I need to establish an IPsec site-to-site connection between two offices as shown below:
LAN1 (192.168.1.0/24)
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP(X.X.X.X)
|
|
internet
|
|
ZyXEL ZyWALL USG50 (192.168.10.1) + NAT over PPTP (Y.Y.Y.Y)
|
LAN2 (192.168.10.0/24)
The VPN connection has been established. All traffic between the two VPN gateways with global addresses X.X.X.X and Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this traffic as packets with ESP headers in my sniffer. Then I added static routes to each LAN. But when I ping the ZyXEL private address from my computer (192.168.1.102), I see the following output in tcpdump on the FreeBSD gateway:
Code:
19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y: IP 192.168.1.102 > 192.168.10.1: ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)
The traffic hasn't been encrypted, and there is one stage of encapsulation instead of two (I can see the type of packet)! IP packets ignore the security policies for the SA:
Code:
192.168.10.0/24[any] 192.168.1.0/24[any] any
in ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
spid=6 seq=1 pid=23533
refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
spid=5 seq=0 pid=23533
refcnt=1
Please help me to solve this problem. Since an IPsec SA is a one-way logical connection, the ZyXEL configuration can be omitted. As I understand it, the traffic from client machines, at least in the direction LAN1->LAN2, should look like this:
Code:
21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66), length 116
Output of commands and configs:
Code:
[19]root@beta:/home/NutipA# cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
# To the second office network
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/use;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/use;
Code:
[19]root@beta:/home/NutipA# cat /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listening on
{
isakmp X.X.X.X [500];
isakmp_natt X.X.X.X [4500];
}
remote Y.Y.Y.Y [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address X.X.X.X;
peers_identifier address Y.Y.Y.Y;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 192.168.1.0/24 any address 192.168.10.0/24 any) # address $network/$netmask $type address $network/$netmas
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm 3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
Code:
[18]root@beta:/home/NutipA# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 00:17:31:55:a6:07
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
<output omitted>
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1400
options=80000<LINKSTATE>
inet X.X.X.X --> 81.25.33.1 netmask 0xffffffff
Opened by PID 32338
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet X.X.X.X --> Y.Y.Y.Y
inet 192.168.1.2 --> 192.168.10.1 netmask 0xffffff00
options=1<ACCEPT_REV_ETHIP_VER>
Code:
[19]root@beta:/home/NutipA# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default Z.Z.Z.Z UGS 0 74261 tun0
<output omitted>
192.168.1.0/24 link#1 U 2 1097106 em0
192.168.1.2 link#1 UHS 0 0 lo0
192.168.10.0/24 192.168.10.1 UGS 0 549 gif0
192.168.10.1 link#8 UH 0 4230 gif0
Code:
[18]root@beta:/home/NutipA# cat /etc/rc.conf
zfs_enable="YES"
hostname="beta"
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0 -rxcsum -txcsum -tso"
sshd_enable="YES"
ifconfig_vr0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
firewall_type="/etc/firewall"
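The post's tcpdump line shows an IP-in-IP packet from X.X.X.X to Y.Y.Y.Y leaving in the clear, which is what gif0 emits, while the SPD only carries selectors for 192.168.1.0/24 <-> 192.168.10.0/24. Two documented facts about setkey(8) policies matter here: a packet that matches no policy is sent unprotected, and a policy at level `use` is also sent unprotected when no SA exists for it (only `require` drops the packet). The following is an added example, not code from the original post or from FreeBSD: a small Python model of that outbound decision, exercised with the posted policies and with the FreeBSD Handbook's gif(4) recipe (a transport-mode `ipencap` policy between the gateway addresses at level `require`). The RFC 5737 addresses 192.0.2.1 and 198.51.100.1 stand in for X.X.X.X and Y.Y.Y.Y (an assumption), the packets are constructed, and the model does not claim to reproduce the exact order in which the kernel consults the route and the SPD, only the policy semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the post's public addresses (assumption: RFC 5737
# documentation ranges, not the real gateways).
X_GW = "192.0.2.1"       # stands in for X.X.X.X (FreeBSD side)
Y_GW = "198.51.100.1"    # stands in for Y.Y.Y.Y (ZyWALL side)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # upper-layer protocol name: "icmp", "ipencap" (IP-in-IP, proto 4), ...


@dataclass(frozen=True)
class Policy:
    src: str             # selector: address or CIDR, as in setkey's src_range
    dst: str
    proto: str           # "any" or a protocol name (setkey's upperspec)
    direction: str       # "in" | "out"
    mode: str            # "tunnel" | "transport"
    level: str           # "use" | "require" (setkey(8) policy levels)
    tunnel: Optional[Tuple[str, str]] = None   # outer endpoints for tunnel mode

    def selects(self, pkt: Packet, direction: str) -> bool:
        """True when this policy's selectors cover pkt in the given direction."""
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in ("any", pkt.proto))

    def setkey_line(self) -> str:
        """Render the policy in setkey.conf syntax."""
        endpoints = "-".join(self.tunnel) if self.mode == "tunnel" else ""
        return (f"spdadd {self.src} {self.dst} {self.proto} -P {self.direction} "
                f"ipsec esp/{self.mode}/{endpoints}/{self.level};")


def spd_lookup(spd: List[Policy], pkt: Packet, direction: str) -> Optional[Policy]:
    """First policy whose selectors match, or None (no policy: the packet passes in clear)."""
    for pol in spd:
        if pol.selects(pkt, direction):
            return pol
    return None


def outbound_action(spd: List[Policy], pkt: Packet, sa_available: bool) -> str:
    """Outbound decision per setkey(8) policy levels:
    'clear' - sent unprotected: no matching policy, or level 'use' with no SA
    'esp'   - matching policy and a usable SA: the packet is ESP-protected
    'drop'  - level 'require' but no SA: the kernel discards the packet"""
    pol = spd_lookup(spd, pkt, "out")
    if pol is None:
        return "clear"
    if sa_available:
        return "esp"
    return "clear" if pol.level == "use" else "drop"


# The two policies as the post's setkey.conf and setkey -DP output show them.
posted_spd = [
    Policy("192.168.1.0/24", "192.168.10.0/24", "any", "out", "tunnel", "use", (X_GW, Y_GW)),
    Policy("192.168.10.0/24", "192.168.1.0/24", "any", "in", "tunnel", "use", (Y_GW, X_GW)),
]

# Handbook-style policies for a gif(4) tunnel: protect the IP-in-IP traffic
# between the gateway addresses in transport mode, and insist on an SA.
gif_spd = [
    Policy(X_GW, Y_GW, "ipencap", "out", "transport", "require"),
    Policy(Y_GW, X_GW, "ipencap", "in", "transport", "require"),
]

# Constructed packets: the ping as the client sent it, and the same ping after
# gif0 wrapped it (what the post's 'ipip-proto-4' tcpdump line shows).
inner_ping = Packet("192.168.1.102", "192.168.10.1", "icmp")
gif_wrapped = Packet(X_GW, Y_GW, "ipencap")


def walkthrough() -> dict:
    """Each case is a (SPD, packet, SA state) combination and the resulting action."""
    return {
        "posted SPD, client ping, SA present": outbound_action(posted_spd, inner_ping, True),
        "posted SPD, client ping, no SA (level use)": outbound_action(posted_spd, inner_ping, False),
        "posted SPD, gif-wrapped packet": outbound_action(posted_spd, gif_wrapped, True),
        "gif SPD, gif-wrapped packet, no SA (level require)": outbound_action(gif_spd, gif_wrapped, False),
        "gif SPD, gif-wrapped packet, SA present": outbound_action(gif_spd, gif_wrapped, True),
    }


if __name__ == "__main__":
    for case, action in walkthrough().items():
        print(f"{case:55s} -> {action}")
    print()
    for pol in gif_spd:
        print(pol.setkey_line())
```

The walkthrough shows the two ways cleartext can appear on tun0 with the posted configuration: the LAN-to-LAN selectors never cover the gif-wrapped X.X.X.X > Y.Y.Y.Y packet, and even the inner ping goes out unprotected when the `use`-level policy finds no SA. On the gateway, `setkey -D` shows whether a phase-2 SA actually exists alongside the `setkey -DP` policies, and `tcpdump -ni tun0 'ip proto 4'` catches any IP-in-IP packet leaving unencrypted; switching the policies to `require` turns that silent fallback into a drop, which is the safer failure mode for a site-to-site link.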