Hello, 

I don't know if I should post this to misc@ or bugs@...
If this is the wrong list, tell me and I'll file a proper bug report.

I need to add a default route in rdomain 1 to be able to use the tunnels
created by isakmpd.
That is a bit weird; routes should be injected by isakmpd.

Here is my test setup:
            +------------------------------------------------+
            | em1 (rd1):192.168.0.1      em1(rd1)192.168.0.2 |
+------------------------+                       +------------------------+
|          rtr1          |                       |          rtr2          |
| lo1 (rd1): 127.0.0.1   |                       | lo1 (rd1): 127.0.0.1   |
|     alias: 192.168.1.1 |                       |     alias: 192.168.2.1 |
+------------------------+                       +------------------------+
On rtr1 and rtr2:
created enc1 rdomain 1 up
launched route -T 1 exec isakmpd -K

tunnel conf rtr1:
ike esp from 192.168.1.0/24 to 192.168.2.0/24 local 192.168.0.2 peer 192.168.0.2 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

tunnel conf rtr2:
ike esp from 192.168.2.0/24 to 192.168.1.0/24 local 192.168.0.2 peer 192.168.0.1 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

routing table rtr1:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1        0     -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0       37     -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1       16     -     3 em1
192.168.0.255      192.168.0.1        UHb        0        0     -     1 em1
192.168.1.1        192.168.1.1        UHl        0        7 32768     1 lo1

routing table rtr2:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.2        UCn        0        0     -     4 em1
192.168.0.2        00:50:56:b4:77:82  UHLl       0      245     -     1 em1
192.168.0.255      192.168.0.2        UHb        0        0     -     1 em1
192.168.2.1        192.168.2.1        UHl        0       52 32768     1 lo1

flows rtr1:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type require

flows rtr2:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type require

On rtr1:
ping -V 1 -I 192.168.1.1 192.168.2.1
won't work until I do on both routers:
route -T1 add default 127.0.0.1

My guess is that the problem is quite the same as with inter-domain routing
with PF: destination lookup is done BEFORE processing by PF or IPsec
(explained here for PF:
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/).
So when there is no default route, it fails. If this guess is right, the
problem should also happen on rdomain 0.

Could you fix the code to make it work without the default route?
Or, as I suspect, is this too difficult and I'll go with my workaround?

--
Cordialement,
Pierre Bardou
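
The check below is an added example written for this page; it is not code from the poster or from OpenBSD. It takes the rdomain-1 routing table and the ipsecctl -sf flow list quoted in the mail (copied in as constructed strings), parses them, and runs a longest-prefix lookup for the remote network of each outbound flow and for the IKE peer. That models the hypothesis stated in the mail (the destination lookup happens before IPsec sees the packet): with the table as posted there is no route covering 192.168.2.0/24 in rdomain 1, and the lookup comes back empty; with the workaround default route added, the same lookup hits 0.0.0.0/0. The parsing of route(8) and ipsecctl(8) output follows only the formats shown in the mail, and the lookup is an approximation of the kernel's, not a reading of its code.

```python
import ipaddress
import re

# Constructed sample input: the rdomain-1 routing table of rtr1 as quoted
# in the mail. This is pasted text, not live output from route(8).
RTABLE_RTR1 = """\
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1        0     -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0       37     -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1       16     -     3 em1
192.168.0.255      192.168.0.1        UHb        0        0     -     1 em1
192.168.1.1        192.168.1.1        UHl        0        7 32768     1 lo1
"""

# Same table after the poster's workaround (route -T1 add default 127.0.0.1).
# The flags/metrics of this line are assumed, only the destination matters here.
RTABLE_RTR1_WORKAROUND = RTABLE_RTR1 + \
    "default            127.0.0.1          UGS        0        0 32768     8 lo1\n"

# Constructed sample input: the flows of rtr1 from "route -T1 exec ipsecctl -sf".
FLOWS_RTR1 = """\
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type require
"""

FLOW_RE = re.compile(r"flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_destination(dest):
    """Turn a route(8) destination ("default", "192.168.0/24", "127.0.0.1")
    into an ip_network. route(8) prints networks with trailing zero octets
    dropped, so "192.168.0/24" has to be padded back to "192.168.0.0/24"."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.ip_network(dest + "/32")


def parse_routes(text):
    """Return [(network, gateway, iface)] from the "Internet:" table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue  # skip the section header, column header and blank lines
        routes.append((parse_destination(parts[0]), parts[1], parts[-1]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the same rule the kernel's route lookup applies.
    Returns (network, gateway, iface) or None when nothing covers addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def parse_flows(text):
    """Return [(direction, src_net, dst_net, peer)] from ipsecctl -sf output."""
    return [m.groups() for m in map(FLOW_RE.match, text.splitlines()) if m]


def check_flows(rtable_text, flows_text):
    """For every outbound flow, report which route (as a prefix string) would
    carry a packet to the remote network and which one reaches the IKE peer.
    A None entry is a destination the rdomain cannot route at all, which is
    exactly the case the mail describes before the default route is added."""
    routes = parse_routes(rtable_text)
    report = {}
    for direction, src, dst, peer in parse_flows(flows_text):
        if direction != "out":
            continue
        probe = next(ipaddress.ip_network(dst).hosts())  # first host, e.g. 192.168.2.1
        dst_hit = lookup(routes, str(probe))
        peer_hit = lookup(routes, peer)
        report[dst] = (None if dst_hit is None else str(dst_hit[0]),
                       None if peer_hit is None else str(peer_hit[0]))
    return report


if __name__ == "__main__":
    print("as posted:     ", check_flows(RTABLE_RTR1, FLOWS_RTR1))
    print("with default:  ", check_flows(RTABLE_RTR1_WORKAROUND, FLOWS_RTR1))
```

Run against the table as posted the report is {'192.168.2.0/24': (None, '192.168.0.2/32')}: the peer is reachable through its host route, but nothing covers the remote network, so a packet for 192.168.2.1 has no route before any flow can claim it. With the workaround line the first element becomes '0.0.0.0/0'. The same parser can be fed the output of route -T <n> -n show and ipsecctl -sf from any rdomain to spot a tunnel whose remote network is unrouted in that domain.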
