# Traffic ignore security policies for SA in IPSec site-to-site connection



## NutipA (Jun 1, 2011)

I need to establish an IPSec site-to-site connection between two offices as shown below:

               LAN1 (192.168.1.0/24)
                          |
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP(X.X.X.X)
                          |
                          |
                       internet
                          |
                          |
ZyXEL ZyWALL USG50 (192.168.10.1) + NAT over PPTP (Y.Y.Y.Y)
                          |
               LAN2 (192.168.10.0/24)

The VPN connection has been established. All traffic between the two VPN gateways with global addresses X.X.X.X and Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this traffic as packets with ESP headers in my sniffer. Then I added static routes to each LAN. But when I ping the ZyXEL's private address from my computer (192.168.1.102) I see the following output in tcpdump on the FreeBSD gateway:

```
19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y : IP 192.168.1.102 > 192.168.10.1: ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)
```

The traffic hasn't been encrypted and there is one stage of encapsulation instead of two (I can see the packet type)! The IP packets ignore the security policies for the SA:

```
192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
        spid=5 seq=0 pid=23533
        refcnt=1
```

Please help me to solve this problem. As an IPSec SA is a one-way logical connection, the ZyXEL configuration can be omitted. As I understand it, the traffic from client machines, at least in the direction LAN1->LAN2, should look like this:

```
21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66), length 116
```

Output of commands and configs:

```
[19]root@beta:/home/NutipA# cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
# To the second office network
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/use;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/use;
```

```
[19]root@beta:/home/NutipA# cat /usr/local/etc/racoon/racoon.conf
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log     debug;  #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listening on
{
        isakmp          X.X.X.X [500];
        isakmp_natt     X.X.X.X [4500];
}

remote  Y.Y.Y.Y [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address X.X.X.X;
        peers_identifier        address Y.Y.Y.Y;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        proposal {
                                encryption_algorithm    3des;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }
}

sainfo  (address 192.168.1.0/24 any address 192.168.10.0/24 any)    # address $network/$netmask $type address $network/$netmas
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}
```

```
[18]root@beta:/home/NutipA# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:17:31:55:a6:07
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
<output ommitted>
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1400
        options=80000<LINKSTATE>
        inet X.X.X.X --> 81.25.33.1 netmask 0xffffffff 
        Opened by PID 32338
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet X.X.X.X --> Y.Y.Y.Y
        inet 192.168.1.2 --> 192.168.10.1 netmask 0xffffff00 
        options=1<ACCEPT_REV_ETHIP_VER>
```

```
[19]root@beta:/home/NutipA# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            Z.Z.Z.Z         UGS         0    74261   tun0
<output ommitted>
192.168.1.0/24     link#1             U           2  1097106    em0
192.168.1.2        link#1             UHS         0        0    lo0
192.168.10.0/24    192.168.10.1       UGS         0      549   gif0
192.168.10.1       link#8             UH          0     4230   gif0
```

```
[18]root@beta:/home/NutipA# cat /etc/rc.conf 
zfs_enable="YES"
hostname="beta"
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0 -rxcsum -txcsum -tso"
sshd_enable="YES"
ifconfig_vr0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
firewall_type="/etc/firewall"
```
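To make the behaviour in the post concrete, here is an added Python model of the setkey(8) SPD lookup; it is example code, not part of the original post or of the FreeBSD/racoon code. It parses the two `spdadd` lines from setkey.conf, matches a packet's selectors against them and applies the policy level. The constructed addresses 198.51.100.1 and 203.0.113.1 stand in for X.X.X.X and Y.Y.Y.Y. It evaluates the two headers the forwarded ICMP echo is seen with: the inner LAN-to-LAN packet, which matches the `out` policy, and the gif0 IPIP packet carrying it, whose gateway-to-gateway outer header falls outside both 192.168.x.0/24 selectors and therefore matches no policy at all. It also shows why the `use` level matters for a defender: when a matched policy has no SA, `use` sends the packet unprotected, while `require` or `unique` would drop it.

```python
"""Model of the setkey(8) SPD lookup for the policies in the post.

Added example, not from the original post. 198.51.100.1 and 203.0.113.1 are
constructed stand-ins for X.X.X.X and Y.Y.Y.Y; the selectors, tunnel
endpoints and levels come from the spdadd lines in setkey.conf.
"""
import ipaddress
import re
from dataclasses import dataclass, replace

GW_LOCAL = "198.51.100.1"    # stands in for X.X.X.X (FreeBSD side)
GW_REMOTE = "203.0.113.1"    # stands in for Y.Y.Y.Y (ZyXEL side)

# The two spdadd statements from setkey.conf with the placeholders substituted.
SETKEY_CONF = f"""
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/{GW_LOCAL}-{GW_REMOTE}/use;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/{GW_REMOTE}-{GW_LOCAL}/use;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(tunnel|transport)/(\S+?)-(\S+?)/(use|require|unique)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str         # upper-layer protocol selector: 'any' or a protocol name
    direction: str     # 'in' or 'out'
    sa_proto: str      # 'esp' or 'ah'
    mode: str          # 'tunnel' or 'transport'
    tunnel_src: str
    tunnel_dst: str
    level: str         # 'use', 'require' or 'unique'


def parse_spd(conf):
    """Build the security policy database from spdadd statements."""
    policies = []
    for m in SPDADD_RE.finditer(conf):
        src, dst, upper, direction, sa_proto, mode, tsrc, tdst, level = m.groups()
        policies.append(Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                               upper, direction, sa_proto, mode, tsrc, tdst, level))
    return policies


def lookup(policies, src, dst, upper, direction):
    """Return the first policy whose selectors match the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.direction == direction and s in p.src and d in p.dst
                and p.upper in ("any", upper)):
            return p
    return None


def decide(policy, sa_available):
    """Fate of a packet under the matched policy, following the setkey(8) levels."""
    if policy is None:
        return "clear"                       # no policy at all: IPsec is bypassed
    if sa_available:
        return f"{policy.sa_proto}/{policy.mode}"
    # No SA yet: 'use' sends the packet unprotected, 'require'/'unique' drop it.
    return "clear" if policy.level == "use" else "drop"


def trace_lan_ping(policies, sa_available):
    """The two headers the forwarded ICMP echo from the post is checked with.

    'inner' is the LAN-to-LAN packet (192.168.1.102 -> 192.168.10.1) as routed;
    'outer' is the gif0 IPIP packet (protocol 4) carrying it, whose header is
    gateway-to-gateway and lies outside both 192.168.x.0/24 selectors.
    """
    inner = lookup(policies, "192.168.1.102", "192.168.10.1", "icmp", "out")
    outer = lookup(policies, GW_LOCAL, GW_REMOTE, "ipip", "out")
    return {"inner": decide(inner, sa_available), "outer": decide(outer, sa_available)}


def fail_open_vs_closed(policies):
    """Same LAN packet with no SA present, with the 'out' policy at each level."""
    inner = lookup(policies, "192.168.1.102", "192.168.10.1", "icmp", "out")
    return {lvl: decide(replace(inner, level=lvl), False)
            for lvl in ("use", "require", "unique")}


if __name__ == "__main__":
    spd = parse_spd(SETKEY_CONF)
    print("no phase-2 SA:", trace_lan_ping(spd, sa_available=False))
    print("SA present:   ", trace_lan_ping(spd, sa_available=True))
    print("levels, no SA:", fail_open_vs_closed(spd))
```

The model deliberately ignores everything but selector matching and the level: it does not negotiate SAs or encapsulate packets. Its point is the check a practitioner wants before trusting a tunnel, namely whether the packets that actually leave the box match a policy, and whether that policy fails open (`use`) or closed (`require`) when the SA is missing.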

