Hey man, I'm not sure about what is happening, but pflog is your best friend ever!
http://www.openbsd.org/faq/pf/logging.html

Try to find out if a specific rule is blocking traffic in one of the endpoints (both?).

Cheers,

2014-12-11 14:13 GMT-02:00 Zé Loff <[email protected]>:
> TL,DR:
> Queries to DNS server over IPSec made using host or dig work OK,
> requests made by e.g. ping exit the enc0 interface but don't show up on
> enc0 on the other end.
>
>
> Hi all
>
> I'm puzzled by some weird stuff happening with DNS queries over IPSec. I
> have a fully working tunnel over a roaming laptop and our network. The
> laptop gets its IP and DNS resolvers via DHCP and sets up a route to
> 192.168.16.0/22 over IPSec with NAT:
>
> ike dynamic esp from 192.168.19.3 (egress) to 192.168.16.0/22 \
>     peer vpn.foo.bar \
>     srcid laptop.foo.bar dstid vpn.foo.bar
>
> All works fine, I can ping, SSH, http, etc. machines on 192.168.16.0/22,
> as long as I use their IP addresses. However, if I change the laptop's
> resolv.conf to use our DNS server (nameserver 192.168.16.2) weird things
> happen.
>
> If I use host or dig to query our server, I can see the DNS requests and
> answers pass correctly on the enc0 interfaces of both endpoints.
> However, if I try to do something like "ping -c 1 www_lan.foo.bar" (or
> e.g. ssh) I can see the packets with the DNS request pass through enc0
> on the tunnel (and on the physical interface too) but no traffic
> shows up on enc0 on the other endpoint (I do believe they show up on the
> physical interface on that end, but my tcpdump foo isn't good enough to
> be sure).
>
> Again, all other traffic works fine, routing tables look ok, AFAICT pf
> isn't blocking anything, the laptop is running Dec 9 -current (amd64)
> and the other endpoint is running 5.4-release w/ mtier binpatches (i386)
> (planning to upgrade within a couple of days), and most importantly,
> both host and dig have their queries properly answered.
>
> Does anyone have any idea of what is going on? Apologies in advance if
> important information is missing, and/or this is a known problem and an
> upgrade to 5.6 is enough (I briefly STFA and didn't find it, though).
>
> Cheers
> Zé
>
> --
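The reply's suggestion is to let pflog tell you which rule, on which endpoint and interface, is dropping the DNS traffic. The following is an added example, not code from either poster: a small Python script that parses lines in the style of `tcpdump -n -e -i pflog0` output on OpenBSD and counts block decisions towards the resolver by (rule number, interface, direction). The sample log lines embedded in the script are constructed for illustration; the rule numbers, ports and timestamps are invented, and the line format is assumed to follow the `rule N/(match) block in on IFACE: src.port > dst.port: proto` layout that pflog decoding produces.

```python
"""Summarise pf block decisions from pflog output (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n -e -i pflog0` on OpenBSD.
# Not a real capture: rule numbers, ports and timestamps are invented.
SAMPLE_PFLOG = """\
14:13:01.104522 rule 2/(match) pass out on enc0: 192.168.19.3.49152 > 192.168.16.2.53: udp 41
14:13:01.105001 rule 7/(match) block in on enc0: 192.168.19.3.49152 > 192.168.16.2.53: udp 41
14:13:02.220340 rule 7/(match) block in on enc0: 192.168.19.3.49153 > 192.168.16.2.53: udp 41
14:13:03.000113 rule 2/(match) pass in on enc0: 192.168.19.3.51000 > 192.168.16.2.53: udp 38
14:13:05.331200 rule 2/(match) pass in on enc0: 192.168.19.3 > 192.168.17.10: icmp: echo request
"""

# One pflog line: timestamp, rule/reason, action, direction, interface,
# then "src[.port] > dst[.port]: rest".  ICMP lines carry no ports.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>[a-z]+\d*): "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_pflog(text):
    """Return a list of dicts, one per parsable pflog line (unparsable lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue  # e.g. IPv6 or fragment lines this toy regex does not cover
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        entries.append(e)
    return entries


def blocked_to(entries, dst, dport=None):
    """Count block decisions towards dst (optionally restricted to dport),
    keyed by (rule number, interface, direction) so the offending rule is obvious."""
    hits = Counter()
    for e in entries:
        if e["action"] != "block" or e["dst"] != dst:
            continue
        if dport is not None and e["dport"] != dport:
            continue
        hits[(e["rule"], e["iface"], e["dir"])] += 1
    return dict(hits)


def report(text, dst, dport=None):
    """Human-readable summary; returns the lines it prints so callers can inspect them."""
    lines = []
    for (rule, iface, direction), n in sorted(blocked_to(parse_pflog(text), dst, dport).items()):
        lines.append(f"rule {rule} blocked {n} packet(s) {direction} on {iface} to {dst}"
                     + (f" port {dport}" if dport is not None else ""))
    if not lines:
        lines.append(f"no block decisions logged towards {dst}")
    print("\n".join(lines))
    return lines


if __name__ == "__main__":
    # Resolver address from the original post; the pflog lines above are constructed.
    report(SAMPLE_PFLOG, "192.168.16.2", 53)
```

Run it on each endpoint against real output, e.g. `tcpdump -n -e -i pflog0 host 192.168.16.2 and port 53 | python3 pflog_summary.py` after adapting the script to read stdin; rules must carry the `log` keyword for their decisions to reach pflog0, so a silent drop by an unlogged rule shows up as nothing at all, which is why the reply suggests checking both endpoints.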

