FreeBSD
Dmitry Shitskov, 2016-05-26 13:54:17

IPsec tunnel: why does only ICMP get through?

Good afternoon!
There is a FreeBSD box and a Mikrotik with public IPs 1.1.1.1 and 2.2.2.2 respectively, with local subnets 192.168.1.0/24 and 192.168.2.0/24. For testing, the firewall passes everything.
I set up a GRE tunnel between them:
FreeBSD

cloned_interfaces="gre0"
ifconfig_gre0="10.100.200.1 10.100.200.2 netmask 255.255.255.252 tunnel 1.1.1.1 2.2.2.2"
static_routes="gre"
route_gre="192.168.2.0/24 10.100.200.2"   # remote (Mikrotik) subnet via the tunnel peer

Mikrotik
/interface gre print 
 0  R name="gre" mtu=1400 actual-mtu=1400 local-address=2.2.2.2 
      remote-address=1.1.1.1 dscp=inherit clamp-tcp-mss=yes 
      dont-fragment=no allow-fast-path=yes

/ip address print 
 #   ADDRESS            NETWORK         INTERFACE                                                                 
 2   10.100.200.2/30    10.100.200.0    gre

/ip route print 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 A S  192.168.1.0/24                      10.100.200.1              1
 2 ADC  10.100.200.0/30    10.100.200.2    gre                0

As a result, the tunnel comes up, pings go between the subnets, and resources (SMB) are reachable from either subnet.
Next, I proceed to configure IPsec (ESP).
On FreeBSD I end up with the following spd.conf:
spdadd 1.1.1.1/32 2.2.2.2/32 gre -P out ipsec esp/transport/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 gre -P in ipsec esp/transport/2.2.2.2-1.1.1.1/require;

racoon.conf:
path pre_shared_key "./psk.txt";
#log debug;
path certificate "./racoon";

padding
{
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen
{
        isakmp 1.1.1.1 [500];
        isakmp_natt 1.1.1.1 [4500];
}


remote 2.2.2.2
{
        exchange_mode main,aggressive;
        my_identifier address 1.1.1.1;
        peers_identifier address 2.2.2.2;
        proposal_check claim;
        ike_frag on;
        generate_policy off;

        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group 5;
                lifetime time 86400 secs;
        }
}

sainfo address 1.1.1.1/32 47 address 2.2.2.2/32 47
{
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        lifetime time 28800 secs;
        compression_algorithm deflate;
}

And on the Mikrotik:
/ip ipsec proposal print

 1    name="gre" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=8h 
      pfs-group=modp1536

/ip ipsec peer print 
 0    address=1.1.1.1/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key 
      secret="123" 
      generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1536 lifetime=1d 
      lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 

/ip ipsec policy print 
 1  XI  src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.1/32 
       dst-port=any protocol=gre action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=2.2.2.2
       sa-dst-address=1.1.1.1 proposal=gre priority=0

The tunnel comes up. Pings go between the subnets, but the resources are not reachable.
Packets arrive from the Mikrotik subnet, but the reply packet from the FreeBSD subnet reaches the gateway's local interface and is then no longer seen in the GRE tunnel.
Please help me find the error.
UPD
The situation has not changed. With the policies disabled, traffic passes; with encryption, not always.
# setkey -DP
2.2.2.2[any] 1.1.1.1[any] gre
        in ipsec
        esp/transport/2.2.2.2-1.1.1.1/require
        spid=88 seq=1 pid=51446
        refcnt=1
1.1.1.1[any] 2.2.2.2[any] gre
        out ipsec
        esp/transport/1.1.1.1-2.2.2.2/require
        spid=87 seq=0 pid=51446
        refcnt=1
# setkey -D
1.1.1.1 2.2.2.2
        esp mode=transport spi=38329021(0x0248dabd) reqid=0(0x00000000)
        E: rijndael-cbc  fa0343f1 e8f8bcce 0d6141c9 7992ce27
        A: hmac-sha1  d643cc10 26e73073 1a141d81 883947f0 fe4f2581
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: May 27 11:33:56 2016   current: May 27 11:34:07 2016
        diff: 11(s)     hard: 28800(s)  soft: 23040(s)
        last: May 27 11:33:56 2016      hard: 0(s)      soft: 0(s)
        current: 200(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=1 pid=51447 refcnt=2
2.2.2.2 1.1.1.1
        esp mode=transport spi=265913213(0x0fd9837d) reqid=0(0x00000000)
        E: rijndael-cbc  4acd0fa5 22ace24d 4d210063 dbd9f1cb
        A: hmac-sha1  bd0077ee d8ca81e4 ee9edd64 e1f97f0b e7672de8
        seq=0x0000000b replay=4 flags=0x00000000 state=mature
        created: May 27 11:33:56 2016   current: May 27 11:34:07 2016
        diff: 11(s)     hard: 28800(s)  soft: 23040(s)
        last: May 27 11:34:07 2016      hard: 0(s)      soft: 0(s)
        current: 796(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 11   hard: 0 soft: 0
        sadb_seq=0 pid=51447 refcnt=1

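The symptom above, small pings passing while SMB stalls, is worth checking against the tunnel MTU: GRE plus ESP adds overhead that a full-size inner packet leaves no room for. As an added example (not from the post or either vendor), the Python below computes the on-the-wire size of a LAN packet for the post's proposal; the 1500-byte link MTU and FreeBSD's default gre(4) MTU of 1476 are assumptions.

```python
# Added example (not from the post): on-the-wire size of a LAN packet after GRE and
# ESP transport mode between 1.1.1.1 and 2.2.2.2 with the post's proposal
# (aes-128-cbc + hmac-sha1), and whether it still fits an assumed 1500-byte link.
IP_HDR = 20              # IPv4 header without options
TCP_HDR = 20             # TCP header without options
GRE_HDR = 4              # plain GRE header (no key, sequence or checksum)
ESP_HDR = 8              # SPI + sequence number
AES_CBC_IV = 16          # explicit IV carried in every AES-CBC ESP packet
AES_BLOCK = 16           # encrypted part is padded to the cipher block size
ESP_TRAILER = 2          # pad-length + next-header bytes
HMAC_SHA1_96_ICV = 12    # truncated HMAC-SHA1 authenticator
LINK_MTU = 1500          # assumed MTU of the links between 1.1.1.1 and 2.2.2.2
MIKROTIK_GRE_MTU = 1400  # from "/interface gre print" in the post
FREEBSD_GRE_MTU = 1476   # gre(4) default (1500 - 20 - 4); assumed, not shown in the post

def esp_padded_len(plaintext_len):
    """Encrypted part: plaintext + trailer, rounded up to a whole AES block."""
    plain = plaintext_len + ESP_TRAILER
    return -(-plain // AES_BLOCK) * AES_BLOCK

def wire_len(inner_ip_len):
    """Transport mode keeps the GRE delivery header and inserts ESP in front of
    GRE, so the protected payload is GRE header + inner IP packet."""
    protected = GRE_HDR + inner_ip_len
    return IP_HDR + ESP_HDR + AES_CBC_IV + esp_padded_len(protected) + HMAC_SHA1_96_ICV

def fits(inner_ip_len, link_mtu=LINK_MTU):
    """True if the encapsulated packet crosses the link without IP fragmentation."""
    return wire_len(inner_ip_len) <= link_mtu

def max_inner_mtu(link_mtu=LINK_MTU):
    """Largest inner packet that still fits; a safe MTU for the gre interface."""
    n = link_mtu
    while not fits(n, link_mtu):
        n -= 1
    return n

def tcp_mss_for(link_mtu=LINK_MTU):
    """MSS to clamp TCP to so that full-size segments never need fragmentation."""
    return max_inner_mtu(link_mtu) - IP_HDR - TCP_HDR

if __name__ == "__main__":
    cases = (("ping", 84), ("Mikrotik gre", MIKROTIK_GRE_MTU), ("FreeBSD gre", FREEBSD_GRE_MTU))
    for label, size in cases:
        print(f"{label:13} inner={size:4} wire={wire_len(size):4} fits={fits(size)}")
    print(f"largest inner MTU {max_inner_mtu()} -> clamp TCP MSS to {tcp_mss_for()}")
```

An 84-byte ping and the Mikrotik's 1400-byte GRE MTU fit in one 1500-byte frame, while a full-size packet from a gre interface left at 1476 does not; comparing the gre MTU on both ends with this figure is a quick thing to rule out before looking at policies.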
1 answer(s)
Karmashkin, 2016-05-26
@Karmashkin

It seems that IPsec is at OSI layer 3, and it would now be possible to configure routes in it.
