# IPSec between Cisco router and FreeBSD in Azure cloud



## MixaSg (Sep 19, 2019)

Hi folks!
I would like to make a tunnel between the Cisco router and the FreeBSD host, but I can’t write the rules in ipsec.txt correctly.
My Cisco router is behind ASA firewall and have PAT rules for ports UDP:500, UDP:4500. I also have another working IPSec VTI tunnels on router.






My router config:


```
crypto keyring MyTo
  pre-shared-key address YYY.YYY.YYY.YYY key Megakey
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 20 periodic
crypto isakmp nat keepalive 20
crypto isakmp profile MyTo
   keyring MyTo
   match identity address YYY.YYY.YYY.YYY 255.255.255.255
   initiate mode aggressive
!
crypto ipsec transform-set MyNet esp-aes 256 esp-sha-hmac
!
!
crypto ipsec profile MyTo
set transform-set MyNet
set pfs group2
set isakmp-profile MyTo
!
!
interface Tunnel10
description --- To ---
ip address 10.255.200.5 255.255.255.252
tunnel source Vlan1
tunnel mode ipsec ipv4
tunnel destination YYY.YYY.YYY.YYY
tunnel protection ipsec profile MyTo
!
ip route 10.229.33.4 255.255.255.255 10.255.200.6
```

My FreeBSD config (current ipsec.txt content is a cry of despair)


```
/usr/local/etc/racoon/racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/key.txt";
log notify;

listen {
        isakmp 10.229.33.4 [500];
        isakmp_natt 10.229.33.4 [4500];
}

remote XXX.XXX.XXX.XXX {
        exchange_mode aggressive,base,main;
        nat_traversal on;
        my_identifier address 23.100.43.215;
        peers_identifier address 10.255.200.2;
        lifetime time 86400 sec;
        generate_policy on;
        dpd_delay 25;
        proposal_check obey;    # obey, strict, or claim

        proposal {
                encryption_algorithm aes 256;
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group 2;
        }
}

sainfo anonymous
{
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        compression_algorithm deflate;
}

cat /usr/local/etc/racoon/ipsec.conf

spdadd -4 10.229.33.4/32 10.229.33.0/24 any -P out none;
spdadd -4 10.229.33.0/24 10.229.33.4/32 any -P in none;
spdadd -4 10.255.200.6/32 10.255.1.0/24 any -P out ipsec esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/unique;
spdadd -4 10.255.1.0/24 10.255.200.6/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/unique;
```

IPSec is work fine, but I can't reach anyone except my internal network:


```
vpn#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
YYY.YYY.YYY.YYY   10.255.200.2    QM_IDLE           2081 ACTIVE

vpn#ping 10.229.33.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.33.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/208/208 ms
vpn#ping 10.255.200.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.200.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/208/208 ms
```

Why all packets from FreeBSD router in to tunnel?


```
[user@srv ~]$ netstat -arnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.229.33.1        UGS         hn0
10.229.33.0/24     link#2             U           hn0
10.229.33.4        link#2             UHS         lo0
10.255.0.0/16      10.255.200.5       UGS        gre0
10.255.200.5       link#3             UH         gre0
10.255.200.6       link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
168.63.129.16/32   10.229.33.1        UGS         hn0
169.254.169.254/32 10.229.33.1        UGS         hn0
```

Control access list on Cisco side of tunnel:


```
Sep 19 10:48:39: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 114.33.74.20, 1 packet
Sep 19 10:48:41: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 76.164.234.122, 1 packet
Sep 19 10:48:42: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 220.134.214.57, 1 packet
Sep 19 10:48:44: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.229.33.4 -> 118.170.49.247, 1 packet
```


----------



## MixaSg (Sep 25, 2019)

I understand my trouble:

```
[root@srv/usr/local/etc/racoon]# racoonctl show-sa isakmp
Destination            Cookies                           Created
XXX.XXX.XXX.XXX.4500      ca6587371b812659:83f3eef3edad29f9 2019-09-25 14:46:49
[root@srv-west-usa-infra-01 /usr/local/etc/racoon]# racoonctl show-sa ipsec
10.229.33.4[4500] XXX.XXX.XXX.XXX[4500]
        esp-udp mode=tunnel spi=2171799256(0x817306d8) reqid=0(0x00000000)
        E: aes-cbc  c5373df6 2d3afa41 81014be7 eaec1e3a f8b0b999 5780a51e f980511a ba02de06
        A: hmac-sha1  fc6ec11d 616506a0 f5575e79 21965f54 61ba1a91
        seq=0x000000d7 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 41240(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 215  hard: 0 soft: 0
        sadb_seq=1 pid=30018 refcnt=1
XXX.XXX.XXX.XXX[4500] 10.229.33.4[4500]
        esp-udp mode=tunnel spi=154626754(0x09376ac2) reqid=0(0x00000000)
        E: aes-cbc  2adde052 f70f3d7c 74407227 f2e292eb 6c3fb441 b9006e00 c6e90b4f b1dc070e
        A: hmac-sha1  ee6a769d 6556ec7f f8c29680 9e1e58fe 8f97aa7d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 14:46:49 2019   current: Sep 25 14:50:38 2019
        diff: 229(s)    hard: 3600(s)   soft: 2880(s)
        last: Sep 25 14:46:52 2019      hard: 0(s)      soft: 0(s)
        current: 17458(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 228  hard: 0 soft: 0
        sadb_seq=0 pid=30018 refcnt=1
[root@srv/usr/local/etc/racoon]# setkey -DP
XXX.XXX.XXX.XXX[any] 10.229.33.4[any] gre
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/unique#16394
        spid=1662 seq=3 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/XXX.XXX.XXX.XXX-10.229.33.4/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:41 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1665 seq=2 pid=30088 scope=global
        refcnt=2
10.229.33.4[any] XXX.XXX.XXX.XXX[any] gre
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/unique#16393
        spid=1661 seq=1 pid=30088 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.229.33.4-XXX.XXX.XXX.XXX/require
        created: Sep 25 14:46:49 2019  lastused: Sep 25 14:50:43 2019
        lifetime: 3600(s) validtime: 0(s)
        spid=1666 seq=0 pid=30088 scope=global
        refcnt=4
[root@srv/usr/local/etc/racoon]#
```

Racoon make SA as: 
	
	



```
0.0.0.0/0[any] 0.0.0.0/0[any] any
```
, because I use Cisco tunnel and have 
	
	



```
generate_policy on;
```
 in racoon.conf. And cisco have:


```
vpn#sh crypto ipsec sa
...
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.255.200.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
...
```

Therefore, all traffic enters the tunnel. Does anyone know how to avoid this?


----------



## tpfiler (Oct 22, 2019)

MixaSg said:


> I understand my trouble:
> 
> ```
> [root@srv/usr/local/etc/racoon]# racoonctl show-sa isakmp
> ...


Have you tried split tunneling with routing policies?


----------

