[nycbug-talk] openbsd ipsec issue
Okan Demirmen
okan at demirmen.com
Tue Mar 9 07:18:47 EST 2010
On Mon 2010.03.08 at 23:25 -0800, Peter Wright wrote:
> hey all - so i've been banging my head on this one for a bit and figured someone on @nycbug has a similar setup running.
>
> i have two networks i am trying to connect via an ipsec tunnel using openbsd 4.6. i have a simple /etc/ipsec.conf up, and a pretty simple pf config as well. when i have everything up and running, i tcpdump my enc0 interface and see that when i ping one endpoint's external interface, traffic is flowing via enc0. yet when i try to ping an ip on an end-point's internal network i get nothing on enc0 and no ping replies. here's my setup:
[snip]
> NY ipsec.conf:
> TSJ_EXT = "209.170.120.4"
> TNY_EXT = "209.170.130.2"
> TSJ_INT = "10.2.0.0/16"
> TNY_INT = "10.1.0.0/16"
>
> ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha2-256 enc aes
>
> ike passive esp tunnel from $TNY_INT to $TSJ_INT \
> peer $TSJ_EXT \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha2-256 enc aes
[snip]
> San Jose ipsec.conf:
> TSJ_EXT = "209.170.120.4"
> TNY_EXT = "209.170.130.2"
> TSJ_INT = "10.2.0.0/16"
> TNY_INT = "10.1.0.0/16"
>
> ike active esp tunnel from $TSJ_EXT to $TNY_EXT \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha2-256 enc aes
>
> ike active esp tunnel from $TSJ_INT to $TNY_INT \
> peer $TNY_EXT \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha2-256 enc aes
[snip]
> i am able to bring the tunnel up, ipsecctl -s all verifies this on both end points, and running isakmpd -DALL=90 shows no errors on either end, and as i mentioned i'm seeing traffic traverse enc0 when i ping one end point's external IP from the other. but when i try to ping san jose's internal network from nyc, for example, i see nothing on enc0.
are you pinging the other side's internal network from the vpn endpoint
itself, or from *behind* it? if the former, then you'd be missing a
flow (on both sides):
ike esp from egress to <other internal network> peer <peer>
cheers,
okan
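As an added illustration (not part of Okan's or Peter's mail), here is what the NY side's /etc/ipsec.conf looks like once the missing flow is added: the third rule covers packets sourced from the NY gateway itself (its egress interface group) and destined for the San Jose internal network, which the first two rules do not match. The same flow, with the roles swapped and "active" instead of "passive", is needed on the San Jose side. Address values are the ones from the original post.

```conf
# NY side: macros taken from the original post
TSJ_EXT = "209.170.120.4"
TNY_EXT = "209.170.130.2"
TSJ_INT = "10.2.0.0/16"
TNY_INT = "10.1.0.0/16"

# gateway <-> gateway: matches pings between the two external addresses
ike passive esp tunnel from $TNY_EXT to $TSJ_EXT \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha2-256 enc aes

# LAN <-> LAN: only matches packets whose source is a host *behind* NY
ike passive esp tunnel from $TNY_INT to $TSJ_INT \
    peer $TSJ_EXT \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha2-256 enc aes

# added flow: NY gateway itself (source = its egress interface address)
# to the San Jose internal network; without it, a ping from the gateway
# to 10.2.0.x matches no flow and never enters enc0
ike passive esp tunnel from egress to $TSJ_INT \
    peer $TSJ_EXT \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha2-256 enc aes
```

After reloading, `ipsecctl -s flow` should list the extra flow with the gateway's own address as its source, and a ping from the gateway to the remote LAN should now show up on enc0.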