Hello!
I'm trying to set up an IPsec VPN on a FreeBSD router that already has the PF firewall enabled.
Everything seems to work and hosts are reachable on both networks, BUT data transfer fails after about 128 KB.
Disabling PF (/etc/rc.d/pf stop) solved the problem.
But IMHO it is not a good idea to leave an Internet-facing router without a firewall enabled. A bit later I found that disabling PF only on the tunnel interface (set skip on the gif interface) also solved the problem. Even a completely permissive PF configuration breaks normal VPN operation.
My current /etc/pf.conf
When I comment out "set skip on MskPP", the problem returns. With this option (set skip on MskPP) in place, IPsec works fine.
Is it possible to use PF with IPsec? Why does a fully permissive PF ruleset disturb IPsec?
Other configurations:
/etc/ipsec.conf
/usr/local/etc/racoon/racoon.conf
I'm trying to set up an IPsec VPN on a FreeBSD router that already has the PF firewall enabled.
Everything seems to work and hosts are reachable on both networks, BUT data transfer fails after about 128 KB.
Code:
[dkazarov@gw-tw ~]$ scp 2 192.168.5.5:/dev/null
2 7% 128KB 128.0KB/s 00:13 ETA
Write failed: Operation not permitted
lost connection
Disabling PF (/etc/rc.d/pf stop) solved the problem.
Code:
[dkazarov@gw-tw ~]$ /etc/rc.d/pf stop
Disabling pf.
[dkazarov@gw-tw ~]$ scp 2 192.168.5.5:/dev/null
2 100% 1827KB 65.3KB/s 00:28
[dkazarov@gw-tw ~]$
My current /etc/pf.conf
Code:
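#============================> Macros <============================#
if_inet = "em0"
if_lan_Office = "em1"
pubIP = "aa.aa.aa.130"
# Office LAN behind em1. It is referenced by the nat rule below but was not
# defined anywhere in the posted file; pfctl refuses to load a ruleset that
# uses an undefined macro, so the file as posted would fail to load and the
# previously loaded ruleset would stay active. The value is derived from
# em1's address (192.168.150.5/24) -- adjust if the office network differs.
LAN_network = "192.168.150.0/24"
#============================> Tables <============================#
#============================> Options <============================#
# Drop blocked packets silently instead of answering with RST/ICMP unreachable.
set block-policy drop
set skip on lo0
# Do not filter on the IPsec gif tunnel interface: with filtering enabled
# there, transfers through the tunnel stall after ~128 KB (see the scp
# transcript). Packets to and from the remote networks are therefore only
# filtered where they cross the physical interfaces ($if_inet, $if_lan_Office),
# so any rules meant to restrict tunnel traffic must be written on those.
set skip on MskPP
#============================> Traffic Normalization <============================#
#scrub in on $if_inet all fragment reassemble
#============================> Queueing <============================#
#============================> Translation <============================#
# Masquerade the office LAN behind the public address. Tunnel traffic is not
# affected: it leaves $if_inet as ipencap/ESP sourced from $pubIP itself
# (see the 'tunnel inet' line of the MskPP interface), not from $LAN_network.
nat on $if_inet from $LAN_network to any -> $pubIP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Send LAN clients' FTP control connections through ftp-proxy on localhost.
rdr pass on $if_lan_Office proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# We are just setting up the office and everything is allowed for now.
# NOTE: 'quick' ends rule evaluation at the first match, so every rule after
# this line is unreachable while it stays in -- the router passes all inbound
# Internet traffic. Remove it once the office is set up so that
# 'block in log all' below takes effect.
pass quick all
# Allow any packet to go out.
pass out all
# Default deny for inbound traffic; only reached once 'pass quick all' is removed.
block in log all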
When I comment out "set skip on MskPP", the problem returns. With this option (set skip on MskPP) in place, IPsec works fine.
Is it possible to use PF with IPsec? Why does a fully permissive PF ruleset disturb IPsec?
Other configurations:
ifconfig
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:3c:a5:d0
inet aa.aa.aa.130 netmask 0xffffffe0 broadcast aa.aa.aa.159
inet6 fe80::225:90ff:fe3c:a5d0%em0 prefixlen 64 scopeid 0x2
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:3c:a5:d1
inet 192.168.150.5 netmask 0xffffff00 broadcast 192.168.150.255
inet6 fe80::225:90ff:fe3c:a5d1%em1 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
MskPP: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet aa.aa.aa.130 --> bb.bb.bb.123
inet6 fe80::225:90ff:fe3c:a5d0%MskPP prefixlen 64 tentative scopeid 0x6
inet 192.168.150.5 --> 192.168.5.5 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>
Code:
[root@gw-tw ~]# netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default aa.aa.aa.129 UGS 1 45204 em0
aa.aa.aa.128/27 link#2 U 0 54 em0
aa.aa.aa.130 link#2 UHS 0 0 lo0
127.0.0.1 link#5 UH 0 390 lo0
192.168.4.0/23 MskPP US 0 11960 MskPP
192.168.5.5 link#6 UH 0 8084 MskPP
192.168.50.0/24 MskPP US 0 114 MskPP
192.168.150.0/24 link#3 U 0 935 em1
192.168.150.5 link#3 UHS 1 0 lo0
/etc/ipsec.conf
Code:
# Clear the security association database and the security policy database
# before loading, so entries left over from a previous run do not linger.
flush;
spdflush;
#################################################################################################################
# Main office
######################
# Require tunnel-mode ESP between the two public endpoints for the IP-in-IP
# (ipencap) packets produced by the MskPP gif interface, in both directions;
# 'unique' binds each policy to its own SA. Because the level is not 'use',
# ipencap traffic between these addresses that arrives without ESP protection
# should be discarded by the kernel rather than accepted in the clear.
spdadd bb.bb.bb.123 aa.aa.aa.130 ipencap -P in ipsec esp/tunnel/bb.bb.bb.123-aa.aa.aa.130/unique;
spdadd aa.aa.aa.130 bb.bb.bb.123 ipencap -P out ipsec esp/tunnel/aa.aa.aa.130-bb.bb.bb.123/unique;
#################################################################################################################
/usr/local/etc/racoon/racoon.conf
Code:
# Search path for included files and location of the pre-shared-key database.
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# ISAKMP payload padding behaviour (lenient settings, no strict checking).
padding {
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
# Accept IKE only on the public address, UDP/500; strict_address requires
# that this address can actually be bound.
listen {
isakmp aa.aa.aa.130 [500];
strict_address;
}
# Retransmission and negotiation timeouts.
timer {
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
# Phase 2 (IPsec SA) parameters, applied to any selector pair ('anonymous').
# NOTE(review): 'lifetime time 30 sec' makes the ESP SA rekey every 30 seconds,
# which is unusually short -- confirm it is intentional. 3DES and HMAC-MD5 are
# legacy algorithms; prefer AES and an HMAC-SHA variant if the main-office
# peer supports them.
sainfo anonymous {
pfs_group 2;
lifetime time 30 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
# Phase 1 (IKE SA) settings for the main-office gateway.
remote bb.bb.bb.123 {
# Listing aggressive mode as acceptable together with a pre-shared key exposes
# a PSK-derived hash to anyone who can observe the exchange, enabling offline
# guessing of the PSK; use 'main' alone unless the peer requires aggressive mode.
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address aa.aa.aa.130;
nonce_size 16;
# IKE SA lifetime.
lifetime time 12 hour;
initial_contact on;
# When acting as responder, accept the initiator's phase-2 lifetime/PFS values
# as proposed ('obey').
proposal_check obey;
# 3DES is a legacy cipher; keep only if the peer cannot negotiate AES.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}