Hi @misc,
I am facing an issue between two boxes (box1 and box2) connected
through an IPsec tunnel.
They are both on the same subnet and both listen on port 22 (sshd running).
When the ipsec tunnel is down and encap routes are flushed on both
boxes (ipsecctl -F), performing a "telnet ip_of_box1 22" on box1 works
fine. Same on box2.
However, when the ipsec tunnel is up, performing the same telnet
command on box1 will just time out. Same timeout on box2. Reaching
box1 from box2 and vice versa is not a problem.
I am not sure I understand why I can't reach the local IP address
when the tunnel is up.
Any hint would be much appreciated.
Below is some config / output (both are running 5.5-current i386
GENERIC.MP, but I did reproduce the "problem" with exactly the same
config on 5.4-release GENERIC.MP i386 on both boxes) and the last two
commands showing the timeout when performing the telnet.
Cheers,
Josh
================
box1:~# cat /etc/hostname.em0
dhcp
box2:~# cat /etc/hostname.em0
dhcp
box1:~# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 08:00:27:db:76:6f
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::a00:27ff:fedb:766f%em0 prefixlen 64 scopeid 0x1
inet 192.168.150.16 netmask 0xffffff00 broadcast 192.168.150.255
box2:~# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 08:00:27:a3:85:3a
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::a00:27ff:fea3:853a%em0 prefixlen 64 scopeid 0x1
inet 192.168.150.13 netmask 0xffffff00 broadcast 192.168.150.255
box1:~# pfctl -d
pfctl: pf not enabled
box2:~# pfctl -d
pfctl: pf not enabled
box1:~# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.150.254 UGS 4 843047 - 8 em0
127/8 127.0.0.1 UGRS 0 0 33192 8 lo0
127.0.0.1 127.0.0.1 UH 1 33 33192 4 lo0
192.168.150/24 link#1 UC 3 0 - 4 em0
192.168.150.1 10:dd:b1:99:a0:d7 UHLc 1 42048 - 4 em0
192.168.150.13 08:00:27:a3:85:3a UHLc 0 14 - 4 em0
192.168.150.254 00:00:24:ce:84:bc UHLc 1 393 - 4 em0
224/4 127.0.0.1 URS 0 0 33192 8 lo0
box2:~# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.150.254 UGS 4 909362 - 8 em0
127/8 127.0.0.1 UGRS 0 0 33192 8 lo0
127.0.0.1 127.0.0.1 UH 1 115 33192 4 lo0
192.168.150/24 link#1 UC 3 0 - 4 em0
192.168.150.13 08:00:27:a3:85:3a UHLc 0 18 - 4 lo0
192.168.150.16 08:00:27:db:76:6f UHLc 0 22 - 4 em0
192.168.150.254 00:00:24:ce:84:bc UHLc 1 1005 - 4 em0
224/4 127.0.0.1 URS 0 0 33192 8 lo0
box1:~# cat /etc/iked.conf
ikev2 passive esp from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 psk "tesT"
box2:~# cat /etc/iked.conf
ikev2 active esp from 192.168.150.13 to 192.168.150.16 peer 192.168.150.16 psk "tesT"
box1:~# ipsecctl -sa
FLOWS:
No flows
SAD:
No entries
box2:~# ipsecctl -sa
FLOWS:
No flows
SAD:
No entries
box1:~# telnet 192.168.150.16 22
Trying 192.168.150.16...
Connected to 192.168.150.16.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.5
^C
Connection closed by foreign host.
box2:~# telnet 192.168.150.13 22
Trying 192.168.150.13...
Connected to 192.168.150.13.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.5
^C
Connection closed by foreign host.
box1:~# iked -6dv
ikev2 "policy1" passive esp inet from 192.168.150.16 to 192.168.150.13 local any peer 192.168.150.13 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657354
ikev2_recv: IKE_SA_INIT from initiator 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1' id 0, 520 bytes
ikev2_msg_send: IKE_SA_INIT from 192.168.150.16:500 to 192.168.150.13:500, 432 bytes
ikev2_recv: IKE_AUTH from initiator 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1' id 1, 272 bytes
ikev2_msg_send: IKE_AUTH from 192.168.150.16:500 to 192.168.150.13:500, 240 bytes
sa_state: VALID -> ESTABLISHED from 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1'
box2:~# iked -6dv
ikev2 "policy1" active esp inet from 192.168.150.13 to 192.168.150.16 local any peer 192.168.150.16 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657354
ikev2_msg_send: IKE_SA_INIT from 0.0.0.0:500 to 192.168.150.16:500, 520 bytes
ikev2_recv: IKE_SA_INIT from responder 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1' id 0, 432 bytes
ikev2_msg_send: IKE_AUTH from 192.168.150.13:500 to 192.168.150.16:500, 272 bytes
ikev2_recv: IKE_AUTH from responder 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1' id 1, 240 bytes
sa_state: VALID -> ESTABLISHED from 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1'
box1:~# ipsecctl -sa
FLOWS:
flow esp in from 192.168.150.13 to 192.168.150.16 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type use
flow esp out from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type require
SAD:
esp tunnel from 192.168.150.13 to 192.168.150.16 spi 0x3dc44a24 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.150.16 to 192.168.150.13 spi 0x3de19a41 auth hmac-sha2-256 enc aes-256
box2:~# ipsecctl -sa
FLOWS:
flow esp in from 192.168.150.16 to 192.168.150.13 peer 192.168.150.16 srcid FQDN/box2.my.domain dstid FQDN/box1.my.domain type use
flow esp out from 192.168.150.13 to 192.168.150.16 peer 192.168.150.16 srcid FQDN/box2.my.domain dstid FQDN/box1.my.domain type require
SAD:
esp tunnel from 192.168.150.13 to 192.168.150.16 spi 0x3dc44a24 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.150.16 to 192.168.150.13 spi 0x3de19a41 auth hmac-sha2-256 enc aes-256
box1:~# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.150.254 UGS 4 4 - 8 em0
127/8 127.0.0.1 UGRS 0 0 33192 8 lo0
127.0.0.1 127.0.0.1 UH 0 0 33192 4 lo0
192.168.150/24 link#1 UC 4 0 - 4 em0
192.168.150.1 10:dd:b1:99:a0:d7 UHLc 1 236 - 4 em0
192.168.150.13 08:00:27:a3:85:3a UHLc 1 15 - 4 em0
192.168.150.16 08:00:27:db:76:6f UHLc 0 4 - 4 lo0
192.168.150.254 00:00:24:ce:84:bc UHLc 1 4 - 4 em0
224/4 127.0.0.1 URS 0 0 33192 8 lo0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.150.13/32 0 192.168.150.16/32 0 0 192.168.150.13/esp/use/in
192.168.150.16/32 0 192.168.150.13/32 0 0 192.168.150.13/esp/require/out
box2:~# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.150.254 UGS 4 127 - 8 em0
127/8 127.0.0.1 UGRS 0 0 33192 8 lo0
127.0.0.1 127.0.0.1 UH 1 0 33192 4 lo0
192.168.150/24 link#1 UC 3 0 - 4 em0
192.168.150.13 08:00:27:a3:85:3a UHLc 0 5 - 4 lo0
192.168.150.16 08:00:27:db:76:6f UHLc 1 15 - 4 em0
192.168.150.254 00:00:24:ce:84:bc UHLc 1 13 - 4 em0
224/4 127.0.0.1 URS 0 0 33192 8 lo0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.150.16/32 0 192.168.150.13/32 0 0 192.168.150.16/esp/use/in
192.168.150.13/32 0 192.168.150.16/32 0 0 192.168.150.16/esp/require/out
box1:~# telnet 192.168.150.16 22
Trying 192.168.150.16...
telnet: connect to address 192.168.150.16: Connection timed out
box2:~# telnet 192.168.150.13 22
Trying 192.168.150.13...
telnet: connect to address 192.168.150.13: Connection timed out
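As an added diagnostic (not part of the post and not an OpenBSD tool), the script below parses the FLOWS section of `ipsecctl -sa` as quoted above and reports which flow type, if any, covers a given source/destination pair in a given direction; it assumes the one-line `flow <proto> <in|out> from ... to ... [peer ...] ... type ...` format shown in the post. Run against box1's flows it shows the peer traffic covered by the require/use flows, while 192.168.150.16 -> 192.168.150.16 matches none of the listed flows.

```python
import ipaddress
import re

# Constructed sample input: the FLOWS section of `ipsecctl -sa` on box1 as
# quoted in the post, with the mail-wrapped lines rejoined.
BOX1_FLOWS = """\
FLOWS:
flow esp in from 192.168.150.13 to 192.168.150.16 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type use
flow esp out from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type require
"""

# One ipsecctl flow line: proto, direction, src, dst, optional peer and the
# flow type (use/require/bypass/...); srcid/dstid are skipped.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?.*?\btype\s+(?P<type>\S+)"
)

def parse_flows(text):
    """Return one dict per 'flow ...' line; addresses become ip_network objects."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # FLOWS:/SAD: headers, 'No flows', SA lines
        f = m.groupdict()
        f["src"] = ipaddress.ip_network(f["src"], strict=False)  # bare host -> /32
        f["dst"] = ipaddress.ip_network(f["dst"], strict=False)
        flows.append(f)
    return flows

def flow_type(flows, src, dst, direction):
    """Type of the most specific flow covering src->dst in that direction,
    or 'none' when no listed flow matches (the packet takes the plain route)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [f for f in flows
            if f["dir"] == direction and src in f["src"] and dst in f["dst"]]
    if not hits:
        return "none"
    # Longest combined prefix wins, mirroring a most-specific-match lookup.
    best = max(hits, key=lambda f: f["src"].prefixlen + f["dst"].prefixlen)
    return best["type"]

if __name__ == "__main__":
    flows = parse_flows(BOX1_FLOWS)
    for src, dst, d in [("192.168.150.16", "192.168.150.13", "out"),
                        ("192.168.150.13", "192.168.150.16", "in"),
                        ("192.168.150.16", "192.168.150.16", "out")]:
        print(f"{src} -> {dst} ({d}): {flow_type(flows, src, dst, d)}")
```

Paste box2's FLOWS section in place of the sample to check the other side the same way.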