[nycbug-talk] openbsd ipsec issue

Peter Wright pete at nomadlogic.org
Tue Mar 9 13:15:27 EST 2010


On Mar 9, 2010, at 4:18 AM, Okan Demirmen wrote:

> On Mon 2010.03.08 at 23:25 -0800, Peter Wright wrote:
>> hey all - so i've been banging my head on this one for a bit and figured someone on @nycbug has a similar setup running.
>> 
>> i have two networks i am trying to connect via an ipsec tunnel using openbsd 4.6.  i have a simple /etc/ipsec.conf up, and a pretty simple pf config as well.  when i have everything up and running, i tcpdump my enc0 interface and see that when i ping one endpoint's external interface traffic is flowing via enc0.  yet when i try to ping an ip on an end-point's internal network i get nothing on enc0 and no ping replies.  here's my setup:
> 
> [snip]
> 
>> NY ipsec.conf:
>> TSJ_EXT = "209.170.120.4"
>> TNY_EXT = "209.170.130.2"
>> TSJ_INT = "10.2.0.0/16"
>> TNY_INT = "10.1.0.0/16"
>> 
>> ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
>>        main auth hmac-sha1 enc aes group modp1024 \
>>        quick auth hmac-sha2-256 enc aes
>> 
>> ike passive esp tunnel from $TNY_INT to $TSJ_INT \
>>        peer $TSJ_EXT \
>>        main auth hmac-sha1 enc aes group modp1024 \
>>        quick auth hmac-sha2-256 enc aes
> 
> [snip]
> 
>> San Jose ipsec.conf:
>> TSJ_EXT = "209.170.120.4"
>> TNY_EXT = "209.170.130.2"
>> TSJ_INT = "10.2.0.0/16"
>> TNY_INT = "10.1.0.0/16"
>> 
>> ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
>>        main auth hmac-sha1 enc aes group modp1024 \
>>        quick auth hmac-sha2-256 enc aes
>> 
>> ike active esp tunnel from $TSJ_INT to $TNY_INT \
>>        peer $TNY_EXT \
>>        main auth hmac-sha1 enc aes group modp1024 \
>>        quick auth hmac-sha2-256 enc aes
> 
> [snip] 
> 
>> i am able to bring the tunnel up, ipsecctl -s all verifies this on both end points, and running isakmpd -DALL=90 shows no errors on either end, and as i mentioned i'm seeing traffic traverse enc0 when i ping one end point's external IP from another.  but when i try to ping san jose's internal network from nyc for example i see nothing on enc0.
> 
> are you pinging the other side's internal network from the vpn endpoint
> itself, or from *behind* it?  if the former, then you'd be missing a
> flow (on both sides):
> 
> ike esp from egress to <other internal network> peer <peer>
> 

thanks okan, that did the trick.  dunno why i missed that - but cheers!

-pete
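For readers hitting the same symptom, here is the NY side of the thread's ipsec.conf with the flows Okan's reply calls for written out in full. This is an added example, not the file from the original post: the first two `ike` blocks are Pete's, the last two are the gateway-to-remote-network flows (and their mirror) that the post was missing, and `egress` is assumed to resolve to the NY gateway's external address (the same host as $TNY_EXT).

```conf
# NY side (passive).  Variables as in the original post.
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

# gateway <-> gateway: this flow already worked (pinging the other
# gateway's external IP showed traffic on enc0)
ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# network <-> network: hosts *behind* NY to hosts *behind* SJ
ike passive esp tunnel from $TNY_INT to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# added: the NY gateway *itself* to SJ's internal network.  Without
# this flow a ping run on the gateway to 10.2.x.x matches no SA and
# leaves in the clear (or not at all), which is why enc0 stayed quiet.
# "egress" is the interface group holding the default-route interface;
# assumed here to be the $TNY_EXT address.
ike passive esp tunnel from egress to $TSJ_INT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes

# added: NY's internal network to the SJ gateway itself, the mirror of
# the flow SJ adds on its side, so a ping run on the SJ gateway into
# 10.1/16 is answered through the tunnel as well.
ike passive esp tunnel from $TNY_INT to $TSJ_EXT \
        peer $TSJ_EXT \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes
```

San Jose's file is the mirror image (`ike active`, the from/to pairs swapped, `peer $TNY_EXT`); after reloading both ends, `ipsecctl -s flow` should list the two extra flow pairs on each gateway, and a ping from the gateway into the far network should now show up in `tcpdump -n -i enc0`.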

