2 Replies Latest reply: Jan 16, 2008 4:05 AM by Vladi220
Vladi220 Level 1 (0 points)
Hello,

I have to use IPSec+racoon to connect to the LAN and to access the Internet. The configuration was provided to me and can't be significantly changed. Here is the file, that I use with setkey -f:

---------8<----------8<----------8<----------
spdflush;

spdadd 192.168.88.2/32 192.168.88.2/32 any -P in none;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P out none;

spdadd 192.168.88.0/28 192.168.88.0/28 any -P in ipsec
ah/transport//require;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P out ipsec
ah/transport//require;

spdadd 0.0.0.0/0 192.168.88.2/32 any -P in ipsec
esp/tunnel/192.168.88.3-192.168.88.2/require;
spdadd 192.168.88.2/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.88.2-192.168.88.3/require;
---------8<----------8<----------8<----------

If I set the esp/tunnel rules, I lose access to my local IP (192.168.88.2). The first two rules with "none" are there to avoid this behavior. But they don't work. The reason is that, to access my own local LAN IP, 127.0.0.1 is used as src, and not the same local LAN IP.

---------8<----------8<----------8<----------
$ sudo tcpdump -ni lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
22:39:28.767656 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 0, length 64
22:39:29.767813 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
---------8<----------8<----------8<----------

The problem looks like racoon can't negotiate keys with itself, or something like this. I tried to configure "in/out none" rules using 127.0.0.1, but without success.

Could somebody tell me what I should change in this configuration to get it working? It's really uncomfortable. Any other Unix which I tried with this configuration talks to the public LAN interface with the same public LAN IP and has no problem. I can report it as working for Solaris 10, Linux (2.6.xx) and FreeBSD (5.3 and 6.2).

I see two possible solutions: (1) make the system speak to its own IP with the same src IP; (2) develop "in/out none" rules to avoid encryption for local communication. What could really be done?

Any help is very appreciated!

rgds
Vladi

mini PPC, Mac OS X (10.4.11)
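As an added illustration (not code from the original post), a small SPD matcher that replays the policy file above against the loopback-sourced packet seen in the tcpdump, showing why the "none" entries never apply to it. It assumes first-match in file order, a simplification of the kernel's SPD lookup.

```python
import ipaddress
import re

# Constructed copy of the poster's setkey file, one statement per line.
SPD_TEXT = """
spdflush;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P in none;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P out none;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P in ipsec ah/transport//require;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P out ipsec ah/transport//require;
spdadd 0.0.0.0/0 192.168.88.2/32 any -P in ipsec esp/tunnel/192.168.88.3-192.168.88.2/require;
spdadd 192.168.88.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.88.2-192.168.88.3/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> <policy> [<proposal>]
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(none|discard|ipsec)(?:\s+(\S+))?"
)


def parse_spd(text):
    """Return (src_net, dst_net, direction, action, proposal) tuples in file order."""
    policies = []
    for stmt in text.replace("\n", " ").split(";"):
        m = SPDADD.search(stmt)
        if m:  # spdflush and blank statements are skipped
            src, dst, _upper, direction, action, proposal = m.groups()
            policies.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                             direction, action, proposal))
    return policies


def lookup(policies, src, dst, direction):
    """First policy whose selectors cover the packet (assumption: file order); None = no policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        if pol[2] == direction and s in pol[0] and d in pol[1]:
            return pol
    return None


def verdict(policies, src, dst, direction):
    """Human-readable outcome for one packet: bypass, none, discard, or the required IPsec."""
    pol = lookup(policies, src, dst, direction)
    if pol is None:
        return "bypass (no policy)"
    return pol[3] if pol[3] != "ipsec" else "ipsec " + pol[4]
```

The ping in the capture (127.0.0.1 > 192.168.88.2) never matches the 192.168.88.2/32 -> 192.168.88.2/32 "none" entries; inbound it falls under the 0.0.0.0/0 -> 192.168.88.2/32 ESP "require" policy, so the kernel expects ESP that no SA provides.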
  • 1. Re: IPSec: can't connect to own public IP
    BDAqua Level 10 (116,470 points)
    Hi Vladi, and Welcome to the Discussions!

    Not certain I can be of any help with this, but there are many here that can help I'm certain.

    Might see if this link steers you to a solution...

    http://docs.info.apple.com/article.html?artnum=107800
  • 2. Re: IPSec: can't connect to own public IP
    Vladi220 Level 1 (0 points)
    Thank you, BDAqua,

    The described problem is not really a name resolution problem. I hope to find a real solution (use the same src/dst IP for local communication). I think it could be a sysctl parameter, but I didn't find good documentation for it. A workaround for "in/out none" could be very interesting too.

    The other idea was that it's probably a routing issue. If the local IP is routed through the public LAN interface and not through the loopback, the LAN IP will probably be used as src.

    rgds
    Vladi