IPSec: can't connect to own public IP
Hello,
I have to use IPSec+racoon to connect to the LAN and to access the Internet. The configuration was provided to me and can't be significantly changed. Here is the file, that I use with setkey -f:
---------8<----------8<----------8<----------
spdflush;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P in none;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P out none;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P in ipsec
ah/transport//require;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P out ipsec
ah/transport//require;
spdadd 0.0.0.0/0 192.168.88.2/32 any -P in ipsec
esp/tunnel/192.168.88.3-192.168.88.2/require;
spdadd 192.168.88.2/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.88.2-192.168.88.3/require;
---------8<----------8<----------8<----------
If I set the esp/tunnel rules, I loose the accessibility of my local IP (192.168.88.2). The first two rules with "none" are done to avoid this behavior. But they are don't working. The reason is, to access own local LAN IP, the 127.0.0.1 as src will be used, and not the same local LAN IP.
---------8<----------8<----------8<----------
$ sudo tcpdump -ni lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
22:39:28.767656 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 0, length 64
22:39:29.767813 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
---------8<----------8<----------8<----------
The problem looks like, the racoon can't negotiate a keys with yourself, or something like this. I tryed to configure "in/out none" rules using 127.0.0.1, but without a success.
Could me somebody say, what schould I change in this configuration to get it working? It's really uncomfortable. Any other Unix which I tryed with this configuration talks to public LAN interface with the same public LAN IP and have no problem. I can report it as working for Solaris 10, Linux (2.6.xx) and FreeBSD (5.3 and 6.2).
I see two possible solutions: (1) turn the system to speak with own IP with the same src IP; (2) develop "in/out none" rules to avoid encryption for local communication. What coul be really done?
Any help is very appretiate!
rgds
Vladi
I have to use IPSec+racoon to connect to the LAN and to access the Internet. The configuration was provided to me and can't be significantly changed. Here is the file, that I use with setkey -f:
---------8<----------8<----------8<----------
spdflush;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P in none;
spdadd 192.168.88.2/32 192.168.88.2/32 any -P out none;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P in ipsec
ah/transport//require;
spdadd 192.168.88.0/28 192.168.88.0/28 any -P out ipsec
ah/transport//require;
spdadd 0.0.0.0/0 192.168.88.2/32 any -P in ipsec
esp/tunnel/192.168.88.3-192.168.88.2/require;
spdadd 192.168.88.2/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.88.2-192.168.88.3/require;
---------8<----------8<----------8<----------
If I set the esp/tunnel rules, I loose the accessibility of my local IP (192.168.88.2). The first two rules with "none" are done to avoid this behavior. But they are don't working. The reason is, to access own local LAN IP, the 127.0.0.1 as src will be used, and not the same local LAN IP.
---------8<----------8<----------8<----------
$ sudo tcpdump -ni lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
22:39:28.767656 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 0, length 64
22:39:29.767813 IP 127.0.0.1 > 192.168.88.2: ICMP echo request, id 421, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
---------8<----------8<----------8<----------
The problem looks like, the racoon can't negotiate a keys with yourself, or something like this. I tryed to configure "in/out none" rules using 127.0.0.1, but without a success.
Could me somebody say, what schould I change in this configuration to get it working? It's really uncomfortable. Any other Unix which I tryed with this configuration talks to public LAN interface with the same public LAN IP and have no problem. I can report it as working for Solaris 10, Linux (2.6.xx) and FreeBSD (5.3 and 6.2).
I see two possible solutions: (1) turn the system to speak with own IP with the same src IP; (2) develop "in/out none" rules to avoid encryption for local communication. What coul be really done?
Any help is very appretiate!
rgds
Vladi
mini PPC, Mac OS X (10.4.11)
