[nycbug-talk] openbsd ipsec issue

Okan Demirmen okan at demirmen.com
Tue Mar 9 07:18:47 EST 2010


On Mon 2010.03.08 at 23:25 -0800, Peter Wright wrote:
> hey all - so i've been banging my head on this one for a bit and figured someone on @nycbug has a similar setup running.
> 
> i have two networks i am trying to connect via a ipsec tunnel using openbsd 4.6.  i have a simple /etc/ipsec.conf up, and a pretty simple pf config as well.  when i have everything up and running, i tcpdump my enc0 interface and see that when i ping one endpoint's external interface traffic is flowing via enc0.  yet when i try to ping an ip on an end-point's internal network i get nothing on enc0 and no ping replies.  here's my setup:

[snip]

> NY ipsec.conf:
> TSJ_EXT = "209.170.120.4"
> TNY_EXT = "209.170.130.2"
> TSJ_INT = "10.2.0.0/16"
> TNY_INT = "10.1.0.0/16"
> 
> ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha2-256 enc aes
> 
> ike passive esp tunnel from $TNY_INT to $TSJ_INT \
>         peer $TSJ_EXT \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha2-256 enc aes

[snip]

> San Jose ipsec.conf:
> TSJ_EXT = "209.170.120.4"
> TNY_EXT = "209.170.130.2"
> TSJ_INT = "10.2.0.0/16"
> TNY_INT = "10.1.0.0/16"
> 
> ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha2-256 enc aes
> 
> ike active esp tunnel from $TSJ_INT to $TNY_INT \
>         peer $TNY_EXT \
>         main auth hmac-sha1 enc aes group modp1024 \
>         quick auth hmac-sha2-256 enc aes

[snip]

> i am able to bring the tunnel up, ipsecctl -s all verifies this on both end points, and running isakmpd -DALL=90 shows no errors on either end, and as i mentioned i'm seeing traffic traverse enc0 when i ping one end point's external IP from another.  but when i try to ping san jose's internal network from nyc for example i see nothing on enc0.

are you pinging the other side's internal network from the vpn endpoint
itself, or from *behind* it?  if the former, then you'd be missing a
flow (on both sides):

ike esp from egress to <other internal network> peer <peer>

cheers,
okan
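The two extra flows spelled out for both gateways, as an added example that is not part of the original thread (neither poster supplied it). It reuses only the addresses and transforms from the quoted configs; the `egress`/`peer` wording follows the reply above. When the ping originates on the gateway itself, its source address is the external IP (TNY_EXT or TSJ_EXT), and the only flow that covers an external-to-internal pair is the one added below; without it the packet matches no SPD entry and never reaches enc0.

```conf
# /etc/ipsec.conf on the NY gateway (passive side) -- added example, not the original poster's file
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

# original: gateway-to-gateway (external <-> external)
ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# original: LAN-to-LAN (internal <-> internal), for hosts *behind* each gateway
ike passive esp tunnel from $TNY_INT to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# added: traffic that originates on this gateway (source = its egress address)
# toward the remote LAN; $TNY_EXT is the egress address here
ike passive esp tunnel from $TNY_EXT to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# added: the mirror of the flow above, so the remote gateway's own replies
# and its gateway-originated pings toward our LAN are covered
ike passive esp tunnel from $TNY_INT to $TSJ_EXT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# ---- /etc/ipsec.conf on the San Jose gateway (active side) ----
# Same four flows with the endpoints swapped; every flow must exist on both
# sides or isakmpd will not negotiate a matching pair of SAs.
#
# ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
#         main auth hmac-sha1 enc aes group modp1024 \
#         quick auth hmac-sha2-256 enc aes
# ike active esp tunnel from $TSJ_INT to $TNY_INT \
#         peer $TNY_EXT \
#         main auth hmac-sha1 enc aes group modp1024 \
#         quick auth hmac-sha2-256 enc aes
# ike active esp tunnel from $TSJ_EXT to $TNY_INT \
#         peer $TNY_EXT \
#         main auth hmac-sha1 enc aes group modp1024 \
#         quick auth hmac-sha2-256 enc aes
# ike active esp tunnel from $TSJ_INT to $TNY_EXT \
#         peer $TNY_EXT \
#         main auth hmac-sha1 enc aes group modp1024 \
#         quick auth hmac-sha2-256 enc aes
```

Two checks worth running after editing: `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, and `ipsecctl -s flow` after the tunnel is up should list four flows per direction rather than two. A quicker way to confirm the diagnosis before adding flows is to source the ping from the gateway's internal address (`ping -I <internal-if-address> 10.2.0.1` on OpenBSD), which makes it match the existing internal-to-internal flow and appear on enc0.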
