Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks

From: Jamie Heckford (jamie_at_tridentmicrosystems.co.uk)
Date: 11/17/03

    To: <freebsd-net@freebsd.org>
    Date: Mon, 17 Nov 2003 15:47:02 -0000
    
    

    Hi,

    Seem to be having a strange problem routing to some of our nets over
    here using setkey and racoon. Setkey adds all of the below lines fine,
    and racoon doesn't complain.

    However, I can only route to the network that I initiate the connection
    to/from first... For example:

    If I ping 192.168.100.254 from 192.168.102.254 then the tunnel is
    established after a couple of seconds and it works fine. I can then ping
    any other 192.168.0.0/16 address as this is what the setkey entry is
    for. If I then try to ping 194.207.93.254 then I get no response in
    either direction.

    However, if I restart racoon and ping 194.207.93.254 first, it works
    fine... But then 192.168.100.254 does not!

    Could anyone shed any light on why this is happening? Do I need to do
    it slightly differently if I am specifying multiple policies with
    setkey?

    Any help would be greatly appreciated... Config file and version info
    below (router at 192.168.102.254 is a Cisco 827 ADSL)

    FreeBSD 4.9-RELEASE #0: Tue Nov 4 14:10:37 GMT 2003

    Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
    Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
    Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)

    #!/bin/sh
    ####################################################################
    # Hub gateway: one gif tunnel per remote site (St Just, Benelux) plus
    # tunnel-mode ESP policies between the outer addresses; racoon
    # negotiates the SAs on demand when traffic first hits a policy.

    LOCAL_NETWORK=194.207.93.0/24
    ALLNET_1=192.168.0.0/16        # all remote sites are inside 192.168/16

    LOCAL_INSIDE=194.207.93.251
    LOCAL_OUTSIDE=81.3.89.53

    STJUST_NETWORK=192.168.106.0/24
    STJUST_INSIDE=192.168.106.254
    STJUST_OUTSIDE=81.17.79.72

    BENELUX_NETWORK=192.168.102.0/24
    BENELUX_INSIDE=192.168.102.254
    BENELUX_OUTSIDE=80.126.6.130

    ####################################################################

    # Start the IKE daemon (it reads its own racoon.conf for peers/PSKs).
    /usr/local/sbin/racoon

    # ST JUST

    # Recreate the tunnel interface from scratch; the destroy fails
    # harmlessly if gif0 does not exist yet (first run after boot).
    /sbin/ifconfig gif0 destroy 2>/dev/null
    /sbin/ifconfig gif0 create
    /sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${STJUST_OUTSIDE}
    /sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${STJUST_INSIDE} netmask 255.255.255.255
    /sbin/route add -net ${STJUST_NETWORK} ${STJUST_INSIDE}

    # BENELUX

    /sbin/ifconfig gif1 destroy 2>/dev/null
    /sbin/ifconfig gif1 create
    /sbin/ifconfig gif1 tunnel ${LOCAL_OUTSIDE} ${BENELUX_OUTSIDE}
    /sbin/ifconfig gif1 inet ${LOCAL_INSIDE} ${BENELUX_INSIDE} netmask 255.255.255.255
    /sbin/route add -net ${BENELUX_NETWORK} ${BENELUX_INSIDE}

    # Policies, one out/in pair per selector: hub LAN <-> each spoke LAN,
    # and 192.168/16 <-> each spoke LAN so any other 192.168.x.x address
    # also reaches the spokes encrypted. Outbound policies name the outer
    # endpoints as local-remote, inbound ones as remote-local.
    /usr/sbin/setkey -c << EOF
    flush;
    spdflush;
    spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
    spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
    spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
    spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
    spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    EOF

    --
    Jamie Heckford
    Network Manager
    Trident Microsystems Ltd.
    t: +44(0)1737-780790
    f: +44(0)1737-771908
    w: http://www.tridentmicrosystems.co.uk/ 
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
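The first thing to establish on a gateway showing this symptom is which of the policies above actually have a usable SA behind them at the moment a ping fails. The script below is an added example written for this page, not code from the post or from the KAME/FreeBSD tools: it parses a `setkey -DP` (SPD) dump and a `setkey -D` (SAD) dump and prints, per tunnel-mode policy, whether a mature ESP SA exists between the same outer endpoints in the same direction. The dump layout it expects is KAME setkey's as I know it (an assumption), and the two dumps embedded in the script are constructed to resemble the state described in the post after one tunnel has come up: both Benelux SAs mature, the St Just outbound SA still larval and the inbound one absent. They are not captured from the poster's gateway.

```shell
#!/bin/sh
# Cross-check kernel IPsec policies (setkey -DP) against negotiated SAs
# (setkey -D).  A tunnel-mode ESP policy carries traffic only once a
# mature SA exists between its outer endpoints in that direction.
# Live use:  setkey -DP >/tmp/spd; setkey -D >/tmp/sad
#            check_spd_vs_sad /tmp/spd /tmp/sad
# Dump formats assumed to be KAME setkey's; samples below are constructed.

# One line per tunnel policy: "dir src dst outer_src outer_dst".
# The sed strips the [port] selectors so $1/$2 are bare prefixes.
spd_tunnels() {
    sed 's/\[[^]]*\]//g' "$1" | awk '
        /^[0-9]/                  { src = $1; dst = $2; next }
        $1 == "in" || $1 == "out" { dir = $1; next }
        /^[ \t]*esp\/tunnel\// {
            split($1, f, "/"); split(f[3], ep, "-")
            print dir, src, dst, ep[1], ep[2]
        }'
}

# One line per ESP tunnel SA: "outer_src outer_dst state".
sad_tunnels() {
    awk '
        /^[0-9]/                 { a = $1; b = $2; next }
        /^[ \t]*esp mode=tunnel/ { hdr = 1; next }
        hdr && /state=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^state=/) { split($i, s, "="); print a, b, s[2] }
            hdr = 0
        }' "$1"
}

# Verdict per policy; exit 1 if any policy has no mature SA
# (none at all, or one still larval / already dying).
check_spd_vs_sad() {
    d=$(mktemp -d) || return 2
    spd_tunnels "$1" > "$d/spd"
    sad_tunnels "$2" > "$d/sad"
    if awk -v sadf="$d/sad" '
        FILENAME == sadf { sa[$1 " " $2] = $3; next }
        {
            key = $4 " " $5
            st  = (key in sa) ? sa[key] : "none"
            v   = (st == "mature") ? "OK" : "MISSING"
            if (v != "OK") bad++
            print v, $1, $2 "->" $3, "via", $4 "-" $5, "sa=" st
        }
        END { if (bad) exit 1 }' "$d/sad" "$d/spd"
    then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

# Number of policies with verdict $1 (OK or MISSING) for dumps $2, $3.
count_status() {
    check_spd_vs_sad "$2" "$3" | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

SAMPLE_DIR=$(mktemp -d)
SPD_SAMPLE=$SAMPLE_DIR/spd
SAD_SAMPLE=$SAMPLE_DIR/sad

# Constructed "setkey -DP": hub <-> Benelux and hub <-> St Just pairs.
cat > "$SPD_SAMPLE" <<'EOF'
194.207.93.0/24[any] 192.168.102.0/24[any] any
        out ipsec
        esp/tunnel/81.3.89.53-80.126.6.130/require
        spid=1 seq=3 pid=301
192.168.102.0/24[any] 194.207.93.0/24[any] any
        in ipsec
        esp/tunnel/80.126.6.130-81.3.89.53/require
        spid=2 seq=2 pid=301
194.207.93.0/24[any] 192.168.106.0/24[any] any
        out ipsec
        esp/tunnel/81.3.89.53-81.17.79.72/require
        spid=3 seq=1 pid=301
192.168.106.0/24[any] 194.207.93.0/24[any] any
        in ipsec
        esp/tunnel/81.17.79.72-81.3.89.53/require
        spid=4 seq=0 pid=301
EOF

# Constructed "setkey -D": Benelux mature both ways, St Just outbound
# still larval (negotiation in progress), St Just inbound absent.
cat > "$SAD_SAMPLE" <<'EOF'
81.3.89.53 80.126.6.130
        esp mode=tunnel spi=16777216(0x01000000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        sadb_seq=2 pid=301 refcnt=2
80.126.6.130 81.3.89.53
        esp mode=tunnel spi=33554432(0x02000000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        sadb_seq=1 pid=301 refcnt=2
81.3.89.53 81.17.79.72
        esp mode=tunnel spi=50331648(0x03000000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=larval
        sadb_seq=0 pid=301 refcnt=1
EOF

check_spd_vs_sad "$SPD_SAMPLE" "$SAD_SAMPLE" || echo "some policies have no mature SA"
```

The check keys on outer endpoints only, because as far as I know that is all a `require`-level policy (as opposed to `unique`) is matched against on the KAME side: any mature SA between the same endpoint pair satisfies every policy that names that pair. What it deliberately cannot tell you is which selectors the far end (here a Cisco 827) negotiated for that SA, which is the other half of the picture when two policies share one endpoint pair but only the first one to trigger negotiation passes traffic.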
    
