tech-security archive


IPSEC not routing back packets on NetBSD 6.0_BETA2



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I used to have a working IPSEC tunnel using base's racoon between my home
gateway and another server. This setup was working on NetBSD 5.1_STABLE,
and since I've migrated my gateway to NetBSD 6.0 this morning, it seems
there's some kind of routing problem.

The tunnel seems to be OK, as the logs show.

On my gateway:

Jun 10 12:34:43 exar racoon: INFO: begin Identity Protection mode.
Jun 10 12:34:43 exar racoon: INFO: received Vendor ID: DPD
Jun 10 12:34:43 exar racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:4589f12564960cc8:bf2c30c693c93570
Jun 10 12:34:44 exar racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Jun 10 12:34:44 exar racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=226782882(0xd846ea2)
Jun 10 12:34:44 exar racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=67783732(0x40a4c34)

On the remote server:

Jun 10 12:38:43 nadd racoon: INFO: respond new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Jun 10 12:38:43 nadd racoon: INFO: begin Identity Protection mode.
Jun 10 12:38:43 nadd racoon: INFO: received Vendor ID: DPD
Jun 10 12:38:43 nadd racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:d4e4e865e91d28af:fb5504cf9743b41f
Jun 10 12:38:44 nadd racoon: INFO: respond new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Jun 10 12:38:44 nadd racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=240914685(0xe5c10fd)
Jun 10 12:38:44 nadd racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.67.2[500]->88.181.26.63[500] spi=32625877(0x1f1d4d5)

Running tcpdump on the remote server shows that it receives data through the
tunnel:

12:41:05.519110 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0xf), length 120
12:41:06.524207 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x10), length 120
12:41:07.534173 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x11), length 120
12:41:08.534450 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x12), length 120

but my gateway never receives the answer.

The setup is pretty "simple" and strictly the same on my gateway and the remote server, except for the IPs:

path pre_shared_key "/etc/racoon/psk.txt";

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

listen
{
    isakmp 1.1.1.1 [500]; # 2.2.2.2 on the other side
}

remote anonymous
{
    exchange_mode main;
    dpd_delay 20;

    weak_phase1_check on;

    proposal
    {
        lifetime time 15 min;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha256,hmac_sha1;
    compression_algorithm deflate;
}

### EOF

I tried with both 5.1 userland / 6.0 kernel and 6.0 userland / 6.0 kernel.
The behaviour is the same.

Any new sysctl / kernel option I should be aware of?

Thanks,

- -------------------------------------------
Emile "iMil" Heitor .°. <imil%home.imil.net@localhost>                          
     _
                        http://gcu-squad.org        ASCII ribbon campaign ( )
                                                     - against HTML email  X
                                                                 & vCards / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iD8DBQFP1HzJFG3BlGWyzUIRAqgdAJ0aBuK71kFGRJtt8RyIYlyE9MTSyACePSQS
RzkvAjsIpgJqrB/f9AaA1jo=
=rvZ+
-----END PGP SIGNATURE-----
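The diagnosis in the post above is done by eye: read the SPIs racoon logged for the phase-2 SAs, then look for those SPIs in a tcpdump capture. The script below, an added example that is not part of the original post or of racoon, automates that correlation. It parses racoon's "IPsec-SA established" lines and tcpdump's ESP summary lines, matches packets to SAs by (destination, SPI), which is how an SA is identified on the wire, and reports two things a practitioner wants at this point: SAs between the two tunnel endpoints that carried no packets at all (the "never receives the answer" case), and SAs whose endpoints are not the expected peer pair, as is the case for the second SA in the remote server's log above. The remote-side log and capture lines are taken from the post; the gateway-side capture is constructed for the example, since the post shows none.

```python
"""Correlate racoon phase-2 log lines with ESP packets from tcpdump.

Added example, not code from the original post or from racoon.
Sample input: the remote server's log and capture lines are taken from
the post; GATEWAY_CAPTURE is constructed (the post shows no gateway capture).
"""
import re
from collections import defaultdict

# "IPsec-SA established: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=240914685(0xe5c10fd)"
SA_RE = re.compile(
    r"IPsec-SA established: ESP/(?:Tunnel|Transport) "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] "
    r"spi=\d+\(0x(?P<spi_hex>[0-9a-f]+)\)"
)
# "IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0xf), length 120"
ESP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi_hex>[0-9a-f]+),seq=0x[0-9a-f]+\)"
)


def parse_sas(log_lines):
    """Return [(src, dst, spi)] for every 'IPsec-SA established' line."""
    sas = []
    for line in log_lines:
        m = SA_RE.search(line)
        if m:
            sas.append((m["src"], m["dst"], int(m["spi_hex"], 16)))
    return sas


def parse_esp(capture_lines):
    """Return {(dst, spi): packet count} from tcpdump's text output.

    An ESP SA is identified by destination address plus SPI, so that is
    the key; the source address is not needed to attribute a packet.
    """
    counts = defaultdict(int)
    for line in capture_lines:
        m = ESP_RE.search(line)
        if m:
            counts[(m["dst"], int(m["spi_hex"], 16))] += 1
    return dict(counts)


def check_tunnel(log_lines, capture_lines, local, peer):
    """Match logged SAs against captured ESP packets.

    Returns {'counts': {(src, dst, spi): n}, 'silent': [...], 'foreign': [...]}
    where 'silent' lists SAs between local and peer with no packets seen and
    'foreign' lists SAs whose endpoints are not the local/peer pair at all.
    """
    seen = parse_esp(capture_lines)
    expected = {(local, peer), (peer, local)}
    counts, silent, foreign = {}, [], []
    for sa in parse_sas(log_lines):
        src, dst, spi = sa
        n = seen.get((dst, spi), 0)
        counts[sa] = n
        if (src, dst) not in expected:
            foreign.append(sa)
        elif n == 0:
            silent.append(sa)
    return {"counts": counts, "silent": silent, "foreign": foreign}


# Remote server (nadd) lines, taken from the post.
REMOTE_LOG = [
    "Jun 10 12:38:44 nadd racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=240914685(0xe5c10fd)",
    "Jun 10 12:38:44 nadd racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.67.2[500]->88.181.26.63[500] spi=32625877(0x1f1d4d5)",
]
REMOTE_CAPTURE = [
    "12:41:05.519110 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0xf), length 120",
    "12:41:06.524207 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x10), length 120",
    "12:41:07.534173 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x11), length 120",
    "12:41:08.534450 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0e5c10fd,seq=0x12), length 120",
]
# Gateway (exar) log lines from the post; the capture is constructed to show
# the reported symptom: only the outbound SA ever carries packets.
GATEWAY_LOG = [
    "Jun 10 12:34:44 exar racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=226782882(0xd846ea2)",
    "Jun 10 12:34:44 exar racoon: INFO: IPsec-SA established: ESP/Tunnel 1.1.1.1[500]->2.2.2.2[500] spi=67783732(0x40a4c34)",
]
GATEWAY_CAPTURE = [  # constructed
    "12:34:50.000001 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0d846ea2,seq=0x1), length 120",
    "12:34:51.000002 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0d846ea2,seq=0x2), length 120",
    "12:34:52.000003 IP 1.1.1.1 > 2.2.2.2: ESP(spi=0x0d846ea2,seq=0x3), length 120",
]


def report(title, result):
    print(title)
    for (src, dst, spi), n in result["counts"].items():
        print(f"  {src}->{dst} spi=0x{spi:08x}: {n} packet(s)")
    for sa in result["silent"]:
        print(f"  SILENT: no ESP seen for spi=0x{sa[2]:08x}")
    for sa in result["foreign"]:
        print(f"  FOREIGN endpoints: {sa[0]}->{sa[1]} spi=0x{sa[2]:08x}")


if __name__ == "__main__":
    report("remote server", check_tunnel(REMOTE_LOG, REMOTE_CAPTURE, "2.2.2.2", "1.1.1.1"))
    report("gateway", check_tunnel(GATEWAY_LOG, GATEWAY_CAPTURE, "1.1.1.1", "2.2.2.2"))
```

On a live host the same correlation can be run against the kernel's SAD as dumped by `setkey -D` rather than racoon's log, which also catches the case where racoon logged an SA that the kernel never installed; the SPD (`setkey -DP`) is where to look next when an SA exists and has traffic but packets are still not being routed back.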

