[c-nsp] freeswan + pix possible routing problem

Horváth Szabolcs Szabolcs.Horvath at integris.hu
Tue Jun 7 08:35:13 EDT 2005


Hello,

We're trying to set up a freeswan<->pix vpn connection in our test lab.

000 "bb": 10.240.2.0/24===10.240.7.1---10.240.7.2...10.240.8.2===10.240.9.0/24; erouted; eroute owner: #2
000 "bb":   newest ISAKMP SA: #3; newest IPsec SA: #2;
000
000 #3: "bb" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 447s; newest ISAKMP
000 #2: "bb" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25904s; newest IPSEC; eroute owner
000 #2: "bb" used 30s ago; esp.b6d27588 at 10.240.8.2 esp.f99b3f6b at 10.240.7.1 tun.1002 at 10.240.8.2 tun.1001 at 10.240.7.1

The connection is alive; the above output is from FreeSwan (10.240.7.1).

The participants:

10.240.2.0/24: left subnet
10.240.7.1: FreeSwan
10.240.7.2 - 10.240.8.2: cisco 1601 series router
10.240.8.2: PIX 515
10.240.9.0/24: right subnet

When I try to ping from 10.240.2.5 to 10.240.9.5 through the VPN, the ping is
sent, but the echo reply isn't received.

On the pix I see (debug icmp trace):

1193: ICMP echo-request from inside:10.240.2.5 to 10.240.9.5 ID=29717 seq=2560 length=44
1194: ICMP echo-reply from outside:10.240.9.5 to 10.240.2.5 ID=29717 seq=2560 length=44

But the ethernet1 interface output counter (which means the PIX sends the
reply back to 10.240.2.5) doesn't grow.

I think the PIX doesn't know how to route back to 10.240.2.0/24. (But that is
impossible, because the VPN has been set up.)

If I sniff the traffic, I see the same thing: on the freeswan switchport
only the number of input packets is growing (echo-request); the output
packets don't change (the echo-reply couldn't be routed back). Why?

# show crypto isakmp sa

Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      10.240.7.1       10.240.8.2    QM_IDLE         0           0

# show crypto ipsec sa

[...output cut...]

interface: inside
    Crypto map tag: mymap, local addr. 10.240.8.2

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 10.240.7.1:0
       local crypto endpt.: 10.240.8.2, remote crypto endpt.: 10.240.7.1
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

   local  ident (addr/mask/prot/port): (10.240.9.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.240.2.0/255.255.255.0/0/0)
   current_peer: 10.240.7.1:500

PIX configuration:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nofw permit ip any any
mtu outside 1500
mtu inside 1500
ip address outside 10.240.9.1 255.255.255.0  # the pix-vpnusers subnet
ip address inside 10.240.8.2 255.255.255.0    # the pix-router subnet
nat (inside) 0 access-list nofw
access-group nofw in interface outside
access-group nofw in interface inside
route inside 10.240.7.0 255.255.255.0 10.240.8.1 1
crypto ipsec transform-set 3des-sha1 esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nofw
crypto map mymap 10 set peer 10.240.7.1
crypto map mymap 10 set transform-set 3des-sha1
crypto map mymap interface inside
isakmp enable inside
isakmp key ******** address 10.240.7.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000


If you have any idea, please tell me.

Thank you very much.

Szabolcs Horvath
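As an added example (not part of the thread or of the poster's setup), here is a small Python checker that reads the crypto-map ACL from the PIX configuration quoted above and compares it with the proxy identities listed in the "show crypto ipsec sa" output. The config and SA excerpts are constructed copies of the post's own lines; crypto_acl, sa_proxy_ids and check_crypto_policy are hypothetical helper names.

```python
import ipaddress, re

# Constructed excerpts of the PIX config and "show crypto ipsec sa" output quoted in the post.
PIX_CONFIG = """\
access-list nofw permit ip any any
crypto map mymap 10 match address nofw
crypto map mymap 10 set peer 10.240.7.1
"""
IPSEC_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   local  ident (addr/mask/prot/port): (10.240.9.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.240.2.0/255.255.255.0/0/0)
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume one PIX ACL address spec ('any' or 'A.B.C.D MASK') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)

def crypto_acl(config):
    """Return (acl_name, [(src_net, dst_net), ...]) for the ACL bound with 'match address'."""
    name = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M).group(1)
    aces = []
    for m in re.finditer(rf"^access-list {name} permit ip (.+)$", config, re.M):
        tokens = m.group(1).split()
        aces.append((_net(tokens), _net(tokens)))  # evaluated left to right: src, then dst
    return name, aces

def sa_proxy_ids(sa_output):
    """Return [(local_net, remote_net), ...] from the paired local/remote ident lines."""
    idents = re.findall(r"(local|remote)\s+ident .*?\(([\d.]+)/([\d.]+)/", sa_output)
    nets = [ipaddress.ip_network(f"{addr}/{mask}") for _, addr, mask in idents]
    return list(zip(nets[0::2], nets[1::2]))

def check_crypto_policy(config, sa_output):
    """Compare the crypto ACL with the proxy IDs actually negotiated; return a list of findings."""
    name, aces = crypto_acl(config)
    findings = []
    if (ANY, ANY) in aces:
        findings.append(f"crypto ACL {name} is 'permit ip any any': every packet on the crypto-map interface is interesting traffic")
    for local, remote in sa_proxy_ids(sa_output):
        if (local, remote) in aces:
            status = "matches an ACE exactly"
        elif any(local.subnet_of(s) and remote.subnet_of(d) for s, d in aces):
            status = "narrower than local ACE"
        else:
            status = "not covered by crypto ACL"
        findings.append(f"SA {local} <-> {remote}: {status}")
    return findings
```

Run against the post's data it reports the catch-all ACE, the 0.0.0.0/0 <-> 0.0.0.0/0 SA that matches it exactly, and the 10.240.9.0/24 <-> 10.240.2.0/24 SA that is narrower than anything in the local crypto ACL.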
