Hello,

Has anyone come across an issue where OpenBSD - Fortinet VPN works, but there
seems to be a limit on the flows that can be installed (4 pairs max)? So if
you have a 5th subnet in your IPsec configuration (/etc/ipsec.conf), the
flows displayed in ipsecctl -sa show 4 pairs of flows, but when you start
pinging the 5th subnet, one of the other flows in IPsec is removed and the
5th subnet gets installed. Is there a limit on the number of IPsec flows
that can be in the policy?

After a while the flows would not be added any more, and isakmpd would not
be running. There might be only 3 pairs of flows (with 2 pairs of configured
subnets not shown in the ipsecctl -sa flow list).

No noticeable errors / notices in /var/log/daemon or /var/log/messages.
There was an error from isakmpd at startup, but this seemed benign and not
to affect the functionality of the tunnel (as far as I could tell).

The workaround was to summarise the subnets listed in the ipsec.conf policy
to just 4 subnets, and the issue seemed to be resolved.

Both tunnel endpoints were devices with a pure public IP with no filtering /
NAT in between.

Any feedback, corrections or advice welcome (configuration and dmesg output
below).

Thanks
Tom Smyth
OpenBSD 6.6-beta (GENERIC.MP) #313: Tue Sep 10 23:30:52 MDT 2019
temp# ipsecctl -sa
FLOWS:
flow esp in from SUBNET1 to Local-Subnet/24 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type use
flow esp in from SUBNET2 to Local-Subnet/24 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type use
flow esp in from SUBNET3 to Local-Subnet/24 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type use
flow esp in from SUBNET4 to Local-Subnet/24 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type use
flow esp out from local-subnet/24 to SUBNET1 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type require
flow esp out from Local-Subnet/24 to SUBNET2 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type require
flow esp out from Local-Subnet/24 to SUBNET3 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type require
flow esp out from Local-Subnet/24 to SUBNET4 peer HQ-Public-IP srcid
Branch-Public-IP/32 dstid HQ-Public-IP/32 type require
SAD:
esp tunnel from Branch-Public-IP to HQ-Public-IP spi 0x093f1f86 auth
hmac-md5 enc 3des-cbc
esp tunnel from Branch-Public-IP to HQ-Public-IP spi 0x093f1f87 auth
hmac-md5 enc 3des-cbc
esp tunnel from Branch-Public-IP to HQ-Public-IP spi 0x093f1f88 auth
hmac-md5 enc 3des-cbc
esp tunnel from Branch-Public-IP to HQ-Public-IP spi 0x093f1f89 auth
hmac-md5 enc 3des-cbc
esp tunnel from HQ-Public-IP to Branch-Public-IP spi 0x73276265 auth
hmac-md5 enc 3des-cbc
esp tunnel from HQ-Public-IP to Branch-Public-IP spi 0x945e8108 auth
hmac-md5 enc 3des-cbc
esp tunnel from HQ-Public-IP to Branch-Public-IP spi 0xebac2f5a auth
hmac-md5 enc 3des-cbc
esp tunnel from HQ-Public-IP to Branch-Public-IP spi 0xf5976c15 auth
hmac-md5 enc 3des-cbc
cat /etc/ipsec.conf
ike active esp from Local-Subnet/24 to {SUBNET1, SUBNET2, SUBNET3,
SUBNET4} peer HQ-Public-IP \
main auth hmac-md5 enc 3des group modp1024 lifetime 86400 \
quick auth hmac-md5 enc 3des group none lifetime 28800 \
psk "REDACTED-PSK-IMaginethat"
cat /etc/sysctl.conf
net.inet.ah.enable=1
net.inet.esp.enable=1
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=1
net.inet.ip.ipsec-enc-alg=3des
net.inet.ip.ipsec-pfs=0
net.inet.ip.ipsec-auth-alg=hmac-md5
cat /etc/rc.conf.local
dhcpd_flags=-c /etc/dhcpd.conf vlan103
ipsec=YES
isakmpd_flags=-K
dmesg
Sep 17 14:29:06 temp /bsd: OpenBSD 6.6-beta (GENERIC.MP) #313: Tue Sep
10 23:30:52 MDT 2019
Sep 17 14:29:06 temp /bsd:
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Sep 17 14:29:06 temp /bsd: real mem = 4261076992 (4063MB)
Sep 17 14:29:06 temp /bsd: avail mem = 4119269376 (3928MB)
Sep 17 14:29:06 temp /bsd: mpath0 at root
Sep 17 14:29:06 temp /bsd: scsibus0 at mpath0: 256 targets
Sep 17 14:29:06 temp /bsd: mainbus0 at root
Sep 17 14:29:06 temp /bsd: bios0 at mainbus0: SMBIOS rev. 2.7 @
0xdffb7020 (7 entries)
Sep 17 14:29:06 temp /bsd: bios0: vendor coreboot version "4.0.7" date
02/28/2017
Sep 17 14:29:06 temp /bsd: bios0: PC Engines APU2
Sep 17 14:29:06 temp /bsd: acpi0 at bios0: ACPI 4.0
Sep 17 14:29:06 temp /bsd: acpi0: sleep states S0 S1 S2 S3 S4 S5
Sep 17 14:29:06 temp /bsd: acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
Sep 17 14:29:06 temp /bsd: acpi0: wakeup devices PWRB(S4) PBR4(S4)
PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH3(S3) UOH5(S3)
XHC0(S4)
Sep 17 14:29:06 temp /bsd: acpitimer0 at acpi0: 3579545 Hz, 32 bits
Sep 17 14:29:06 temp /bsd: acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
Sep 17 14:29:06 temp /bsd: cpu0 at mainbus0: apid 0 (boot processor)
Sep 17 14:29:06 temp /bsd: cpu0: AMD GX-412TC SOC, 998.25 MHz, 16-30-01
Sep 17 14:29:06 temp /bsd: cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
Sep 17 14:29:06 temp /bsd: cpu0: 32KB 64b/line 2-way I-cache, 32KB
64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
Sep 17 14:29:06 temp /bsd: cpu0: ITLB 32 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: cpu0: DTLB 40 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: tsc_timecounter_init: TSC skew=0 observed drift=0
Sep 17 14:29:06 temp /bsd: cpu0: smt 0, core 0, package 0
Sep 17 14:29:06 temp /bsd: mtrr: Pentium Pro MTRR support, 8 var
ranges, 88 fixed ranges
Sep 17 14:29:06 temp /bsd: cpu0: apic clock running at 99MHz
Sep 17 14:29:06 temp /bsd: cpu0: mwait min=64, max=64, IBE
Sep 17 14:29:06 temp /bsd: cpu1 at mainbus0: apid 1 (application processor)
Sep 17 14:29:06 temp /bsd: TSC skew=-11
Sep 17 14:29:06 temp /bsd: cpu1: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
Sep 17 14:29:06 temp /bsd: cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
Sep 17 14:29:06 temp /bsd: cpu1: 32KB 64b/line 2-way I-cache, 32KB
64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
Sep 17 14:29:06 temp /bsd: cpu1: ITLB 32 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: cpu1: DTLB 40 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: tsc_timecounter_init: TSC skew=-11 observed drift=0
Sep 17 14:29:06 temp /bsd: cpu1: smt 0, core 1, package 0
Sep 17 14:29:06 temp /bsd: cpu2 at mainbus0: apid 2 (application processor)
Sep 17 14:29:06 temp /bsd: TSC skew=-12
Sep 17 14:29:06 temp /bsd: cpu2: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
Sep 17 14:29:06 temp /bsd: cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
Sep 17 14:29:06 temp /bsd: cpu2: 32KB 64b/line 2-way I-cache, 32KB
64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
Sep 17 14:29:06 temp /bsd: cpu2: ITLB 32 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: cpu2: DTLB 40 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: tsc_timecounter_init: TSC skew=-12 observed drift=0
Sep 17 14:29:06 temp /bsd: cpu2: smt 0, core 2, package 0
Sep 17 14:29:06 temp /bsd: cpu3 at mainbus0: apid 3 (application processor)
Sep 17 14:29:06 temp /bsd: TSC skew=-13
Sep 17 14:29:06 temp /bsd: cpu3: AMD GX-412TC SOC, 998.37 MHz, 16-30-01
Sep 17 14:29:06 temp /bsd: cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
Sep 17 14:29:06 temp /bsd: cpu3: 32KB 64b/line 2-way I-cache, 32KB
64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
Sep 17 14:29:06 temp /bsd: cpu3: ITLB 32 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: cpu3: DTLB 40 4KB entries fully
associative, 8 4MB entries fully associative
Sep 17 14:29:06 temp /bsd: tsc_timecounter_init: TSC skew=-13 observed drift=0
Sep 17 14:29:06 temp /bsd: cpu3: smt 0, core 3, package 0
Sep 17 14:29:06 temp /bsd: ioapic0 at mainbus0: apid 4 pa 0xfec00000,
version 21, 24 pins
Sep 17 14:29:06 temp /bsd: ioapic1 at mainbus0: apid 5 pa 0xfec20000,
version 21, 32 pins, remapped
Sep 17 14:29:06 temp /bsd: acpihpet0 at acpi0: 14318180 Hz
Sep 17 14:29:06 temp /bsd: acpiprt0 at acpi0: bus 0 (PCI0)
Sep 17 14:29:06 temp /bsd: acpiprt1 at acpi0: bus -1 (PBR4)
Sep 17 14:29:06 temp /bsd: acpiprt2 at acpi0: bus 1 (PBR5)
Sep 17 14:29:06 temp /bsd: acpiprt3 at acpi0: bus 2 (PBR6)
Sep 17 14:29:06 temp /bsd: acpiprt4 at acpi0: bus 3 (PBR7)
Sep 17 14:29:06 temp /bsd: acpiprt5 at acpi0: bus -1 (PBR8)
Sep 17 14:29:06 temp /bsd: acpicpu0 at acpi0: C2(0@400 io@0x1771),
C1(@1 halt!), PSS
Sep 17 14:29:06 temp /bsd: acpicpu1 at acpi0: C2(0@400 io@0x1771),
C1(@1 halt!), PSS
Sep 17 14:29:06 temp /bsd: acpicpu2 at acpi0: C2(0@400 io@0x1771),
C1(@1 halt!), PSS
Sep 17 14:29:06 temp /bsd: acpicpu3 at acpi0: C2(0@400 io@0x1771),
C1(@1 halt!), PSS
Sep 17 14:29:06 temp /bsd: acpibtn0 at acpi0: PWRB
Sep 17 14:29:06 temp /bsd: acpipci0 at acpi0 PCI0: 0x00000000
0x00000011 0x00000001
Sep 17 14:29:06 temp /bsd: acpicmos0 at acpi0
Sep 17 14:29:06 temp /bsd: cpu0: 998 MHz: speeds: 1000 800 600 MHz
Sep 17 14:29:06 temp /bsd: pci0 at mainbus0 bus 0
Sep 17 14:29:06 temp /bsd: pchb0 at pci0 dev 0 function 0 "AMD AMD64
16h Root Complex" rev 0x00
Sep 17 14:29:06 temp /bsd: pchb1 at pci0 dev 2 function 0 "AMD AMD64
16h Host" rev 0x00
Sep 17 14:29:06 temp /bsd: ppb0 at pci0 dev 2 function 2 "AMD AMD64
16h PCIE" rev 0x00: msi
Sep 17 14:29:06 temp /bsd: pci1 at ppb0 bus 1
Sep 17 14:29:06 temp /bsd: em0 at pci1 dev 0 function 0 "Intel I210"
rev 0x03: msi, address 00:0d:b9:53:2e:f8
Sep 17 14:29:06 temp /bsd: ppb1 at pci0 dev 2 function 3 "AMD AMD64
16h PCIE" rev 0x00: msi
Sep 17 14:29:06 temp /bsd: pci2 at ppb1 bus 2
Sep 17 14:29:06 temp /bsd: em1 at pci2 dev 0 function 0 "Intel I210"
rev 0x03: msi, address 00:0d:b9:53:2e:f9
Sep 17 14:29:06 temp /bsd: ppb2 at pci0 dev 2 function 4 "AMD AMD64
16h PCIE" rev 0x00: msi
Sep 17 14:29:06 temp /bsd: pci3 at ppb2 bus 3
Sep 17 14:29:06 temp /bsd: em2 at pci3 dev 0 function 0 "Intel I210"
rev 0x03: msi, address 00:0d:b9:53:2e:fa
Sep 17 14:29:06 temp /bsd: ccp0 at pci0 dev 8 function 0 "AMD AMD64
16h Crypto" rev 0x00
Sep 17 14:29:06 temp /bsd: xhci0 at pci0 dev 16 function 0 "AMD Bolton
xHCI" rev 0x11: msi, xHCI 1.0
Sep 17 14:29:06 temp /bsd: usb0 at xhci0: USB revision 3.0
Sep 17 14:29:06 temp /bsd: uhub0 at usb0 configuration 1 interface 0
"AMD xHCI root hub" rev 3.00/1.00 addr 1
Sep 17 14:29:06 temp /bsd: ahci0 at pci0 dev 17 function 0 "AMD
Hudson-2 SATA" rev 0x40: apic 4 int 19, AHCI 1.3
Sep 17 14:29:06 temp /bsd: ahci0: port 0: 6.0Gb/s
Sep 17 14:29:06 temp /bsd: scsibus1 at ahci0: 32 targets
Sep 17 14:29:06 temp /bsd: sd0 at scsibus1 targ 0 lun 0: <ATA, SATA
SSD, SBFM> naa.0000000000000000
Sep 17 14:29:06 temp /bsd: sd0: 15272MB, 512 bytes/sector, 31277232
sectors, thin
Sep 17 14:29:06 temp /bsd: ehci0 at pci0 dev 19 function 0 "AMD
Hudson-2 USB2" rev 0x39: apic 4 int 18
Sep 17 14:29:06 temp /bsd: usb1 at ehci0: USB revision 2.0
Sep 17 14:29:06 temp /bsd: uhub1 at usb1 configuration 1 interface 0
"AMD EHCI root hub" rev 2.00/1.00 addr 1
Sep 17 14:29:06 temp /bsd: piixpm0 at pci0 dev 20 function 0 "AMD
Hudson-2 SMBus" rev 0x42: SMBus disabled
Sep 17 14:29:06 temp /bsd: pcib0 at pci0 dev 20 function 3 "AMD
Hudson-2 LPC" rev 0x11
Sep 17 14:29:06 temp /bsd: sdhc0 at pci0 dev 20 function 7 "AMD Bolton
SD/MMC" rev 0x01: apic 4 int 16
Sep 17 14:29:06 temp /bsd: sdhc0: SDHC 2.0, 50 MHz base clock
Sep 17 14:29:06 temp /bsd: sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc
high-speed, dma
Sep 17 14:29:06 temp /bsd: pchb2 at pci0 dev 24 function 0 "AMD AMD64
16h Link Cfg" rev 0x00
Sep 17 14:29:06 temp /bsd: pchb3 at pci0 dev 24 function 1 "AMD AMD64
16h Address Map" rev 0x00
Sep 17 14:29:06 temp /bsd: pchb4 at pci0 dev 24 function 2 "AMD AMD64
16h DRAM Cfg" rev 0x00
Sep 17 14:29:06 temp /bsd: km0 at pci0 dev 24 function 3 "AMD AMD64
16h Misc Cfg" rev 0x00
Sep 17 14:29:06 temp /bsd: pchb5 at pci0 dev 24 function 4 "AMD AMD64
16h CPU Power" rev 0x00
Sep 17 14:29:06 temp /bsd: pchb6 at pci0 dev 24 function 5 "AMD AMD64
16h Misc Cfg" rev 0x00
Sep 17 14:29:06 temp /bsd: isa0 at pcib0
Sep 17 14:29:06 temp /bsd: isadma0 at isa0
Sep 17 14:29:06 temp /bsd: com0 at isa0 port 0x3f8/8 irq 4: ns16550a,
16 byte fifo
Sep 17 14:29:06 temp /bsd: com0: console
Sep 17 14:29:06 temp /bsd: com1 at isa0 port 0x2f8/8 irq 3: ns16550a,
16 byte fifo
Sep 17 14:29:06 temp /bsd: pcppi0 at isa0 port 0x61
Sep 17 14:29:06 temp /bsd: spkr0 at pcppi0
Sep 17 14:29:06 temp /bsd: lpt0 at isa0 port 0x378/4 irq 7
Sep 17 14:29:06 temp /bsd: wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x53
Sep 17 14:29:06 temp /bsd: vmm0 at mainbus0: SVM/RVI
Sep 17 14:29:06 temp /bsd: uhub2 at uhub1 port 1 configuration 1
interface 0 "Advanced Micro Devices product 0x7900" rev 2.00/0.18 addr
2
Sep 17 14:29:06 temp /bsd: vscsi0 at root
Sep 17 14:29:06 temp /bsd: scsibus2 at vscsi0: 256 targets
Sep 17 14:29:06 temp /bsd: softraid0 at root
Sep 17 14:29:06 temp /bsd: scsibus3 at softraid0: 256 targets
Sep 17 14:29:06 temp /bsd: root on sd0a (45756a429a5000c8.a) swap on
sd0b dump on sd0b
Sep 17 14:29:06 temp sendsyslog: dropped 2 messages, error 57, pid 6195
Sep 17 14:29:08 temp isakmpd[5551]: isakmpd: starting
Sep 17 14:29:08 temp isakmpd[56597]: conf_reinit:
open("/etc/isakmpd/isakmpd.conf", O_RDONLY, 0) failed: Permission
denied
Sep 17 14:29:09 temp savecore: /dev/sd0b: Device not configured
Sep 17 14:29:11 temp isakmpd[56597]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Sep 17 14:29:12 temp isakmpd[56597]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id SUBNET1/255.255.0.0,
responder id local-subnet/255.255.255.0
Sep 17 14:29:12 temp isakmpd[56597]: dropped message from HQ-Public-IP
port 500 due to notification type INVALID_ID_INFORMATION
Sep 17 14:29:13 temp reorder_kernel: failed -- see
/usr/share/relink/kernel/GENERIC.MP/relink.log
--
Kindest regards,
Tom Smyth.
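The symptom in the post is that flows for configured subnets silently disappear from `ipsecctl -sa` while nothing is logged. The check below is an added example (not code from the post or from OpenBSD) that reconciles the subnets named in an `ike ... from X to {A, B, ...} peer P` rule against the FLOWS section of `ipsecctl -sa`, and reports each remote subnet that is missing its inbound or outbound flow. All addresses, the sample rule and the sample `ipsecctl` output are constructed for the example; the function names (`parse_rule`, `installed_flows`, `missing_flows`) are this example's own.

```python
"""Reconcile ipsec.conf(5) subnets against the flows ipsecctl -sa reports.

Added example, not part of the original mailing-list post. It parses the
first 'from LOCAL to {REMOTE, ...} peer PEER' rule of an ipsec.conf fragment,
parses the FLOWS section of ipsecctl -sa output, and lists every configured
remote subnet whose 'in' or 'out' flow is absent from the kernel SPD.
"""
import re
import sys

# One 'flow' line as printed by ipsecctl -sa (FLOWS section).
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+peer\s+(?P<peer>\S+)"
)
# The 'from ... to ... peer ...' part of an ike rule; the destination may be
# a single subnet or a brace-enclosed list that spans several lines.
RULE_RE = re.compile(
    r"\bfrom\s+(?P<local>\S+)\s+to\s+(?P<remote>\{[^}]*\}|\S+)\s+peer\s+(?P<peer>\S+)"
)

# Constructed sample rule: four remote subnets behind one peer (RFC 5737 /
# RFC 1918 addresses, placeholder PSK).
SAMPLE_CONF = """\
ike active esp from 192.0.2.0/24 to {10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16,
10.40.0.0/16} peer 203.0.113.1 \\
        main auth hmac-sha1 enc aes group modp2048 lifetime 86400 \\
        quick auth hmac-sha1 enc aes group modp2048 lifetime 28800 \\
        psk "constructed-example-psk"
"""

# Constructed sample ipsecctl -sa output: 10.30.0.0/16 has lost its inbound
# flow and 10.40.0.0/16 has no flows at all, mirroring the post's symptom.
SAMPLE_SA = """\
FLOWS:
flow esp in from 10.10.0.0/16 to 192.0.2.0/24 peer 203.0.113.1 srcid 198.51.100.1/32 dstid 203.0.113.1/32 type use
flow esp in from 10.20.0.0/16 to 192.0.2.0/24 peer 203.0.113.1 srcid 198.51.100.1/32 dstid 203.0.113.1/32 type use
flow esp out from 192.0.2.0/24 to 10.10.0.0/16 peer 203.0.113.1 srcid 198.51.100.1/32 dstid 203.0.113.1/32 type require
flow esp out from 192.0.2.0/24 to 10.20.0.0/16 peer 203.0.113.1 srcid 198.51.100.1/32 dstid 203.0.113.1/32 type require
flow esp out from 192.0.2.0/24 to 10.30.0.0/16 peer 203.0.113.1 srcid 198.51.100.1/32 dstid 203.0.113.1/32 type require
SAD:
esp tunnel from 198.51.100.1 to 203.0.113.1 spi 0x00000001 auth hmac-sha1 enc aes
"""


def parse_rule(conf_text):
    """Return (local_subnet, [remote_subnets], peer) from the first ike rule."""
    joined = conf_text.replace("\\\n", " ")  # fold backslash continuations
    m = RULE_RE.search(joined)
    if not m:
        raise ValueError("no 'from ... to ... peer ...' rule found")
    remote = m.group("remote").strip("{}")
    remotes = [r.strip() for r in remote.split(",") if r.strip()]
    return m.group("local"), remotes, m.group("peer")


def expected_flows(conf_text):
    """Every (dir, src, dst, peer) flow the rule should have installed."""
    local, remotes, peer = parse_rule(conf_text)
    flows = set()
    for r in remotes:
        flows.add(("out", local.lower(), r.lower(), peer))
        flows.add(("in", r.lower(), local.lower(), peer))
    return flows


def installed_flows(sa_text):
    """Flows actually present, taken from the FLOWS lines of ipsecctl -sa."""
    flows = set()
    for line in sa_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add((m.group("dir"), m.group("src").lower(),
                       m.group("dst").lower(), m.group("peer")))
    return flows


def missing_flows(conf_text, sa_text):
    """Map each configured remote subnet to the directions that lack a flow."""
    local, remotes, peer = parse_rule(conf_text)
    have = installed_flows(sa_text)
    missing = {}
    for r in remotes:
        gaps = []
        if ("out", local.lower(), r.lower(), peer) not in have:
            gaps.append("out")
        if ("in", r.lower(), local.lower(), peer) not in have:
            gaps.append("in")
        if gaps:
            missing[r] = gaps
    return missing


if __name__ == "__main__":
    # Usage on a live box:  ipsecctl -sa | python3 check_flows.py /etc/ipsec.conf
    # With no arguments the constructed samples above are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf, sa = fh.read(), sys.stdin.read()
    else:
        conf, sa = SAMPLE_CONF, SAMPLE_SA
    gaps = missing_flows(conf, sa)
    for subnet in sorted(gaps):
        print(f"{subnet}: missing {', '.join(gaps[subnet])} flow(s)")
    sys.exit(1 if gaps else 0)
```

Run from cron or a monitoring agent, a non-zero exit flags the condition described in the post before anyone notices a subnet going dark. The outbound direction is the one worth alerting on most loudly: an `out ... type require` flow is what forces packets for the remote subnet into the tunnel, so when it is gone the kernel simply routes that traffic by the ordinary routing table, unencrypted, rather than dropping it.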