Hello,
I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs
(OpenIKED).
Both gws are fully syspatched, have public IPs and the same iked/pf
configuration.
Unfortunately, the network traffic over the VPN tunnel stalls a few times a day.
On one side I use a script that monitors the VPN tunnel with ping; it restarts
iked and emails me if there are no ping replies over the VPN tunnel.
Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
On 6.3/i386 I have the same problem, but it occurs more frequently.
Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
Do I have any bugs or deficiencies in my configs, or have I missed something?
Is there any way to make it work without interruptions?
I would be very grateful if you could help me with this case.
$cat /etc/hostname.enc0
up
$cat /etc/hostname.vr3
inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
group trust
$cat /etc/iked.conf
# Local side ("RAC17"): this gateway's LAN-facing address and its LAN
local_gw_RAC17 = "10.0.17.254" # lan_RAC
local_lan_RAC17 = "10.0.17.0/24"
# Remote side ("MON"): the peer gateway's public address and its LAN
remote_gw_MON = "1.2.3.5" # fw_MON
remote_lan_MON = "172.16.1.0/24"
# One policy with two flows: gateway-to-gateway (this box's LAN address to the
# peer's public address) and LAN-to-LAN, both negotiated with the same peer.
# NOTE(review): the post says both gateways run the same configuration; with
# "active" on both sides each of them initiates - confirm that is intended
# (see iked.conf(5)).
# NOTE(review): the PSK value below is presumably a placeholder for the post;
# in production use a long random secret or certificates.
ikev2 quick active esp \
from $local_gw_RAC17 to $remote_gw_MON \
from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
childsa enc chacha20-poly1305 \
psk "psk"
$cat /etc/pf.conf
# RAC-fwTEST
# Interfaces and address macros
ext_if = "vr0"
lan_rac_if = "vr3" # vr3 - LAN17 (see /etc/hostname.vr3)
lan_rac_local = $lan_rac_if:network # 10.0.17.0/24
backup_if = "vr2" # vr2 - left port
backup_local = $backup_if:network # 10.0.117/24
# Remote hosts and networks (public addresses presumably sanitized for the post)
bud = "1.2.3.0/25"
rdk_wy = "1.2.3.4"
rdk_mon = "1.2.3.5"
panac_krz = "1.2.3.6"
panac_rac = "1.2.3.7"
# Options
set fingerprints "/dev/null"
# No filtering on enc0 at all: decapsulated tunnel traffic is not filtered on
# enc0 itself, only on the interface it is forwarded out of (see the
# "received-on enc0" rule further down).
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic
antispoof quick for {lo0, $lan_rac_if, $backup_if }
# NAT both LANs behind the egress interface
match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if
set prio (3, 7)
# Default deny; later non-quick pass rules override it (last match wins)
block all
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass out on egress keep state
# NOTE(review): 10.0.201.0/24 is not defined as a macro above - confirm it is
# still needed.
pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3,
7) keep state
# SSH on a non-default port from trusted sources only, with connection limits
ssh_port = "1071"
table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac,
10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table <bruteforce> persist counters
# NOTE(review): this block is not "quick" and sits before the quick ssh pass
# rule below, so a trusted source that is overloaded into <bruteforce> is
# still passed by that rule. Use "block quick from <bruteforce>" (or move the
# block after the pass rule) for the overload to take effect.
block from <bruteforce>
pass in log quick inet proto tcp from <ssh_trust> to $ext_if port $ssh_port
flags S/SA \
set prio (7, 7) keep state \
(max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush
global)
# ICMP echo/unreachable in and out on every interface; the ping-based tunnel
# monitor (iked_monitor.sh) depends on echoreq being allowed.
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
set prio (7, 7) keep state
# IKE (UDP 500/4500) and ESP to/from the known VPN peers, matched first (quick)
table <vpn_peers> const { $rdk_mon, $panac_rac, $panac_krz }
pass out quick on egress proto esp from (egress:0) to <vpn_peers>
set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500,
4500} set prio (6, 7) keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0)
set prio (6, 7) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500,
4500} set prio (6, 7) keep state
# Decapsulated tunnel traffic leaving towards the LAN side ("trust" is the
# interface group set in /etc/hostname.vr3)
pass out quick on trust received-on enc0 set prio (6, 7) keep state
# NOTE(review): the two rules below accept IKE and AH/ESP from any source, so
# the <vpn_peers> restriction above does not limit who can reach iked. Drop
# them, or restrict them to <vpn_peers>, if only the listed peers are meant
# to negotiate with this gateway.
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
$cat iked_monitor.sh
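#!/bin/sh
#
# iked_monitor.sh - ping-based watchdog for the RACTEST<->MON IPsec tunnel.
#
# Every $interval seconds the remote gateway's LAN address is pinged through
# the tunnel, sourced from this gateway's LAN address.  When no reply comes
# back, the peer's public address and an Internet reference host are pinged
# as well; only if both of those still answer (our own uplink is fine, so the
# tunnel itself is the problem) is a mail sent and iked restarted.
#
# Runs forever; start it in the background.  Needs ping(8), mail(1), logger(1)
# and rcctl(8).  Restarting iked tears down and renegotiates all SAs, so the
# tunnel is briefly down after every restart.

vpn_src=10.0.17.254            # this gateway's LAN address, source of the tunnel probe
vpn_dst=172.16.1.254           # remote gateway's LAN address, reachable only via the tunnel
peer_wan=the_other_side_WAN_IP # placeholder as posted: fill in the peer's public address
ref_host=8.8.8.8               # reference host used to tell "tunnel down" from "uplink down"
mail_to='[email protected]'      # recipient of the restart notification (as posted)
interval=32                    # seconds between probes

# received ARGS... - run ping(8) with ARGS and print the number of replies
# received, i.e. the 4th field of the "N packets transmitted, M packets
# received, ..." summary line.  Prints 0 when ping printed no summary line at
# all (for example when the -I source address cannot be bound), so the caller
# can always compare the result numerically.  The original script fed an
# empty string to "[ -eq ]" in that case.
received() {
  _rx=$(ping "$@" | grep packets | awk '{print $4}')
  printf '%s\n' "${_rx:-0}"
}

# check_once - probe the tunnel once; restart iked when it looks dead while
# the peer's public address and the reference host are still reachable.
# Returns 0 in every case so the main loop keeps running.
check_once() {
  vpn=$(received -c 3 -w 1 -I "$vpn_src" "$vpn_dst")
  if [ "$vpn" -gt 0 ]; then
    return 0
  fi

  mon=$(received -c 3 -w 1 "$peer_wan")
  wan=$(received -c 3 -w 1 "$ref_host")
  if [ "$mon" -eq 0 ] || [ "$wan" -eq 0 ]; then
    # Peer or Internet unreachable: an uplink problem, not a tunnel problem.
    return 0
  fi

  # Keep a local record of every restart too, in case the mail does not go out.
  logger -t iked_monitor "vpn: $vpn, mon: $mon, wan: $wan - restarting iked"
  printf 'vpn: %s, mon: %s, wan: %s\n' "$vpn" "$mon" "$wan" |
    mail -s "no ping through VPN RACTEST-MON! restartng iked!" "$mail_to"
  rcctl restart iked
  return 0
}

# main - probe forever, sleeping $interval seconds between probes.
main() {
  while true; do
    check_once
    sleep "$interval"
  done
}

main "$@"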
--
Radek