Short update. After testing multiple scenarios (iked, isakmpd),
normal ruleset, smallest ruleset... it turns out that if I
remove "(if-bound)" from every "pass on enc0" rule on the REMOTE
machines, everything works.

On Tue, Jun 30, 2015 at 08:26:26AM +0200, Mark Patruck wrote:
> Thanks, I've already seen that thread.
> 
> I've found out that if I 'skip on enc0' on the REMOTE machines,
> everything works fine. And though I currently use a very simple
> ruleset (no normalization, no default blocks, pass all on enc0...),
> it only works with 'skip on enc0'.
> 
> > On Mon, Jun 29, 2015 at 10:42:52PM +0100, Zé Loff wrote:
> > On Mon, Jun 29, 2015 at 07:04:41PM +0200, Mark Patruck wrote:
> > > Btw, I forgot to mention... of course the PEER is running
> > > OpenBSD -current too (two days old, amd64).
> > > 
> > > Meanwhile I switched to isakmpd (for testing and to make
> > > sure iked isn't the (only) problem), but it also doesn't work.
> > > 
> > > 
> > > On Mon, Jun 29, 2015 at 03:45:48PM +0200, Mark Patruck wrote:
> > > > Hi,
> > > > 
> > > > I've been sitting here for hours with a weird DNS lookup issue.
> > > > 
> > > > I have two remote machines (3 days old amd64 -current)
> > > > which are connected via IPsec to PEER. Except that iked
> > > > throws the following message every few minutes
> > > > 
> > > > "iked[123]: pfkey_sa_last_used"
> > > > 
> > > > everything works fine.
> > > > 
> > > > PEER enc0    -> REMOTE0 enc0
> > > > PEER enc1    -> REMOTE1 enc0
> > > > 
> > > > 
> > > > On machine REMOTE0
> > > > 
> > > > $ cat /etc/resolv.conf
> > > > lookup file bind
> > > > nameserver 192.168.15.105
> > > > 
> > > > - 1) ping to 192.168.15.105 -> OK
> > > > - 2) dig openbsd.org -> OK (correct answer from 192.168.15.105)
> > > > - 3) ping openbsd.org -> FAIL
> > > > - 4) ping 129.128.5.194 -> OK
> > > > 
> > > > For 3), there's no request to the resolver (unbound) seen on
> > > > PEER's enc0 interface, nor any blocks.
> > > > 
> > > > The big issue of course is that no daemon on REMOTE0 is able to do
> > > > a correct lookup.
> > > > 
> > > > UPDATE:
> > > > Every now and then a "ping openbsd.org" is working... once started
> > > > it runs and runs... but after Ctrl+C, I tried "ping openbsd.org"
> > > > 20 times in a row... it doesn't work and nothing is seen on PEER's enc0.
> > > > 
> > > > Thanks in advance for any ideas.
> > > > 
> > > > 
> > > > -- 
> > > > Mark Patruck ( mark at wrapped.cx )
> > > > GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51
> > > > 
> > > > http://www.wrapped.cx
> > > > 
> > > 
> > 
> > FWIW I've been having the same problem for quite a while
> > 
> >   http://marc.info/?t=141831454500003&r=1&w=2
> > 
> > first on IKEv1 and now also on IKEv2, as I moved from isakmpd to iked.
> > 
> > Never managed to figure out why it happens, or how to fix it. Since my
> > goal was to get the names of internal machines from our DNS server, I
> > ended up putting them on the peers' /etc/hosts.
> > 
> > Cheers
> > Zé
> > 
> 

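To make concrete what the two working changes from this thread look like in a ruleset, here is an added example of a minimal REMOTE-side pf.conf. It is not the poster's actual ruleset; the peer address, the local network and the network behind PEER are assumed placeholders (RFC 5737/1918 space), and only the resolver address 192.168.15.105 comes from the thread. It shows the "(if-bound)" form reported as failing, the same rules with default floating states reported as working, and the "set skip on enc0" alternative reported as working earlier in the thread.

```pf
# Added example, not the ruleset from this thread. Assumed placeholders:
peer   = "203.0.113.1"      # assumed PEER public address
local  = "192.168.16.0/24"  # assumed LAN behind REMOTE0
remote = "192.168.15.0/24"  # assumed network behind PEER (holds the resolver 192.168.15.105)

# Alternative reported to work in the thread: bypass pf on enc0 entirely.
# Uncomment this and the enc0 rules below become irrelevant.
#set skip on enc0

# IKE (500/udp), NAT-T (4500/udp) and ESP between the two gateways.
pass in  on egress proto udp from $peer to (egress) port { isakmp, ipsec-nat-t }
pass out on egress proto udp from (egress) to $peer port { isakmp, ipsec-nat-t }
pass in  on egress proto esp from $peer to (egress)
pass out on egress proto esp from (egress) to $peer

# Form reported NOT to work in this thread: states on enc0 bound to the
# interface they were created on.
#pass in  on enc0 proto ipencap from $peer to (egress) keep state (if-bound)
#pass out on enc0 from $local to $remote keep state (if-bound)
#pass in  on enc0 from $remote to $local keep state (if-bound)

# Form reported to work: identical rules with pf's default floating states.
pass in  on enc0 proto ipencap from $peer to (egress)
pass out on enc0 from $local to $remote
pass in  on enc0 from $remote to $local
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. To see which kind of state a rule is producing, `pfctl -ss` lists the current states; the first column is the interface an if-bound state is tied to, while floating states show `all` there. Comparing that output while a `ping openbsd.org` from the REMOTE side succeeds and while it fails is the quickest way to confirm whether the state binding is what differs between the two forms.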