
List:       openbsd-pf
Subject:    ipsec road warrior nat'ing into the tunnel
From:       Tamas TEVESZ <ice () extreme ! hu>
Date:       2005-12-15 1:00:41
Message-ID: Pine.LNX.4.58.0512150144330.9621 () dawn ! royalcomp ! hu


hello,

i've tried this on misc@ last week, please allow me to have a run here
too, with modifications that happened since.

the situation is pretty ordinary, a road warrior having established a
tunnel with a network behind some other peer's security gateway, needs
to nat its own internal network so that they too can access the other
network, that of the other party, while appearing to have arrived
from the road warrior's routeable ip address. (in my case, the remote
"network" is just a host, actually.)

i've read lots of stuff in the archives, google, read ipsec(4), i quite
believe i understand how it's supposed to work (at least until i'm
proven wrong, that is:), but then, it just does not. i'm on the verge
of starting to believe that at some point in time, something has gone
seriously wrong in the way the ip and ipsec stacks interact in
openbsd. i'm willing to be proven wrong.

sketch:

                              ,------------,
                          enc0              \
[192.168.1.0/24] -- [fxp0 -- tun0] -- || -- [peer sgw] -- [10.6.10.98 @ peer's]
              192.168.1.6    a.b.c.185      d.e.f.3


using the below-quoted isakmpd.conf [1], the tunnel gets established
properly, 10.6.10.98 can be pinged, services on it accessed, whatnot.

$ openssl s_client -host 10.6.10.98 -port 443
CONNECTED(00000004)
[...]
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
[...]

gorgeous. the encap routing table at this point looks like this:

Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.6.10.98/32      0     a.b.c.185/32       0     0     d.e.f.3/50/use/in
a.b.c.185/32       0     10.6.10.98/32      0     0     d.e.f.3/50/require/out

all's well thus far.

now, if i understand ipsec(4) and several posts by claudio and cedric
here and there right, one needs to manually teach the kernel about a
flow from "my private network" to "remote private network" via "peer's
security gateway". the only purpose of this flow is so that the
packets matching these criteria get selected for ipsec processing (in
fact the "via ..." seems to be superfluous, but it also doesn't seem
to make a difference in practice).

in my case, the following ipsec.conf seems to be just about fine:

# cat /etc/ipsec.conf
flow esp from 192.168.1.0/24 to 10.6.10.98 peer d.e.f.3
#

gently hammering it into the kernel, everything still seems fine, to
the best of my understanding:

# ipsecctl -f /etc/ipsec.conf
# netstat -nrfencap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.6.10.98/32      0     192.168.1/24       0     0     d.e.f.3/50/use/in
10.6.10.98/32      0     a.b.c.185/32       0     0     d.e.f.3/50/use/in
192.168.1/24       0     10.6.10.98/32      0     0     d.e.f.3/50/require/out
a.b.c.185/32       0     10.6.10.98/32      0     0     d.e.f.3/50/require/out
#


the only thing left is pf. so as not to complicate matters, the
following configuration is what i'm trying to use:

# cat /etc/pf.conf

nat on enc0 from 192.168.1.0/24 to 10.6.10.98 -> a.b.c.185
nat on tun0 from 192.168.1.0/24 to $sometesthost -> a.b.c.185

pass log (all) all keep state

#

that should be all. but it doesn't work, and it does so in interesting
(to me) ways.

the `pass log (all)' in pf is so that i could spy on packets closely;
this revealed something i can't explain, but i suspect it has to do
something with the problem.

as a test, from 192.168.1.12, i try to connect to $sometesthost:25:

# tcpdump -nettti pflog0 not port 22 and not port 500
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG

<on 192.168.1.12, do `telnet $sometesthost 25', get a
connrefused, for $sometesthost does not run an smtp service>

Dec 10 07:21:53.638006 rule 0/(match) pass in on fxp0: 192.168.1.12.52812 > $sometesthost.25: [|tcp] (DF) [tos 0x10]
Dec 10 07:21:53.638072 rule 0/(match) pass out on tun0: a.b.c.185.57197 > $sometesthost.25: [|tcp] (DF) [tos 0x10]
Dec 10 07:21:53.652114 rule 0/(match) pass in on tun0: $sometesthost.25 > 192.168.1.12.52812: [|tcp] (DF)
Dec 10 07:21:53.652134 rule 0/(match) pass out on fxp0: $sometesthost.25 > 192.168.1.12.52812: [|tcp] (DF)

fine, shows a packet coming in, after translation going out, blah,
everything looks perfect.

now, let's try to ping 10.6.10.98:

# tcpdump -nettti pflog0 not port 22 and not port 500
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG

<on 192.168.1.12, start a `ping 10.6.10.98'>

Dec 10 07:30:55.432061 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)
Dec 10 07:30:56.431228 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)
Dec 10 07:30:57.430875 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)

and... that's it. a packet comes in, and disappears.

i've looked for it everywhere. on every interface, it doesn't ever hit
anything that pf wants to log with log(all). i can't find any related
(e.g.) icmp traffic back to the originating host which would indicate
that anything has happened to my little echoreq. nothing. disappeared.

this is a packet that, if my ipsec.conf above was right, should have
gotten selected for ipsec processing, and, according to ipsec(4),
after having gotten nat'ed, should have been processed by ipsec, and
thus, should have appeared in the above tcpdump.

why did it not?
where does a packet go when it disappears?
how can i find out at which point it gets lost? is it perhaps nat,
ipsec, where? setting pf's debuglevel to loud kept it dead silent.

if none of the above, where did i misunderstand this?

i am totally lost, dazed and confused, and quite frankly can't decide
whether it's me being a dumbass, or whether it's really the case of
something not working as it's supposed to work.

anyone care to enlighten me?

working isakmpd.conf and dmesg below; dmesg is from the latest snap,
i've also tried with 3.8-stable, same symptoms to the last bit.

thanks a lot,


[1]. isakmpd.conf

[General]
Retransmits=		5
Exchange-max-time=	120
Check-interval=		1
DPD-check-interval=	60

[Phase 1]
d.e.f.3=		ISAKMP-Peer-Corp

[Phase 2]
Connections=		IPSec-Corp-10-6-10-36-32

[ISAKMP-Peer-Corp]
Phase=			1
Transport=		udp
Address=		d.e.f.3
Configuration=		Corp-main-mode
Authentication=		***

[Corp-main-mode]
EXCHANGE_TYPE=		ID_PROT
Transforms=		AES-SHA-GRP2

[Corp-quick-mode]
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-GRP2-SUITE

[Host-Me]
ID-type=		IPV4_ADDR
Address=		a.b.c.185

[IPSec-Corp-10-6-10-36-32]
Phase=			2
ISAKMP-Peer=		ISAKMP-Peer-Corp
Configuration=		Corp-quick-mode
Remote-ID=		Host-Corp-10-6-10-36
Local-ID=		Host-Me

[Host-Corp-10-6-10-36]
ID-type=		IPV4_ADDR
Address=		10.6.10.98

[2] isakmpd.policy:
KeyNote-Version: 2

Authorizer: "POLICY"
Licensees: "passphrase:***"
Conditions: app_domain == "IPsec policy" &&
        esp_present == "yes" &&
        esp_enc_alg == "aes" -> "true";

[3] dmesg

OpenBSD 3.8-current (GENERIC) #302: Thu Dec  8 16:26:41 MST 2005
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC


-- 
[-]

mkdir /nonexistent
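The pflog records quoted in the message above, run through a small pairing script (an added example, not part of the original message or of any OpenBSD tool): each packet passed in on fxp0 is paired with a later outbound pass for the same destination and protocol on any interface, ignoring the source because nat rewrites it, and the ingress packets that never show up going out are reported. The telnet syn pairs with its tun0 egress; the three echo requests to 10.6.10.98 do not. The log lines are constructed from the post, with the poster's $sometesthost placeholder kept as is, and the one-second pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the two pflog captures quoted in the post, $sometesthost kept verbatim.
SAMPLE_PFLOG = """\
Dec 10 07:21:53.638006 rule 0/(match) pass in on fxp0: 192.168.1.12.52812 > $sometesthost.25: [|tcp] (DF) [tos 0x10]
Dec 10 07:21:53.638072 rule 0/(match) pass out on tun0: a.b.c.185.57197 > $sometesthost.25: [|tcp] (DF) [tos 0x10]
Dec 10 07:21:53.652114 rule 0/(match) pass in on tun0: $sometesthost.25 > 192.168.1.12.52812: [|tcp] (DF)
Dec 10 07:21:53.652134 rule 0/(match) pass out on fxp0: $sometesthost.25 > 192.168.1.12.52812: [|tcp] (DF)
Dec 10 07:30:55.432061 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)
Dec 10 07:30:56.431228 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)
Dec 10 07:30:57.430875 rule 0/(match) pass in on fxp0: 192.168.1.12 > 10.6.10.98: icmp: echo request (DF)
"""

# One record as printed by `tcpdump -nettti pflog0` in the post; banners do not match.
PFLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+) (?P<action>\w+) '
    r'(?P<dir>in|out) on (?P<ifc>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$')

def parse_pflog(text):
    """Parse pflog lines into dicts carrying a datetime and a coarse protocol tag."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rest = rec.pop('rest')
        rec['proto'] = ('icmp' if rest.startswith('icmp')
                        else 'tcp' if '[|tcp]' in rest
                        else 'udp' if '[|udp]' in rest else 'other')
        rec['t'] = datetime.strptime(rec['ts'], '%b %d %H:%M:%S.%f')
        records.append(rec)
    return records

def unmatched_ingress(records, lan_if='fxp0', window=1.0):
    """Inbound records on lan_if with no outbound pass (any interface) for the same
    destination and protocol within `window` seconds afterwards (window is assumed).
    The source is ignored on purpose: nat rewrites it before the packet goes out."""
    outs = [r for r in records if r['dir'] == 'out']
    lost = []
    for r in records:
        if r['dir'] != 'in' or r['ifc'] != lan_if:
            continue
        if not any(o['dst'] == r['dst'] and o['proto'] == r['proto']
                   and 0 <= (o['t'] - r['t']).total_seconds() <= window
                   for o in outs):
            lost.append(r)
    return lost

if __name__ == '__main__':
    for r in unmatched_ingress(parse_pflog(SAMPLE_PFLOG)):
        print(f"{r['ts']} {r['proto']} {r['src']} > {r['dst']}: in on {r['ifc']}, no egress seen")
```

Feed it a live capture with `tcpdump -nettti pflog0 | python3 script.py` style piping (reading stdin instead of SAMPLE_PFLOG) to watch for new flows that enter the LAN interface and never leave.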


