I have a few questions that I really need to clarify fro myself and I would very much appreciate some input.
Reason is that I am having problem to keep the session up for a long time and just doing /etc/rc.d/iked stop and the start on the client side will bring the session back up, even if I see what suppose to be proper flow with ipsecctl -s all And For testing as I was trying to see what happen, I setup a gateway between my home router and a data center gateway, both OpenBSD, home on 5.8 and gateway and data center for now on 5.7. Then I started to watch Netflix on it to see and about every 50 minutes to 60, or so, the connection went down for may be 50 seconds to 2 minutes every time, I suppose to do the re-key things I guess, but shouldn't the flow continue as it does this, or is it not possible? I guess the man page said it should redo this every 3 hours by default or 500Mb of data transfer. Will it always cut off the traffic when it redo this? Anyway around this may be? Also, doing ipsecctl reload or reset for testing will hang the client side and you can't kill it. 100% CPU utilization and you can only do kill -9 processid multiple times to kill it. /etc/rc.d/iked stop will not do it ever. Also, if no traffic for a while, over night for testing, then somehow you see to reset the iked client to get it going again and in the ipsecctl -s all you see more then the normal flow there, may be 6 or 8 at times and still no traffic. So, some questions come to mind and it may be stupid, or not, but I do wonder and try to find the answers for them. 1. Why does it need to be two connections(setup in iked.conf), one between gateways and then networks when one does the same thing and works? >From the mane page: # Set up a VPN: # First between the gateway machines 192.168.3.1 and 192.168.3.2 # Second between the networks 10.1.1.0/24 and 10.1.2.0/24 ikev2 esp from 192.168.3.1 to 192.168.3.2 ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 But this works as well and do not duplicate the SAD. May be that's what create some kind of routing issue may be. I do not know but continue testing this to find out. ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 as long as oyu have the reverse on the other side as this: ikev2 esp from 10.1.2.0/24 to 10.1.1.0/24 peer 192.168.3.1 you would see for example two of the same: SAD: esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x2ce28601 auth hmac-sha2-256 enc aes-256 esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x6d67d248 auth hmac-sha2-256 enc aes-256 esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xd5760dc0 auth hmac-sha2-256 enc aes-256 esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xf5b3b824 auth hmac-sha2-256 enc aes-256 Why two??? 2. If you have the connection establish between the gateway only, oppose to the network to peer as in question 1. and you configure a routing protocol being eigrpd or ospfd and you that tpo announce client network to gateway assuming you control both side as to not inject bad routers, it is not safe or correct to say that the traffic woudl be also encrypted when it flows through enc0 and it doesn't need to have the network statement in the iked.conf? Or is that a very bad idea and if so why? Wouldn't it achieve the same things? Is it safe s well. I just find it easier and faster to manage routing protocol oppose to iked.cong flows. But is there a reason not to do so, or a bad idea as well? After all the man page said: "IPsec traffic appears unencrypted on the enc(4) interface and can be filtered accordingly using the OpenBSD packet filter, pf(4). The grammar for the packet filter is described in pf.conf(5)." "enc0 Default interface for outgoing traffic before it's been encapsulated, and incoming traffic after it's been decapsulated. State on this interface should be interface bound; see enc(4) for further information." 3. Not a big deal, but even if the man page said the active is the default mode, why do I need to actually specifically say in iked.conf: ikev2 active esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 to get it going as this will not do so: ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 even if I have also this in the iked.conf file set active Or am I really miss understanding the man page in regards to the set active part? 4. Do I need to setup some kind of keep alive or something to make sure the flow between the boxes is always up. Or what could I look at to find out what may be happening for the traffic to stop flowing properly. Every time, nothing needs to be done other then /etc/rc.d/iked stop and then start to get it going again after it wasn't used for a while. Thanks Daniel
