Strange Tunnel Behavior

[mlager]

I am working to connect two networks together using an IPSEC tunnel. The first testing steps I'm taking is to get the GIF interfaces setup and ensure connectivity is in place for the tunnel before I dive into the IPSEC part. Both endpoints are running FreeBSD 8.2-RELEASE. Here is what I've setup on each end:

Endpoint 1:

gifconfig_gif1="y.y.y.y z.z.z.z"
ifconfig_gif1="inet 172.16.1.1 172.16.2.1 netmask 255.255.255.0"
static_routes="tslbell"
route_tslbell="-net 172.16.2.0/24 172.16.2.1"

Endpoint 2:

gifconfig_gif1="z.z.z.z y.y.y.y"
ifconfig_gif1="inet 172.16.2.1 172.16.1.1 netmask 255.255.255.0"
static_routes="belltsl"
route_belltsl="-net 172.16.1.0/24 172.16.1.1"

Here is what's strange to me... If I attempt to ping Endpoint 2 from Endpoint 1, it times out, that is until I go to Endpoint 2 and ping Endpoint 1. Once that is done, connectivity works properly on both ends. After about a minute or so, they go dead again until I repeat the steps I just described.

Both endpoints utilize PF, and I've configured the following rule, I'm not sure if this could be a potential firewall issue.

pass quick on gif1 all

Here is the output of ifconfig gif1 from each endpoint, with public addresses being masked:

Endpoint 1:

gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet y.y.y.y --> z.z.z.z
        inet6 fe80::222:3fff:fef1:ee91%gif1 prefixlen 64 scopeid 0xc
        inet 172.16.1.1 --> 172.16.2.1 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        options=1<ACCEPT_REV_ETHIP_VER>

Endpoint 2:

gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet z.z.z.z --> y.y.y.y
        inet6 fe80::2b0:d0ff:fefe:30b1%gif1 prefixlen 64 scopeid 0x9
        inet 172.16.2.1 --> 172.16.1.1 netmask 0xffffff00
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        options=1<ACCEPT_REV_ETHIP_VER>

Has anyone experienced anything like this? Before I go through the more complex process of setting up the IPSEC portion, I need to make sure connectivity is working properly at this stage. Thanks for any advice anyone can provide me.

 

[SirDice]

Your routes don't look correct to me. How is a host able to reach 172.16.1.0/24 if the gateway is in that network segment?

This looks much better:

route_tslbell="-net 172.16.2.0/24 172.16.1.1"

route_belltsl="-net 172.16.1.0/24 172.16.2.1"

You could probably also use:

route_tslbell="-net 172.16.2.0/24 -interface gif1"

 

[mlager]

My setup is based on the FreeBSD handbook article:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

Once the networks are capable of pinging eachother, I can access all of Endpoint 2's network from Endpoint 1 and vice versa.

I'm leaning towards this being a PF issue.

 

[SirDice]

I'm leaning towards this being a PF issue.

Possible, what happens when you turn it off or disable it?

 

[mlager]

I just tested that and it seems to be working once I issue a pfctl -d on both sides. I feel like it's some sort of state issue, but I can't tell. I tried modifying my PF rule to say the following but it didn't have any effect, but surely I'm not creating the correct rules for this tunnel.

pass quick on gif1 all keep state

 

[mlager]

I added the following rules based on the handbook's say so and it appears to be functioning so far. I'm going to give it some time and then I'll report back.

pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif1 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif1 from any to any

 

[mlager]

Adding those PF rules seemed to correct the issue.