Subject: ipsec/ipf/routing confusion
To: None <firstname.lastname@example.org>
From: Joe Bamberg <email@example.com>
Date: 11/06/2000 12:55:50
Here is my setup
home net (192.168.2.0/24)
192.168.2.253 interface ep0
home router--------------------192.168.3.1 interface lo1
a.b.c.d interface ep1
(big bad internet)
work net (10.2.0.0/16)
I'm trying to set up tunnel mode IPsec between 192.168.2.0/24
and 10.2.0.0/16. The home router is a NetBSD-1.5_BETA box,
and the work router is a Cisco (IOS 12.something).
IKE seems to work just fine (I'm using isakmpd-001006 on the
netbsd side). I negotiate an SA successfully and isakmpd installs
what looks like good SPD and SAD entries (although, all the
SPD entries are direction "out" - I guess this just means that
I initiated them?).
My default route on the home router is my ISP's router. Since
I don't want to route packets destined to the 10.2 network
through this, I've created an extra loopback interface (lo1) with
address 192.168.3.1 and route add -net 10.2 through that. This
also helps for logging.
When I ping a host on the work net from a host on the home net
(after IKE has established SAs), I see the ICMP packets inbound
on lo1 (using ipmon), ESP packets a.b.c.d -> e.f.g.h and ESP
packets coming back e.f.g.h -> a.b.c.d on ep1 (using tcpdump -niep1).
Then, I see the decrypted ICMP replies coming in on ep1 (using
ipmon) 10.2.x.y -> 192.168.2.z. They get blocked by an ipf rule.
If I pass them instead of blocking them (which seems to be highly
dodgy from a security standpoint), I still don't see them coming
back out to the 192.168.2.0/24 network. I was surprised at this
behaviour, expecting to see the decrypted packets appear initially
outbound on ep0 instead.
I'm feel that I'm so close to getting this to work but I must
be missing one vital piece of the puzzle and would appreciate
any help. I have realized that I just don't understand the
interaction between routing and IPsec in the kernel.