IPSEC passes only ICMP

0

I have a FreeBSD box and a Mikrotik with IPs 1.1.1.1 and 2.2.2.2. The local subnets are 192.168.1.0/24 and 192.168.2.0/24. The firewall is disabled for testing.

I am bringing up a GRE tunnel between them.

FreeBSD:

ifconfig_gre0="10.100.200.1 10.100.200.2 netmask 255.255.255.252 tunnel 1.1.1.1 2.2.2.2"
route_gre="192.168.1.0/24 10.100.200.2"

Routes:

10.100.200.2       link#10            UH          0      135   gre0
192.168.2.0/24    10.100.200.2       UGS         0  1758594   gre0

Mikrotik:

/interface gre print 
 0  R name="gre" mtu=1400 actual-mtu=1400 local-address=2.2.2.2 
      remote-address=1.1.1.1 dscp=inherit clamp-tcp-mss=yes 
      dont-fragment=no allow-fast-path=yes

/ip address print 
 #   ADDRESS            NETWORK         INTERFACE                                                                 
 2   10.100.200.2/30    10.100.200.0    gre

/ip route print 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 A S  192.168.1.0/24                      10.100.200.1              1
 2 ADC  10.100.200.0/30    10.100.200.2    gre                0

As a result, the tunnel is up. ICMP and TCP/UDP traffic passes between the subnets.

Then I start configuring IPsec.

FreeBSD spd.conf:

spdadd 1.1.1.1/32 2.2.2.2/32 gre -P out ipsec esp/transport/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 gre -P in ipsec esp/transport/2.2.2.2-1.1.1.1/require;

racoon.conf:

path pre_shared_key "./psk.txt";
#log debug;
path certificate "./racoon";

padding
{
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen
{
        isakmp 1.1.1.1 [500];
        isakmp_natt 1.1.1.1 [4500];
}


remote 2.2.2.2
{
        exchange_mode main,aggressive;
        my_identifier address 1.1.1.1;
        peers_identifier address 2.2.2.2;
        proposal_check claim;
        ike_frag on;
        generate_policy off;

        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group 5;
                lifetime time 86400 secs;
        }
}

sainfo address 1.1.1.1/32 47 address 2.2.2.2/32 47
{
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        lifetime time 28800 secs;
        compression_algorithm deflate;
}

And Mikrotik:

/ip ipsec proposal print

 1    name="gre" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=8h 
      pfs-group=modp1536

/ip ipsec peer print 
 0    address=1.1.1.1/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key 
      secret="123" 
      generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1536 lifetime=1d 
      lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 

/ip ipsec policy print 
 1     src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.1/32 
       dst-port=any protocol=gre action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=2.2.2.2
       sa-dst-address=1.1.1.1 proposal=gre priority=0

The tunnel is up, but only ICMP traffic passes freely between the subnets. If a connection is initiated from the Mikrotik's side, the packets pass to the 192.168.1.0/24 subnet. Then the response arrives at the internal interface of FreeBSD but does not appear in the GRE tunnel. Connections initiated from the 192.168.1.0/24 subnet work well.

# setkey -DP
2.2.2.2[any] 1.1.1.1[any] gre
        in ipsec
        esp/transport/2.2.2.2-1.1.1.1/require
        spid=88 seq=1 pid=51446
        refcnt=1
1.1.1.1[any] 2.2.2.2[any] gre
        out ipsec
        esp/transport/1.1.1.1-2.2.2.2/require
        spid=87 seq=0 pid=51446
        refcnt=1
# setkey -D
1.1.1.1 2.2.2.2
        esp mode=transport spi=38329021(0x0248dabd) reqid=0(0x00000000)
        E: rijndael-cbc  fa0343f1 e8f8bcce 0d6141c9 7992ce27
        A: hmac-sha1  d643cc10 26e73073 1a141d81 883947f0 fe4f2581
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: May 27 11:33:56 2016   current: May 27 11:34:07 2016
        diff: 11(s)     hard: 28800(s)  soft: 23040(s)
        last: May 27 11:33:56 2016      hard: 0(s)      soft: 0(s)
        current: 200(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=1 pid=51447 refcnt=2
2.2.2.2 1.1.1.1
        esp mode=transport spi=265913213(0x0fd9837d) reqid=0(0x00000000)
        E: rijndael-cbc  4acd0fa5 22ace24d 4d210063 dbd9f1cb
        A: hmac-sha1  bd0077ee d8ca81e4 ee9edd64 e1f97f0b e7672de8
        seq=0x0000000b replay=4 flags=0x00000000 state=mature
        created: May 27 11:33:56 2016   current: May 27 11:34:07 2016
        diff: 11(s)     hard: 28800(s)  soft: 23040(s)
        last: May 27 11:34:07 2016      hard: 0(s)      soft: 0(s)
        current: 796(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 11   hard: 0 soft: 0
        sadb_seq=0 pid=51447 refcnt=1

Help me find the reason, please.

freebsd
ipsec
mikrotik
asked on Server Fault May 27, 2016 by Zarom • edited Jun 1, 2016 by Zarom

0 Answers

Nobody has answered this question yet.

