# Checkpoint vs. FreeBSD IPSEC problem



## fefo (Jan 26, 2010)

Hi.

I can't really figure out why my IPSEC tunnel is not working.
On the picture you can see configuration of external and interal interfaces on checkpoint and FreeBSD.





(http://fefo.valec.net/Diagram1.svg)

I do the procedures from manual pages:
http://www.freebsd.org/doc/en/articles/checkpoint/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

gif from FreeBSD router:


```
#ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 4.3.2.1 --> 1.2.3.4
        inet 192.168.10.199 --> 10.10.10.1 netmask 0xffffffff 
        options=1<ACCEPT_REV_ETHIP_VER>
```

setkey.conf from FreeBSD router:


```
flush;
spdflush;
spdadd 192.168.10.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.10.10.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 4.3.2.1/32 10.10.10.0/24 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.10.10.0/24 4.3.2.1/32 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;
```


racoon.conf from FreeBSD router:

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
        log debug2;
padding{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
      } 
listen{
        isakmp 4.3.2.1 [500];
        isakmp 192.168.10.199 [500];
      }
timer{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
      }
remote 1.2.3.4 [500] {
          exchange_mode main,aggressive; # For Firewall-1 Aggressive mode
        my_identifier address 4.3.2.1;
        peers_identifier address 1.2.3.4;
          nonce_size 16;
          lifetime time 10 min;   # sec,min,hour
          initial_contact on;
          proposal_check obey;    # obey, strict or claim
          proposal {
                encryption_algorithm aes256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
          }
}
sainfo anonymous {
          lifetime time 10 min;
          encryption_algorithm aes128;
          authentication_algorithm hmac_md5;
          compression_algorithm deflate;
        }
```


I've added route for 10.10.10.0/24 network:

```
10.10.10.0/24    10.10.10.1       UGS         0     1392   gif0
10.10.10.1       link#14            UH          0     8156   gif0
```

When I make a simple ping I see that IPSEC is working correctly, cause there is Ipsec-SA established: ESP/Tunnel .....


If I make ping from FreeBSD router _ping -S 192.168.10.199 10.10.10.1_
I can see in tcpdump on gif0 interface only ICMP echo replies.
On external interface fxp0 I see ESP from 1.2.3.4 and also to 1.2.3.4, that should be echos end replies.

BUT

If I make a ping from machine, which is in vlan25 in subnet 192.168.10.0/24 to 10.10.10.1, ping is not working and the only thing I can see is:

on external interface fxp0 there are:

```
17:21:11.117361 IP (tos 0x0, ttl 30, id 12989, offset 0, flags [none], proto IPIP (4), length 104)
    4.3.2.1 > 1.2.3.4: IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.100 > 10.10.10.1: ICMP echo request, id 45348, seq 151, length 64
```

and on gif interface, there are icmp echo requests from 192.168.10.100 -> 10.10.10.1

I see that this traffic isnt encrypted when leaving external interface so I've added another two rules to setkey.conf

```
spdadd 4.3.2.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 1.2.3.4/32 4.3.2.1/32 any -P out ipsec esp/tunnel/1.2.3.4-4.3.2.1/require;
```

Than I restarted ispec and racoon and now I can see:
On gif interface there are ICMP echo request as before, BUT
on external interface fxp0, there are ESP packets from 4.3.2.1 to 1.2.3.4
it means.. there are my ICMP echo requests in ESP packets.
I cant get ANY answer.


I've phoned to the admin of checkpoint to check logs and he sent me this picture as reason why it is not working:




(http://fefo.valec.net/log-modified.png)

The reason he told me was: "t gets dropped, it looks like its trying to use some weird ipencap protocol:"



I really don't know what I am doing wrong, could somebody explain me maybe what the ipencap protocol is, how could I change the behaviour of my VPN to get it working(maybe not using ipencap).
I really don't know where is the problem.

Any idea, suggestions ? whatever. I have to fix it ASAP.

Thanks in advance,

Martin Baumann


----------



## ohauer (Jan 31, 2010)

Hi,

I feel the CP is right ...

take a look into these docs.

http://www.freebsd.org/doc/en/books/handbook/ipsec.html
http://www.freebsd.org/doc/de/books/handbook/ipsec.html

I guess the german page is a little older but It explains a litte bit more (depending on your racoon version)


----------

