Hi,

I'm trying to run OSPFD over IPsec with OpenBSD 6.0 stable, so I first
started by looking at http://undeadly.org/cgi?action=article&sid=20131105075303
Now that etherip has its own interface in 6.0, I tried to replace gif with
etherip like this:

On one host:
------------

-=>> cat /etc/hostname.bridge0
add etherip0 add vether0
up

-=>> cat /etc/hostname.vether0
inet 10.60.10.2 255.255.255.0 NONE up

-=>> cat /etc/hostname.etherip0
tunnel 1.2.3.4 4.3.2.1
up

-=>> doas cat /etc/ipsec.conf
ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"


-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes


On the other host:
------------------

-=>> cat /etc/hostname.bridge0
add etherip0 add vether0
up
-=>> cat /etc/hostname.vether0
inet 10.60.10.1 255.255.255.0 NONE up

-=>> cat /etc/hostname.etherip0
tunnel 4.3.2.1 1.2.3.4 up

-=>> doas cat /etc/ipsec.conf
ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"


-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes


I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it
set to 0, as the etherip man page says to, because I use IPsec.

As you can see, the IPsec VPN is well established, but my problem is that I
can't ping 10.60.10.1 from 10.60.10.2 or 10.60.10.2 from 10.60.10.1.

On each vether interface, tcpdump -nettti shows me that nothing is going out of them.

Any idea?

 
Thanks,

Morgan

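A consistency check for a setup like the one in the post above, added here as an example; it is not code from the original message or from OpenBSD. It re-joins mail-wrapped `ipsecctl -sa` output, parses `hostname.etherip0`, `ipsec.conf` and the installed flows and SAs, and verifies that the tunnel endpoints, the IKE rule, the flows and the SAs agree on each host and mirror each other across the two hosts. The sample inputs are the post's own configuration pasted in; the function names and the check list are the example's own choices. It only tells you whether the IPsec side is self-consistent; it does not diagnose the ping failure the post reports.

```python
"""Consistency check for an OpenBSD etherip-over-IPsec tunnel (added example)."""
import re


def parse_tunnel(hostname_etherip):
    """Return (local, remote) from the 'tunnel <src> <dst>' line of hostname.etherip0."""
    for line in hostname_etherip.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "tunnel":
            return parts[1], parts[2]
    raise ValueError("no 'tunnel <src> <dst>' line found")


def parse_ike_policy(ipsec_conf):
    """Return (mode, proto, src, dst) from an 'ike active|passive esp proto X from A to B' rule."""
    text = " ".join(ipsec_conf.split())  # undo mail-client line wrapping
    m = re.search(r"ike\s+(active|passive)\s+esp\s+proto\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)", text)
    if not m:
        raise ValueError("no ike rule found")
    return m.groups()


def parse_ipsecctl(output):
    """Return ({'in': [...], 'out': [...]}, [(src, dst, spi), ...]) from `ipsecctl -sa` output."""
    text = " ".join(output.split())
    flows = {"in": [], "out": []}
    flow_re = (r"flow esp (in|out) proto (\S+) from (\S+) to (\S+) peer (\S+) "
               r"srcid (\S+) dstid (\S+) type (\S+)")
    for direction, proto, src, dst, peer, _srcid, _dstid, ftype in re.findall(flow_re, text):
        flows[direction].append({"proto": proto, "src": src, "dst": dst, "peer": peer, "type": ftype})
    sas = re.findall(r"esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)", text)
    return flows, [tuple(sa) for sa in sas]


def check_host(hostname_etherip, ipsec_conf, ipsecctl_out):
    """Return a list of problems on one host; an empty list means everything agrees."""
    problems = []
    local, remote = parse_tunnel(hostname_etherip)
    _mode, proto, src, dst = parse_ike_policy(ipsec_conf)
    if proto != "etherip":
        problems.append(f"ike rule protects proto {proto}, not etherip")
    if (src, dst) != (local, remote):
        problems.append(f"ike rule {src}->{dst} does not match tunnel {local}->{remote}")
    flows, sas = parse_ipsecctl(ipsecctl_out)
    # Outbound etherip must be forced through ESP ('require'); inbound must have a matching flow.
    if not any(f["proto"] == "etherip" and (f["src"], f["dst"]) == (local, remote)
               and f["type"] == "require" for f in flows["out"]):
        problems.append(f"no 'require' outbound etherip flow {local}->{remote}")
    if not any(f["proto"] == "etherip" and (f["src"], f["dst"]) == (remote, local)
               for f in flows["in"]):
        problems.append(f"no inbound etherip flow {remote}->{local}")
    if not any((s, d) == (local, remote) for s, d, _ in sas):
        problems.append(f"no outbound SA {local}->{remote}")
    if not any((s, d) == (remote, local) for s, d, _ in sas):
        problems.append(f"no inbound SA {remote}->{local}")
    return problems


def check_pair(host_a, host_b):
    """Cross-check two hosts: tunnel endpoints are mirrored and both show the same SAs/SPIs."""
    problems = []
    ta, tb = parse_tunnel(host_a["etherip"]), parse_tunnel(host_b["etherip"])
    if ta != (tb[1], tb[0]):
        problems.append(f"tunnel endpoints are not mirrored: {ta} vs {tb}")
    _, sa_a = parse_ipsecctl(host_a["ipsecctl"])
    _, sa_b = parse_ipsecctl(host_b["ipsecctl"])
    if set(sa_a) != set(sa_b):
        problems.append("the two hosts do not show the same SAs/SPIs")
    return problems


# Sample inputs copied from the post above (the output is deliberately left mail-wrapped).
HOST_A = {
    "etherip": "tunnel 1.2.3.4 4.3.2.1\nup\n",
    "ipsec": 'ike active esp proto etherip from 1.2.3.4 to\n4.3.2.1 psk "mypassword"\n',
    "ipsecctl": """FLOWS:
flow esp in proto
etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32
type use
flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid
1.2.3.4/32 dstid 4.3.2.1/32 type require

SAD:
esp tunnel from 4.3.2.1 to
1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to
4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
""",
}
HOST_B = {
    "etherip": "tunnel 4.3.2.1 1.2.3.4 up\n",
    "ipsec": 'ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk\n"mypassword"\n',
    "ipsecctl": """FLOWS:
flow esp in proto etherip from
1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid
4.3.2.1/32 dstid 1.2.3.4/32 type require

SAD:
esp tunnel from 4.3.2.1 to
1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to
4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
""",
}

if __name__ == "__main__":
    for name, host in (("host A", HOST_A), ("host B", HOST_B)):
        print(name, check_host(host["etherip"], host["ipsec"], host["ipsecctl"]) or "ok")
    print("pair", check_pair(HOST_A, HOST_B) or "ok")
```

Run it on a real box by pasting in the current `ipsecctl -sa` output; a swapped `tunnel` line (a common slip when copying the config between the two hosts) shows up as an IKE-rule mismatch plus missing flows in both directions.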