0 f5575e79 21965f54 61ba1a91
        seq=0x000000d7 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 41240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 215  hard: 0 soft: 0
        sadb_seq=1 pid=30018 refcnt=1
XXX.XXX.XXX.XXX[4500] 10.229.33.4[4500]
        esp-udp mode=tunnel spi=154626754(0x09376ac2) reqid=0(0x00000000)
        E: aes-cbc  2adde052 f70f3d7c 74407227 f2e292eb 6c3fb441 b9006e00 c6e90b4f b1dc070e
        A: hmac-sha1  ee6a769d 6556ec7f f8c29680 9e1e58fe 8f97aa7d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 17458(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 228  hard: 0 soft: 0
        sadb_seq=0 pid=30018 refcnt=1
[root@srv/usr/local/etc/racoon]# setkey -DP
XXX.XXX.XXX.XXX[any] 10.229.33.4[any] gre
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/unique#16394
        spid=1662 seq=3 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:41 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1665 seq=2 pid=30088 scope=global
        refcnt=2
10.229.33.4[any] XXX.XXX.XXX.XXX[any] gre
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/unique#16393
        spid=1661 seq=1 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:43 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1666 seq=0 pid=30088 scope=global
        refcnt=4
[root@srv/usr/local/etc/racoon]#

Racoon make SA as:
Code: 
0.0.0.0/0[any] 0.0.0.0/0[any] any
, because I use Cisco tunnel and have
Code: 
generate_policy on;
in racoon.conf. And cisco have:

Code: 
vpn#sh crypto ipsec sa
...
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.255.200.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
...

Therefore, all traffic enters the tunnel. Does anyone know how to avoid this?
 
MixaSg said:
I understand my trouble:
Code: 
[root@srv/usr/local/etc/racoon]# racoonctl show-sa isakmp
Destination            Cookies                           Created
XXX.XXX.XXX.XXX.4500      ca6587371b812659:83f3eef3edad29f9 2019-09-25 14:46:49
[root@srv-west-usa-infra-01 /usr/local/etc/racoon]# racoonctl show-sa ipsec
10.229.33.4[4500] XXX.XXX.XXX.XXX[4500]
        esp-udp mode=tunnel spi=2171799256(0x817306d8) reqid=0(0x00000000)
        E: aes-cbc  c5373df6 2d3afa41 81014be7 eaec1e3a f8b0b999 5780a51e f980511a ba02de06
        A: hmac-sha1  fc6ec11d 616506a0 f5575e79 21965f54 61ba1a91
        seq=0x000000d7 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 41240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 215  hard: 0 soft: 0
        sadb_seq=1 pid=30018 refcnt=1
XXX.XXX.XXX.XXX[4500] 10.229.33.4[4500]
        esp-udp mode=tunnel spi=154626754(0x09376ac2) reqid=0(0x00000000)
        E: aes-cbc  2adde052 f70f3d7c 74407227 f2e292eb 6c3fb441 b9006e00 c6e90b4f b1dc070e
        A: hmac-sha1  ee6a769d 6556ec7f f8c29680 9e1e58fe 8f97aa7d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 17458(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 228  hard: 0 soft: 0
        sadb_seq=0 pid=30018 refcnt=1
[root@srv/usr/local/etc/racoon]# setkey -DP
XXX.XXX.XXX.XXX[any] 10.229.33.4[any] gre
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/unique#16394
        spid=1662 seq=3 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:41 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1665 seq=2 pid=30088 scope=global
        refcnt=2
10.229.33.4[any] XXX.XXX.XXX.XXX[any] gre
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/unique#16393
        spid=1661 seq=1 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:43 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1666 seq=0 pid=30088 scope=global
        refcnt=4
[root@srv/usr/local/etc/racoon]#

Racoon make SA as:
Code: 
0.0.0.0/0[any] 0.0.0.0/0[any] any
, because I use Cisco tunnel and have
Code: 
generate_policy on;
in racoon.conf. And cisco have:

Code: 
vpn#sh crypto ipsec sa
...
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.255.200.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
...

Therefore, all traffic enters the tunnel. Does anyone know how to avoid this?
Click to expand...
Have you tried split tunneling with routing policies?
 
You must log in or register to reply here.
Back
Top