I have FreeBSD and Mikrotik with IP 1.1.1.1 and 2.2.2.2. Local subnets are 192.168.1.0/24 and 192.168.2.0/24. Firewall is disabled for testing.
I am bringing up gre tunnel between them.
FreeBSD:
ifconfig_gre0="10.100.200.1 10.100.200.2 netmask 255.255.255.252 tunnel 1.1.1.1 2.2.2.2
route_gre="192.168.1.0/24 10.100.200.2"
Routes:
10.100.200.2 link#10 UH 0 135 gre0
192.168.2.0/24 10.100.200.2 UGS 0 1758594 gre0
Mikrotik:
/interface gre print
0 R name="gre" mtu=1400 actual-mtu=1400 local-address=2.2.2.2
remote-address=1.1.1.1 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no allow-fast-path=yes
/ip address print
# ADDRESS NETWORK INTERFACE
2 10.100.200.2/30 10.100.200.0 gre
/ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
1 A S 192.168.1.0/24 10.100.200.1 1
2 ADC 10.100.200.0/30 10.100.200.2 gre 0
In result, tunnel is up. ICMP and TCP/UDP traffic passes between subnets.
Then. I'm starting to configure IPSEC.
FreeBSD spd.conf:
spdadd 1.1.1.1/32 2.2.2.2/32 gre -P out ipsec esp/transport/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 gre -P in ipsec esp/transport/2.2.2.2-1.1.1.1/require;
raccoon.conf:
path pre_shared_key "./psk.txt";
#log debug;
path certificate "./racoon";
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
listen
{
isakmp 1.1.1.1 [500];
isakmp_natt 1.1.1.1 [4500];
}
remote 2.2.2.2
{
exchange_mode main,aggressive;
my_identifier address 1.1.1.1;
peers_identifier address 2.2.2.2;
proposal_check claim;
ike_frag on;
generate_policy off;
proposal
{
authentication_method pre_shared_key;
encryption_algorithm aes;
hash_algorithm sha1;
dh_group 5;
lifetime time 86400 secs;
}
}
sainfo address 1.1.1.1/32 47 address 2.2.2.2/32 47
{
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
lifetime time 28800 secs;
compression_algorithm deflate;
}
And Mikrotik:
/ip ipsec proposal print
1 name="gre" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=8h
pfs-group=modp1536
/ip ipsec peer print
0 address=1.1.1.1/32 local-address=:: passive=no port=500
auth-method=pre-shared-key
secret="123"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1536 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy print
1 src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.1/32
dst-port=any protocol=gre action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=2.2.2.2
sa-dst-address=1.1.1.1 proposal=gre priority=0
Tunnel is up and only ICMP traffic freely passes between subnets. If connection is initiated from Mikrotik's side, packets passes to 192.168.1.0/24 subnet. Then response comes to internal if of FreeBSD but does not appear in gre tunnel. Connections, initiated from 192.168.1.0/24 subnet works well.
# setkey -DP
2.2.2.2[any] 1.1.1.1[any] gre
in ipsec
esp/transport/2.2.2.2-1.1.1.1/require
spid=88 seq=1 pid=51446
refcnt=1
1.1.1.1[any] 2.2.2.2[any] gre
out ipsec
esp/transport/1.1.1.1-2.2.2.2/require
spid=87 seq=0 pid=51446
refcnt=1
# setkey -D
1.1.1.1 2.2.2.2
esp mode=transport spi=38329021(0x0248dabd) reqid=0(0x00000000)
E: rijndael-cbc fa0343f1 e8f8bcce 0d6141c9 7992ce27
A: hmac-sha1 d643cc10 26e73073 1a141d81 883947f0 fe4f2581
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 27 11:33:56 2016 current: May 27 11:34:07 2016
diff: 11(s) hard: 28800(s) soft: 23040(s)
last: May 27 11:33:56 2016 hard: 0(s) soft: 0(s)
current: 200(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=1 pid=51447 refcnt=2
2.2.2.2 1.1.1.1
esp mode=transport spi=265913213(0x0fd9837d) reqid=0(0x00000000)
E: rijndael-cbc 4acd0fa5 22ace24d 4d210063 dbd9f1cb
A: hmac-sha1 bd0077ee d8ca81e4 ee9edd64 e1f97f0b e7672de8
seq=0x0000000b replay=4 flags=0x00000000 state=mature
created: May 27 11:33:56 2016 current: May 27 11:34:07 2016
diff: 11(s) hard: 28800(s) soft: 23040(s)
last: May 27 11:34:07 2016 hard: 0(s) soft: 0(s)
current: 796(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 11 hard: 0 soft: 0
sadb_seq=0 pid=51447 refcnt=1
Help me to find the reason, please.
User contributions licensed under CC BY-SA 3.0