# IPsec Tunnel/Routing Problem



## butzke (Dec 26, 2013)

Hello everyone,

I am having what I believe is a routing issue when trying to route traffic across an IPsec tunnel. The system is running FreeBSD 9.1-STABLE, PF firewall and ipsec-tools-0.8.0_3. The tunnel in question is to a vendor that is running a Palo Alto device and I do not have any control of their end of the tunnel. The purpose of the tunnel is to reach a number of web servers on their private network. The particulars are as follows:


Vendor Private Net - 172.16.1.0/24
Out Private Net - 10.29.161.0/24
Vendor requires us to NAT all traffic to a single IP - 10.29.161.254

I am able to establish the VPN tunnel; both phase 1 and phase 2 complete without errors and the vendor sees the tunnel up on their end. I am able to pass traffic on port 80 from the firewall to their web servers, but I am not able to reach their web servers from any of the computers on our network. 

Relevant sysctl nobs:

```
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet.ipsec.filtertunnel: 1
```

setkey.conf:

```
flush;
spdflush;
spdadd 10.29.161.254/32 172.16.1.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 172.16.1.0/24 10.29.161.235/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
```

racoon.conf:

```
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
log     notify;

padding
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer
{
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen
{
        isakmp          1.1.1.1 [500];
}

remote 2.2.2.2 [500]
{
        exchange_mode   main;
        my_identifier   address 1.1.1.1;
        peers_identifier        address 2.2.2.2;
        passive         off;
        initial_contact on;
        proposal_check  obey;
        support_proxy on;
        nat_traversal   off;
        generate_policy off;

                        proposal {
                                encryption_algorithm    3des;
                                hash_algorithm          sha1;
                                authentication_method   pre_shared_key;
                                dh_group                2;
                                lifetime time           24 hour;
                        }
}

sainfo  (address 10.29.161.254/32 any address 172.16.1.0/24 any)
{
        lifetime        time    1 hour;
        encryption_algorithm    3des;
        authentication_algorithm        hmac_sha1;
        compression_algorithm   deflate;
}
```

gif0 interface:

```
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 1.1.1.1 --> 2.2.2.2
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        options=1<ACCEPT_REV_ETHIP_VER>
```

`netstat -rn`

```
Routing tables

Internet:
Destination         Gateway            Flags    Refs      Use  Netif Expire
default             1.1.1.1        UGS       256 78569709   bce0
10.29.161.0/24     link#2             U           1   153006   bce1
10.29.161.1        link#2             UHS         0    20020    lo0
10.29.161.254      link#16            UHS         0        0    lo0
10.29.161.254/32   link#16            UHS         0        1    lo0
10.29.162.2        link#17            UHS         0  2084720    lo0 =>
10.29.162.2/32     link#17            U           0        0   tap1
1.1.1.1/30         link#1             U           0        3   bce0
1.1.1.1            link#1             UHS         0        0    lo0
172.16.1.0/24      10.29.161.254      US          0        0   bce2
63.93.193.0/24     10.29.161.185      UGS         0        0  bce2
63.124.67.0/24     10.29.161.185      UGS         0        0  bce2
127.0.0.1          link#11            UH          0     1265    lo0
```

pf.conf (a*b*breviated):

```
ExtIf="bce0"
IntIf="bce1"
TunIf="gif0"

set skip on { lo0, gif0 }

nat on $ExtIf from $IntIf:network to any -> $ExtIf
nat on $IntIf from $IntIf:network to 172.16.1.0/24 -> 10.29.161.254

pass in log on $IntIf inet proto tcp
pass in log on $IntIf inet proto { udp, icmp }
```

Something that I have discovered which is interesting: I am not able to pass traffic on gif0 unless it is skipped in pf.conf as shown above. 

To sum up, no traffic on the 10.29.161.0/24 network can reach the web servers across the VPN tunnel on the 172.16.1.0/24 network. The firewall on the other hand can reach the web servers across the tunnel. I am at a loss and am not sure what to try next. Any assistance is greatly appreciated.

Thanks.


----------

