On Mon, Jun 29, 2015 at 07:04:41PM +0200, Mark Patruck wrote:
> Btw I forgot to mention... of course the PEER is running
> OpenBSD -current too (two days old amd64)
>
> Meanwhile I switched to isakmpd (for testing and to make
> sure iked isn't the (only) problem) but it also doesn't work.
>
>
> On Mon, Jun 29, 2015 at 03:45:48PM +0200, Mark Patruck wrote:
> > Hi,
> >
> > I'm sitting here for hours with a weird DNS lookup issue.
> >
> > I have two remote machines (3 days old amd64 current)
> > which are connected via ipsec to PEER. Except that iked
> > throws the following message every few minutes
> >
> > "iked[123]: pfkey_sa_last_used"
> >
> > everything works fine.
> >
> > PEER enc0 -> REMOTE0 enc0
> > PEER enc1 -> REMOTE1 enc0
> >
> >
> > On machine REMOTE0
> >
> > $ cat /etc/resolv.conf
> > lookup file bind
> > nameserver 192.168.15.105
> >
> > - 1) ping to 192.168.15.105 -> OK
> > - 2) dig openbsd.org -> OK (correct answer from 192.168.15.105)
> > - 3) ping openbsd.org -> FAIL
> > - 4) ping 129.128.5.194 -> OK
> >
> > For 3), there's no request to the resolver (unbound) seen on
> > PEER's enc0 interface, nor blocks.
> >
> > Big issue of course is that no daemon on REMOTE0 is able to do
> > a correct lookup.
> >
> > UPDATE:
> > Every now and then a "ping openbsd.org" is working... once started
> > it runs and runs... but after Ctrl+C, I tried to "ping openbsd.org"
> > 20 times in a row... doesn't work and nothing is seen on the PEER's enc0.
> >
> > Thanks in advance for any ideas.
> >
> >
> > --
> > Mark Patruck ( mark at wrapped.cx )
> > GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
> >
> > http://www.wrapped.cx
> >
>
> --
> Mark Patruck ( mark at wrapped.cx )
> GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51
>
> http://www.wrapped.cx
>
FWIW I've been having the same problem for quite a while
http://marc.info/?t=141831454500003&r=1&w=2
first on IKEv1 and now also on IKEv2, as I moved from isakmpd to iked.
Never managed to figure out why it happens, or how to fix it.

Since my goal was to get the names of internal machines from our DNS
server, I ended up putting them on the peers' /etc/hosts.

Cheers
Zé
--

