Hi @misc, I am facing an issue between two boxes (box1 and box2) connected through an IPsec tunnel. They are both on the same subnet and both listen on port 22 (sshd running).
When the ipsec tunnel is down and encap routes are flushed on both boxes (ipsecctl -F), performing a "telnet ip_of_box1 22" on box1 works fine. Same on box2. However, when the ipsec tunnel is up, performing the same telnet command on box1 will just time out. Same timeout on box2. Reaching box1 from box2 and vice versa is not a problem. I am not sure I understand why I can't reach the local IP address when the tunnel is up. Any hint would be much appreciated.

Below is some config / output (both are running 5.5-current i386 GENERIC.MP, but I did reproduce the "problem" with exactly the same config on 5.4-release GENERIC.MP i386 on both boxes), with the two last commands showing the timeout when performing the telnet.

Cheers,
Josh

================

box1:~# cat /etc/hostname.em0
dhcp

box2:~# cat /etc/hostname.em0
dhcp

box1:~# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:db:76:6f
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::a00:27ff:fedb:766f%em0 prefixlen 64 scopeid 0x1
        inet 192.168.150.16 netmask 0xffffff00 broadcast 192.168.150.255

box2:~# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:a3:85:3a
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::a00:27ff:fea3:853a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.150.13 netmask 0xffffff00 broadcast 192.168.150.255

box1:~# pfctl -d
pfctl: pf not enabled

box2:~# pfctl -d
pfctl: pf not enabled

box1:~# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.150.254    UGS        4   843047     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         1       33 33192     4 lo0
192.168.150/24     link#1             UC         3        0     -     4 em0
192.168.150.1      10:dd:b1:99:a0:d7  UHLc       1    42048     -     4 em0
192.168.150.13     08:00:27:a3:85:3a  UHLc       0       14     -     4 em0
192.168.150.254    00:00:24:ce:84:bc  UHLc       1      393     -     4 em0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

box2:~# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.150.254    UGS        4   909362     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         1      115 33192     4 lo0
192.168.150/24     link#1             UC         3        0     -     4 em0
192.168.150.13     08:00:27:a3:85:3a  UHLc       0       18     -     4 lo0
192.168.150.16     08:00:27:db:76:6f  UHLc       0       22     -     4 em0
192.168.150.254    00:00:24:ce:84:bc  UHLc       1     1005     -     4 em0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

box1:~# cat /etc/iked.conf
ikev2 passive esp from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 psk "tesT"

box2:~# cat /etc/iked.conf
ikev2 active esp from 192.168.150.13 to 192.168.150.16 peer 192.168.150.16 psk "tesT"

box1:~# ipsecctl -sa
FLOWS:
No flows

SAD:
No entries

box2:~# ipsecctl -sa
FLOWS:
No flows

SAD:
No entries

box1:~# telnet 192.168.150.16 22
Trying 192.168.150.16...
Connected to 192.168.150.16.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.5
^C
Connection closed by foreign host.

box2:~# telnet 192.168.150.13 22
Trying 192.168.150.13...
Connected to 192.168.150.13.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.5
^C
Connection closed by foreign host.

box1:~# iked -6dv
ikev2 "policy1" passive esp inet from 192.168.150.16 to 192.168.150.13 local any peer 192.168.150.13 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657354
ikev2_recv: IKE_SA_INIT from initiator 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1' id 0, 520 bytes
ikev2_msg_send: IKE_SA_INIT from 192.168.150.16:500 to 192.168.150.13:500, 432 bytes
ikev2_recv: IKE_AUTH from initiator 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1' id 1, 272 bytes
ikev2_msg_send: IKE_AUTH from 192.168.150.16:500 to 192.168.150.13:500, 240 bytes
sa_state: VALID -> ESTABLISHED from 192.168.150.13:500 to 192.168.150.16:500 policy 'policy1'

box2:~# iked -6dv
ikev2 "policy1" active esp inet from 192.168.150.13 to 192.168.150.16 local any peer 192.168.150.16 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657354
ikev2_msg_send: IKE_SA_INIT from 0.0.0.0:500 to 192.168.150.16:500, 520 bytes
ikev2_recv: IKE_SA_INIT from responder 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1' id 0, 432 bytes
ikev2_msg_send: IKE_AUTH from 192.168.150.13:500 to 192.168.150.16:500, 272 bytes
ikev2_recv: IKE_AUTH from responder 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1' id 1, 240 bytes
sa_state: VALID -> ESTABLISHED from 192.168.150.16:500 to 192.168.150.13:500 policy 'policy1'

box1:~# ipsecctl -sa
FLOWS:
flow esp in from 192.168.150.13 to 192.168.150.16 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type use
flow esp out from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type require

SAD:
esp tunnel from 192.168.150.13 to 192.168.150.16 spi 0x3dc44a24 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.150.16 to 192.168.150.13 spi 0x3de19a41 auth hmac-sha2-256 enc aes-256

box2:~# ipsecctl -sa
FLOWS:
flow esp in from 192.168.150.16 to 192.168.150.13 peer 192.168.150.16 srcid FQDN/box2.my.domain dstid FQDN/box1.my.domain type use
flow esp out from 192.168.150.13 to 192.168.150.16 peer 192.168.150.16 srcid FQDN/box2.my.domain dstid FQDN/box1.my.domain type require

SAD:
esp tunnel from 192.168.150.13 to 192.168.150.16 spi 0x3dc44a24 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.150.16 to 192.168.150.13 spi 0x3de19a41 auth hmac-sha2-256 enc aes-256

box1:~# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.150.254    UGS        4        4     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         0        0 33192     4 lo0
192.168.150/24     link#1             UC         4        0     -     4 em0
192.168.150.1      10:dd:b1:99:a0:d7  UHLc       1      236     -     4 em0
192.168.150.13     08:00:27:a3:85:3a  UHLc       1       15     -     4 em0
192.168.150.16     08:00:27:db:76:6f  UHLc       0        4     -     4 lo0
192.168.150.254    00:00:24:ce:84:bc  UHLc       1        4     -     4 em0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.150.13/32  0     192.168.150.16/32  0     0     192.168.150.13/esp/use/in
192.168.150.16/32  0     192.168.150.13/32  0     0     192.168.150.13/esp/require/out

box2:~# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.150.254    UGS        4      127     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33192     4 lo0
192.168.150/24     link#1             UC         3        0     -     4 em0
192.168.150.13     08:00:27:a3:85:3a  UHLc       0        5     -     4 lo0
192.168.150.16     08:00:27:db:76:6f  UHLc       1       15     -     4 em0
192.168.150.254    00:00:24:ce:84:bc  UHLc       1       13     -     4 em0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.150.16/32  0     192.168.150.13/32  0     0     192.168.150.16/esp/use/in
192.168.150.13/32  0     192.168.150.16/32  0     0     192.168.150.16/esp/require/out

box1:~# telnet 192.168.150.16 22
Trying 192.168.150.16...
telnet: connect to address 192.168.150.16: Connection timed out

box2:~# telnet 192.168.150.13 22
Trying 192.168.150.13...
telnet: connect to address 192.168.150.13: Connection timed out
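As an added diagnostic, not part of Josh's post or of OpenBSD's tooling: a small parser for the FLOWS section of "ipsecctl -sa" that reports which installed flow, if any, a given source/destination pair would select. Fed box1's flows from above, it shows that 192.168.150.16 -> 192.168.150.13 hits the "require" flow while the local 192.168.150.16 -> 192.168.150.16 pair matches no flow at all, which is the baseline to compare against when chasing the timeout. The flow text is copied from the post; the Flow record and helper names are my own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the FLOWS block exactly as box1 printed it in the post.
BOX1_FLOWS = """\
FLOWS:
flow esp in from 192.168.150.13 to 192.168.150.16 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type use
flow esp out from 192.168.150.16 to 192.168.150.13 peer 192.168.150.13 srcid FQDN/box1.my.domain dstid FQDN/box2.my.domain type require
"""

class Flow(NamedTuple):
    direction: str                 # "in" or "out"
    src: ipaddress.IPv4Network     # a bare host address becomes a /32
    dst: ipaddress.IPv4Network
    peer: str
    kind: str                      # flow type: use, require, ...

FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+).* type (?P<kind>\S+)$")

def parse_flows(text: str) -> List[Flow]:
    """Turn the 'flow esp ...' lines of ipsecctl -sa into Flow records."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["dir"],
                              ipaddress.ip_network(m["src"], strict=False),
                              ipaddress.ip_network(m["dst"], strict=False),
                              m["peer"], m["kind"]))
    return flows

def match_flow(flows: List[Flow], direction: str, src: str, dst: str) -> Optional[Flow]:
    """First flow of the given direction whose selectors cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f.direction == direction and s in f.src and d in f.dst:
            return f
    return None

def explain_outbound(flows: List[Flow], src: str, dst: str) -> str:
    """Human-readable verdict for an outbound packet from src to dst."""
    f = match_flow(flows, "out", src, dst)
    if f is None:
        return f"{src} -> {dst}: no outbound flow, would be sent in the clear"
    return f"{src} -> {dst}: outbound flow type {f.kind} via peer {f.peer}"
```

Run explain_outbound(parse_flows(BOX1_FLOWS), "192.168.150.16", "192.168.150.16") to see the verdict for the local pair that times out in the post.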