Hello everyone,
I am having what I believe is a routing issue when trying to route traffic across an IPsec tunnel. The system is running FreeBSD 9.1-STABLE, PF firewall and ipsec-tools-0.8.0_3. The tunnel in question is to a vendor that is running a Palo Alto device and I do not have any control of their end of the tunnel. The purpose of the tunnel is to reach a number of web servers on their private network. The particulars are as follows:
- Vendor Private Net - 172.16.1.0/24
- Our Private Net - 10.29.161.0/24
- Vendor requires us to NAT all traffic to a single IP - 10.29.161.254
I am able to establish the VPN tunnel; both phase 1 and phase 2 complete without errors and the vendor sees the tunnel up on their end. I am able to pass traffic on port 80 from the firewall to their web servers, but I am not able to reach their web servers from any of the computers on our network.
Relevant sysctl knobs:
Code:
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet.ipsec.filtertunnel: 1
setkey.conf:
Code:
flush;
spdflush;
spdadd 10.29.161.254/32 172.16.1.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 172.16.1.0/24 10.29.161.235/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
racoon.conf:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
listen
{
isakmp 1.1.1.1 [500];
}
remote 2.2.2.2 [500]
{
exchange_mode main;
my_identifier address 1.1.1.1;
peers_identifier address 2.2.2.2;
passive off;
initial_contact on;
proposal_check obey;
support_proxy on;
nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 24 hour;
}
}
sainfo (address 10.29.161.254/32 any address 172.16.1.0/24 any)
{
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
gif0 interface:
Code:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 1.1.1.1 --> 2.2.2.2
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>
netstat -rn:
Code:
Routing tables
Internet:
Destination        Gateway            Flags    Refs       Use  Netif Expire
default            1.1.1.1            UGS       256  78569709   bce0
10.29.161.0/24     link#2             U           1    153006   bce1
10.29.161.1        link#2             UHS         0     20020    lo0
10.29.161.254      link#16            UHS         0         0    lo0
10.29.161.254/32   link#16            UHS         0         1    lo0
10.29.162.2        link#17            UHS         0   2084720    lo0 =>
10.29.162.2/32     link#17            U           0         0   tap1
1.1.1.1/30         link#1             U           0         3   bce0
1.1.1.1            link#1             UHS         0         0    lo0
172.16.1.0/24      10.29.161.254      US          0         0   bce2
63.93.193.0/24     10.29.161.185      UGS         0         0   bce2
63.124.67.0/24     10.29.161.185      UGS         0         0   bce2
127.0.0.1          link#11            UH          0      1265    lo0
pf.conf (abbreviated):
Code:
ExtIf="bce0"
IntIf="bce1"
TunIf="gif0"
set skip on { lo0, gif0 }
nat on $ExtIf from $IntIf:network to any -> $ExtIf
nat on $IntIf from $IntIf:network to 172.16.1.0/24 -> 10.29.161.254
pass in log on $IntIf inet proto tcp
pass in log on $IntIf inet proto { udp, icmp }
Something that I have discovered which is interesting: I am not able to pass traffic on gif0 unless it is skipped in pf.conf as shown above.
To sum up, no traffic on the 10.29.161.0/24 network can reach the web servers across the VPN tunnel on the 172.16.1.0/24 network. The firewall on the other hand can reach the web servers across the tunnel. I am at a loss and am not sure what to try next. Any assistance is greatly appreciated.
Thanks.
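Added example, not part of the original post and not code from ipsec-tools or FreeBSD: a small Python script that parses the spdadd lines from the setkey.conf above and runs two checks a practitioner would want before digging into routing. First, whether every policy has a mirror in the opposite direction (selectors swapped and, for tunnel mode, endpoints swapped), which is what the two halves of one tunnel-mode SA pair look like. Second, which policy, if any, a given packet would hit: a packet already carrying the NAT address 10.29.161.254 as its source, an untranslated LAN source, and the decapsulated reply coming back. The sample input is the setkey.conf from the post; the function names and the regular expression (which only recognises the spdadd form used in the post) are my own assumptions.

```python
import ipaddress
import re

# The setkey.conf from the post, used here as sample input.
SETKEY_CONF = """\
flush;
spdflush;
spdadd 10.29.161.254/32 172.16.1.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 172.16.1.0/24 10.29.161.235/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
"""

# Assumption: only the "spdadd SRC DST UPPER -P DIR ipsec esp|ah/tunnel|transport/LOCAL-REMOTE/LEVEL;"
# form used in the post is recognised; setkey accepts other variants that this regex ignores.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<lep>[\d.]+)-(?P<rep>[\d.]+)/(?P<level>\w+)\s*;"
)


def parse_spd(text):
    """Return one dict per spdadd line; flush/spdflush and anything else are ignored."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["src"] = ipaddress.ip_network(p["src"], strict=False)
        p["dst"] = ipaddress.ip_network(p["dst"], strict=False)
        policies.append(p)
    return policies


def lookup(policies, direction, src, dst):
    """First policy of the given direction whose selectors contain src and dst, or None.

    This mimics an SPD selector match on the addresses the packet carries at
    lookup time; it does not model what pf may have rewritten before or after."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


def mirror_problems(policies):
    """List policies that have no counterpart in the other direction.

    A counterpart has src/dst swapped and, for the tunnel endpoints, local and
    remote swapped. Missing mirrors are reported as strings, one per policy."""
    problems = []
    for p in policies:
        want_dir = "in" if p["dir"] == "out" else "out"
        found = any(
            q["dir"] == want_dir
            and q["src"] == p["dst"]
            and q["dst"] == p["src"]
            and q["lep"] == p["rep"]
            and q["rep"] == p["lep"]
            for q in policies
        )
        if not found:
            problems.append(
                "no %s policy mirrors %s policy %s -> %s"
                % (want_dir, p["dir"], p["src"], p["dst"])
            )
    return problems


if __name__ == "__main__":
    pols = parse_spd(SETKEY_CONF)
    for msg in mirror_problems(pols):
        print("WARNING:", msg)
    # A packet that already carries the NAT address as its source.
    print("NATed packet matches out policy:", lookup(pols, "out", "10.29.161.254", "172.16.1.10") is not None)
    # A LAN host's packet with its original source address.
    print("untranslated LAN packet matches:  ", lookup(pols, "out", "10.29.161.50", "172.16.1.10") is not None)
    # The decapsulated reply addressed to the NAT address.
    print("reply to NAT address matches in:  ", lookup(pols, "in", "172.16.1.10", "10.29.161.254") is not None)
```

The lookup for the untranslated LAN source is the interesting one: whether a LAN host's packet ever lands in the 10.29.161.254/32 selector depends entirely on which source address the packet carries at the moment the kernel does the SPD lookup, so it is worth confirming with tcpdump on the tunnel side which address actually leaves the box, rather than assuming the pf nat rule has run first.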