[nycbug-talk] openbsd ipsec issue

Peter Wright pete at nomadlogic.org
Tue Mar 9 02:25:38 EST 2010


hey all - so i've been banging my head on this one for a bit and figured someone on @nycbug has a similar setup running.

i have two networks i am trying to connect via an ipsec tunnel using openbsd 4.6.  i have a simple /etc/ipsec.conf up, and a pretty simple pf config as well.  when i have everything up and running, i tcpdump my enc0 interface and see that when i ping one endpoint's external interface, traffic is flowing via enc0.  yet when i try to ping an ip on an endpoint's internal network i get nothing on enc0 and no ping replies.  here's my setup:

---

NY ipsec.conf:
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

ike passive esp tunnel from $TNY_INT to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

NY pf.conf:
# macros
int_if = "bge0"
ext_if = "bge1"
icmp_types = "{ echorep, echoreq, timex, unreach }"
#  Define each site's int/ext addresses
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

# filter rules
#block in log on { enc0, $ext_if } all
#block out on { enc0, $ext_if } all

pass quick on lo0 all

pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state

## VPN ##
# Passing in encrypted traffic from security gateways
pass in on $ext_if proto esp from $TSJ_EXT to $TNY_EXT
pass out on $ext_if proto esp from $TNY_EXT to $TSJ_EXT

# Passing in isakmpd(8) traffic from the security gateways
pass in on $ext_if proto udp from $TSJ_EXT to $TNY_EXT port { 500, 4500 }
pass out on $ext_if proto udp from $TNY_EXT to $TSJ_EXT port { 500, 4500 }

# IP-in-IP traffic flowing b/w gateways via enc0
pass in on enc0 proto ipencap from $TSJ_EXT to $TNY_EXT keep state (if-bound)

# pass traffic on enc0
pass in on enc0 from $TSJ_INT to $TNY_INT keep state (if-bound)
pass out on enc0 from $TNY_INT to $TSJ_INT keep state (if-bound)


===========================

San Jose ipsec.conf:
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

ike active esp tunnel from $TSJ_INT to $TNY_INT \
        peer $TNY_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes


San Jose pf.conf:
# macros
int_if = "bge0"
ext_if = "bge1"
icmp_types = "{ echorep, echoreq, timex, unreach }"
#  Define each site's int/ext addresses
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"


# filter rules
#block in log on { enc0, $ext_if } all
#block out on { enc0, $ext_if } all

pass quick on lo0 all

pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state

### VPN ###
# Passing in encrypted traffic from security gateways
pass in on $ext_if proto esp from $TNY_EXT to $TSJ_EXT
pass out quick on $ext_if proto esp from $TSJ_EXT to $TNY_EXT

# Passing in isakmpd(8) traffic from the security gateways
pass in on $ext_if proto udp from $TNY_EXT to $TSJ_EXT port { 500, 4500 }
pass out on $ext_if proto udp from $TSJ_EXT to $TNY_EXT port { 500, 4500 }

# IP-in-IP traffic flowing b/w gateways via enc0
pass in on enc0 proto ipencap from $TNY_EXT to $TSJ_EXT keep state (if-bound)

# pass traffic on enc0
pass in on enc0 from $TNY_INT to $TSJ_INT keep state (if-bound)
pass out on enc0 from $TSJ_INT to $TNY_INT keep state (if-bound)


-----


i am able to bring the tunnel up, ipsecctl -s all verifies this on both end points, and running isakmpd -DALL=90 shows no errors on either end, and as i mentioned i'm seeing traffic traverse enc0 when i ping one end point's external IP from the other.  but when i try to ping san jose's internal network from nyc, for example, i see nothing on enc0.

i reckon i'm missing something super simple here, but any pointers or tips would be appreciated!

thx!
-pete
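One way to sanity-check a two-site setup like this before touching pf or isakmpd is to parse both ipsec.conf files and confirm (a) that every flow on one site has a mirror-image flow on the other with the opposite active/passive mode and (b) which flow, if any, a given source/destination pair would select. The script below is an added example written for this thread, not something from the original post; it embeds the two ipsec.conf files quoted above as constructed inline strings and implements its own small parser (the macro and `ike ... from ... to ... peer ...` syntax only). Its `peer`-defaults-to-`dst` rule for host-to-host flows is an assumption taken from how these particular rules are written. The selection check is the useful part when testing from a gateway rather than from a host behind it: a packet whose source is the gateway's own external address and whose destination is inside 10.2.0.0/16 does not fall inside the 10.1.0.0/16 to 10.2.0.0/16 flow, so it is not the flow that carries the inter-network traffic.

```python
"""Cross-check two OpenBSD ipsec.conf(5) site configs (added example, not from the post)."""
import ipaddress
import re

# Constructed copies of the two ipsec.conf files quoted in the thread.
NY_IPSEC_CONF = r'''
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

ike passive esp tunnel from $TNY_INT to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes
'''

SJ_IPSEC_CONF = r'''
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

ike active esp tunnel from $TSJ_INT to $TNY_INT \
        peer $TNY_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes
'''


def _expand(tok, macros):
    """Resolve a $MACRO reference against the macros seen so far."""
    return macros[tok[1:]] if tok.startswith("$") else tok


def parse_ipsec_conf(text):
    """Return (macros, flows) for the subset of ipsec.conf syntax used above.

    Each flow is a dict with mode (active/passive), src, dst (ip_network)
    and peer (ip_address). Backslash continuation lines are joined first.
    """
    text = re.sub(r"\\\n[ \t]*", " ", text)
    macros, flows = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        toks = line.split()
        if toks[0] != "ike":
            continue                             # only ike rules are modelled here
        mode = toks[1] if toks[1] in ("active", "passive") else "active"

        def val(key):
            return _expand(toks[toks.index(key) + 1], macros) if key in toks else None

        src, dst, peer = val("from"), val("to"), val("peer")
        flows.append({
            "mode": mode,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            # Assumption: with no explicit peer the flow dst is the peer
            # (the host-to-host rules in the post rely on this).
            "peer": ipaddress.ip_address(peer if peer else dst),
        })
    return macros, flows


def select_flow(flows, src_ip, dst_ip):
    """Return the first flow whose src/dst selectors cover the pair, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for f in flows:
        if src in f["src"] and dst in f["dst"]:
            return f
    return None


def mirror_mismatches(site_a, site_b):
    """List flows on site_a lacking a reversed, opposite-mode twin on site_b."""
    opposite = {"active": "passive", "passive": "active"}
    problems = []
    for fa in site_a:
        twins = [fb for fb in site_b if fb["src"] == fa["dst"] and fb["dst"] == fa["src"]]
        if not twins:
            problems.append(f"no reverse flow on peer for {fa['src']} -> {fa['dst']}")
        elif twins[0]["mode"] != opposite[fa["mode"]]:
            problems.append(f"{fa['src']} -> {fa['dst']}: both sides are {fa['mode']}")
    return problems


if __name__ == "__main__":
    _, ny = parse_ipsec_conf(NY_IPSEC_CONF)
    _, sj = parse_ipsec_conf(SJ_IPSEC_CONF)
    print("mirror problems:", mirror_mismatches(ny, sj) or "none")
    for pair in [("209.170.130.2", "209.170.120.4"),   # gateway to gateway
                 ("10.1.5.5", "10.2.7.7"),             # host behind NY to host behind SJ
                 ("209.170.130.2", "10.2.7.7")]:       # NY gateway's ext addr to SJ internal
        f = select_flow(ny, *pair)
        print(pair, "->", f"{f['src']} to {f['dst']}" if f else "NO FLOW")
```

Run it as-is and the third pair reports `NO FLOW`: the gateway-to-gateway flow and the network-to-network flow are selected purely on source and destination, so a test ping has to be sourced from an address inside the internal prefix to exercise the second flow.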