Hi misc@,
I'm trying to understand why my IPSec tunnel not functioning as expected and
especially
why packets start flow as soon as I start to ping from the opposite side.
Hopefully someone can explain what is going on and why.
Following setup:
Network Home(1.1.1.0/25) connecting to the network office(2.2.2.0/21) via an
IPSec tunnel.
Gw at Home-side is an OpenBSD 4.9-stable. Gw at Office OpenBSD 5.0-current in
a CARP(failover) setup.
gw at home IP: 10.1.1.1
gw at office IP: 20.1.1.1(CARP iface. gw1: 20.1.1.2 gw2: 20.1.1.3)
CARP, eg. failover part, is working fine.
Following iked.conf I have.
Home gw:
local_gw="10.1.1.1"
remote_gw="20.1.1.1"
ikev2 "homeNET_to_officeNET" active esp \
from $local_gw to $remote_gw \
from 1.1.1.0/25 to 2.2.2.0/21 \
local $local_gw peer $remote_gw \
srcid $local_gw \
dstid $remote_gw
Office gw:
local_gw="20.1.1.1"
remote_gw="10.1.1.1"
ikev2 "officeNET_to_homeNET" passive esp \
from $local_gw to $remote_gw \
from 2.2.2.0/21 to 1.1.1.0/25 \
local $local_gw peer $remote_gw \
srcid $local_gw \
dstid $remote_gw
Tunnel gets established.
On office-gw I see
sa_state: VALID -> ESTABLISHED from 10.1.1.1:500 to 20.1.1.2:500 policy
'officeNET_to_homeNET'
Note, that the IP-address is actually not one on CARP iface, but rather from
physical iface.
ipsecctl -s all gives:
FLOWS:
flow esp in from 10.1.1.1 to 20.1.1.1 peer 10.1.1.1 srcid IPV4/20.1.1.1 dstid
IPV4/10.1.1.1 type use
flow esp out from 20.1.1.1 to 10.1.1.1 peer 10.1.1.1 srcid IPV4/20.1.1.1 dstid
IPV4/10.1.1.1 type require
flow esp in from 1.1.1.0/25 to 2.2.2.0/21 peer 10.1.1.1 srcid IPV4/20.1.1.1
dstid IPV4/10.1.1.1 type use
flow esp out from 2.2.2.0/21 to 1.1.1.0/25 peer 10.1.1.1 srcid IPV4/20.1.1.1
dstid IPV4/10.1.1.1 type require
SAD:
---> esp tunnel from 20.1.1.2 to 10.1.1.1 spi 0x2d2a6151 auth hmac-sha2-256
enc aes-256
esp tunnel from 10.1.1.1 to 20.1.1.2 spi 0x5152256e auth hmac-sha2-256 enc
aes-256
On home-gw I see
sa_state: VALID -> ESTABLISHED from 20.1.1.1:57185 to 10.1.1.1:500 policy
'policy1'
ipsecctl -s all gives:
FLOWS:
flow esp in from 2.2.2.0/21 to 1.1.1.0/25 peer 20.1.1.1 srcid IPV4/10.1.1.1
dstid IPV4/20.1.1.1 type use
flow esp out from 1.1.1.0/25 to 2.2.2.0/21 peer 20.1.1.1 srcid IPV4/10.1.1.1
dstid IPV4/20.1.1.1 type require
flow esp in from 20.1.1.1 to 10.1.1.1 peer 20.1.1.1 srcid IPV4/10.1.1.1 dstid
IPV4/20.1.1.1 type use
flow esp out from 10.1.1.1 to 20.1.1.1 peer 20.1.1.1 srcid IPV4/10.1.1.1 dstid
IPV4/20.1.1.1 type require
SAD:
esp tunnel from 20.1.1.1 to 10.1.1.1 spi 0x2d2a6151 auth hmac-sha2-256 enc
aes-256
esp tunnel from 10.1.1.1 to 20.1.1.1 spi 0x5152256e auth hmac-sha2-256 enc
aes-256
The problem is that I can not ping Office-net from Home-net then tunnel is
established.
I can see packets on enc0 going from Home-net to Office-net while I'm watching
on Home-gw, but nothing on enc0 on the Office-side.
This is the state for tunnel until I start a ping from some machine on
Office-side, then suddenly tunnel functioning correctly
and I can ping internal machines from both sides and connect(ssh) from both
sides.
Question is why this strange behavior? I tried to switch from passive to
active on the Office-gw with the same result.
Or does it have to do with the CARP? PF rules are as they are described in the
iked.conf manual.
Anyone have an idea what is going on?
Regards,
Maxim
