Dear all;

I’m trying to set up IPSec between two hosts; for now I’m not worrying about 
any networks these hosts might be gatewaying.  The OpenBSD 6.2 host at a.a.a.a 
runs on an old SGI machine and has /etc/ipsec.conf:

  ike esp tunnel from a.a.a.a to b.b.b.b local a.a.a.a peer b.b.b.b psk 

The other end is a Linux host running racoon.  The tunnel is established, and 
when pinging from b.b.b.b to a.a.a.a, I can see the packets with tcpdump:

  $ tcpdump -nlp -i fxp0 -s 1500 | grep b.b.b.b  
  tcpdump: listening on fxp0, link-type EN10MB
  00:21:58.808868 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 280 len 132 (DF) [tos 0x28]

I can also decrypt the packets.  However, nothing shows up on enc0 ("tcpdump 
-nlp -i enc0 -s 1500" is silent) and consequently, there is no reply to the 
echo request. pf is involved, but it has

  set skip on enc0
  pass in  on fxp0 proto udp from b.b.b.b to a.a.a.a port {500, 4500}
  pass out on fxp0 proto udp from a.a.a.a to b.b.b.b port {500, 4500}

  pass in  on fxp0 proto esp from b.b.b.b to a.a.a.a
  pass out on fxp0 proto esp from a.a.a.a to b.b.b.b

  pass in  on enc0 proto ipencap from b.b.b.b to a.a.a.a keep state (if-bound)
  pass out on enc0 proto ipencap from a.a.a.a to b.b.b.b keep state (if-bound)

I don’t know where to look next.  Hints?

// Best wishes; Johan
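As an added troubleshooting aid (example code, not part of Johan's post or of OpenBSD): the first things to compare when ESP arrives but nothing appears on enc0 are the installed flows (SPD) and SAs (SAD) from `ipsecctl -s all` against the SPI seen in tcpdump. The sample output below is constructed to resemble ipsecctl's format and reuses the post's placeholder addresses; the exact field layout is an assumption.

```python
import re

# Constructed sample modelled on `ipsecctl -s all` output (format assumed);
# the inbound SPI is the one from the post's tcpdump line.
SAMPLE = """\
FLOWS:
flow esp in from b.b.b.b to a.a.a.a peer b.b.b.b srcid a.a.a.a/32 dstid b.b.b.b/32 type use
flow esp out from a.a.a.a to b.b.b.b peer b.b.b.b srcid a.a.a.a/32 dstid b.b.b.b/32 type require

SAD:
esp tunnel from b.b.b.b to a.a.a.a spi 0x01256dc7 auth hmac-sha2-256 enc aes-256
esp tunnel from a.a.a.a to b.b.b.b spi 0x0a9f1c22 auth hmac-sha2-256 enc aes-256
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")


def parse_ipsecctl(text):
    """Split ipsecctl output into flow (SPD) entries and SA (SAD) entries."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append({"dir": m.group(1), "src": m.group(2),
                          "dst": m.group(3), "peer": m.group(4)})
            continue
        m = SA_RE.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2),
                        "spi": m.group(3).lower()})
    return flows, sas


def check_tunnel(text, local, peer, seen_spi):
    """Return findings that would explain decrypted packets never reaching enc0."""
    flows, sas = parse_ipsecctl(text)
    findings = []
    # Inbound flow: without an SPD match, the kernel drops the decapsulated packet.
    if not any(f["dir"] == "in" and f["src"] == peer and f["dst"] == local for f in flows):
        findings.append("no inbound flow %s -> %s: decrypted packets have no SPD match" % (peer, local))
    # Outbound flow: without it, the echo reply is sent in the clear or not at all.
    if not any(f["dir"] == "out" and f["src"] == local and f["dst"] == peer for f in flows):
        findings.append("no outbound flow %s -> %s: replies will not be protected" % (local, peer))
    # The SPI on the wire must belong to an installed inbound SA, or ESP is dropped before enc0.
    if not any(s["src"] == peer and s["dst"] == local and s["spi"] == seen_spi.lower() for s in sas):
        findings.append("SPI %s seen on the wire is not an installed inbound SA" % seen_spi)
    return findings
```

Run it against the real `ipsecctl -s all` output and the SPI from tcpdump; an empty result means the SPD/SAD side looks consistent and the next place to look is elsewhere (pf state, routing).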
