On 14 November 2016 14:50, "Remi Locherer" <[email protected]> wrote:

> On 2016-11-14 12:48, Comète wrote:
>
>> Hi,
>>
>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>> started looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>>
>> Now that etherip has its own interface in 6.0, I tried to replace gif
>> with etherip like this:
>>
>> On one host:
>> ------------
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0 add vether0
>> up
>>
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.2 255.255.255.0 NONE up
>>
>> -=>> cat /etc/hostname.etherip0
>> tunnel 1.2.3.4 4.3.2.1
>> up
>>
>> -=>> doas cat /etc/ipsec.conf
>> ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"
>>
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
>> flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require
>>
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> On the other host:
>> ------------------
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0 add vether0
>> up
>>
>> -=>> cat /etc/hostname.vether0
>> inet 10.60.10.1 255.255.255.0 NONE up
>>
>> -=>> cat /etc/hostname.etherip0
>> tunnel 4.3.2.1 1.2.3.4
>> up
>>
>> -=>> doas cat /etc/ipsec.conf
>> ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"
>>
>> -=>> doas ipsecctl -sa
>> FLOWS:
>> flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
>> flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require
>>
>> SAD:
>> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
>> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
>>
>> I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it
>> set to 0, as said in the "etherip" man page, because I use IPSEC.
>>
>> As you can see the ipsec VPN is well established, but my problem is that
>> I can't ping 10.60.10.1 from 10.60.10.2 and 10.60.10.2 from 10.60.10.1.
>> On each vether interface, tcpdump -nettti shows me that nothing is going
>> out of them.
>>
>> Any idea?
>
> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>
> But why do you want to have Ethernet frames tunneled? If you use gif interfaces
> and make ospfd be active on them you save a few bits. That way you can make
> the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc can give you
> an idea how big your MTU can be (needs an account but is free).
>
> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
> point-to-point interface when you configure the netmask as 255.255.255.255.

I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:

-=>> cat /etc/hostname.bridge0
add etherip0 add vether0
up
link2

but it wasn't enough... I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said in the 'etherip' man page: "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless ipsec(4) is being used to protect the traffic."

This is what I don't understand, is there any particular case in this configuration or maybe something changed in 6.0?

thanks
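The thread turns on whether the etherip traffic between the two tunnel endpoints is actually covered by the IPsec flows and SAs that `ipsecctl -sa` reports. The script below is an added example, not code from the thread or from OpenBSD: it parses the FLOWS and SAD sections in the exact text form posted above (the sample is the output and the `/etc/hostname.etherip0` of the 1.2.3.4 host, embedded as constructed strings), checks that the endpoints named on the `tunnel` line have an inbound and an outbound ESP flow for `proto etherip` plus an SA in each direction, and reports each flow's type. The function and field names are hypothetical, and the parser assumes `ipsecctl -sa` prints one flow or SA per line as shown. It also flags an inbound flow of `type use`, the type the posted ike rule produces, since that flow does not by itself require inbound packets to be ESP-protected; with such a flow the `net.inet.etherip.allow` sysctl quoted from the man page is what decides whether cleartext etherip is accepted.

```python
"""Audit `ipsecctl -sa` output against an etherip(4) tunnel's endpoints.

Added example (hypothetical helper names), not part of the mailing-list
thread.  Parses the FLOWS and SAD sections, then checks that the local and
remote addresses from /etc/hostname.etherip0 are covered by ESP flows for
proto etherip in both directions and by an SA in each direction.
"""
import re
from dataclasses import dataclass

# Constructed sample: `ipsecctl -sa` as posted for the 1.2.3.4 host.
SAMPLE_IPSECCTL = """\
FLOWS:
flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes
"""

# Constructed sample: /etc/hostname.etherip0 on the same host.
SAMPLE_HOSTNAME_ETHERIP0 = "tunnel 1.2.3.4 4.3.2.1\nup\n"

FLOW_RE = re.compile(
    r"^flow (?P<proto>\w+) (?P<dir>in|out) proto (?P<ulp>\w+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) .*?type (?P<type>\w+)$"
)
SA_RE = re.compile(
    r"^(?P<proto>\w+) tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out"
    ulp: str         # upper-layer protocol selector, e.g. "etherip"
    src: str
    dst: str
    flow_type: str   # "use" or "require" as printed by ipsecctl


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int


def parse_ipsecctl(text):
    """Return (flows, sas) for the ESP entries in `ipsecctl -sa` output."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FLOW_RE.match(line):
            if m["proto"] == "esp":
                flows.append(Flow(m["dir"], m["ulp"], m["src"], m["dst"], m["type"]))
        elif m := SA_RE.match(line):
            if m["proto"] == "esp":
                sas.append(SA(m["src"], m["dst"], int(m["spi"], 16)))
    return flows, sas


def tunnel_endpoints(hostname_if):
    """Extract (local, remote) from the `tunnel <local> <remote>` line."""
    for line in hostname_if.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "tunnel":
            return parts[1], parts[2]
    raise ValueError("no 'tunnel <local> <remote>' line in hostname.if")


def check_etherip_tunnel(ipsecctl_text, hostname_if):
    """Report whether the tunnel's etherip traffic is covered in both directions."""
    local, remote = tunnel_endpoints(hostname_if)
    flows, sas = parse_ipsecctl(ipsecctl_text)
    inbound = [f for f in flows if f.direction == "in" and f.ulp == "etherip"
               and (f.src, f.dst) == (remote, local)]
    outbound = [f for f in flows if f.direction == "out" and f.ulp == "etherip"
                and (f.src, f.dst) == (local, remote)]
    return {
        "flow_in": bool(inbound),
        "flow_out": bool(outbound),
        "sa_in": any(s.src == remote and s.dst == local for s in sas),
        "sa_out": any(s.src == local and s.dst == remote for s in sas),
        "inbound_type": inbound[0].flow_type if inbound else None,
        "outbound_type": outbound[0].flow_type if outbound else None,
        # A "use" inbound flow does not itself reject unprotected packets;
        # net.inet.etherip.allow is then the gate for cleartext etherip.
        "cleartext_inbound_possible": bool(inbound) and inbound[0].flow_type != "require",
    }


if __name__ == "__main__":
    for key, value in check_etherip_tunnel(SAMPLE_IPSECCTL, SAMPLE_HOSTNAME_ETHERIP0).items():
        print(f"{key}: {value}")
```

On a live host the two samples would be replaced by the output of `doas ipsecctl -sa` and the contents of `/etc/hostname.etherip0`; a swapped `tunnel` line (local and remote reversed) shows up immediately as missing flows, which is a quicker check than waiting for pings across the bridge.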

