IPSec tunneling problem
- From: Toomas Aas <toomas.aas@xxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 15:40:04 +0300
Hello!
We have a central office which is separated from the Internet with firewall running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the central office from another small branch office, using FreeBSD 6.2 with it's integrated IPSec and ipsec-tools. The tunneling is generally working, both internal networks can see each other, but I'm having some problems with traffic originating from the FreeBSD firewall itself.
The central office has internal network 192.168.1.0/24 and firewall's external IP is, let's say, A.B.C.D. The branch office has internal network 192.168.5.0/24 and firewall's external IP is W.X.Y.Z.
The policies in /etc/ipsec.conf are as follows.
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being correctly tunnelled, i.e. when I watch the traffic on firewall's external interface with tcpdump, I can see only ESP traffic between A.B.C.D and W.X.Y.Z, and the internal IPs don't appear anywhere.
I can even successfully initiate *some* tunnelled traffic from the firewall machine itself, for example
ping -S 192.168.5.1 192.168.1.3
works correctly, as does
telnet -s 192.168.5.1 192.168.1.3 53
However, the main reason why I want to have internal traffic originating from the firewall host itself is that I'd like to run an internal DNS server with slave zones for my internal network (*.in-addr.arpa) so all the DNS traffic wouldn't go through the VPN. The master for these zones is 192.168.1.3. I've configured named.conf with following
options
{
...
listen-on { 127.0.0.1; 192.168.5.1; };
query source address 192.168.5.1;
forwarders {
192.168.1.3;
};
...
};
...
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
masters { 192.168.1.3; };
};
...
However, when I start named and watch the traffic on firewall's external interface with tcpdump, I can see actual packets between 192.168.5.1 and 192.168.1.3.
What is the difference between this DNS traffic and things like telnet -s, which causes the DNS traffic to not be tunneled?
--
Toomas Aas
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Prev by Date: Re: NFS write() calls lead to read() calls?
- Next by Date: Merging rc.d/network_ipv6 into rc.d/netif
- Previous by thread: NFS write() calls lead to read() calls?
- Next by thread: Merging rc.d/network_ipv6 into rc.d/netif
- Index(es):
Relevant Pages
|
|
