I found the problem! I'm very sorry. I didn't pay attention to the outgoing NAT
rules and tagging outside the internal network.
pass out quick on egress tagged OUT nat-to X.X.X.3
pass in quick on { $prod_if $mgmt_if } from <internet> to !<rfc1918> tag OUT
Sorry again. I'm inconsiderate. :(
Thu, 19 Nov 2020 at 20:45, Dev Op <[email protected]>:
> Hello all!
>
> I'm trying to create an IPSec (IKEv1) tunnel from my router to a foreign
> host. I've got FLOWS and SAD records for the foreign host, everything might be
> ok, but esp packets go from the wrong IP address.
>
> Configuration (sorry I need to hide my real net):
>
> Foreign router:
> Y.Y.Y.Y/24 - foreign network with public IP addresses:
> .1 - VPN peer
> .2 - Application server
>
> My router:
> bge0: X.X.X.1/28 - external subnet
> carp1: X.X.X.3/28 (master) - meanwhile I have no slave yet
> X.X.X.4/28 - alias for IPSec
> vlan12: 10.0.12.1/24 - internal subnet
>
> # cat /etc/isakmpd/isakmpd.conf
> [General]
> Listen-on=X.X.X.4
> Retransmits=32
> Exchange-max-time=240
> DPD-check-interval=30
> Default-phase-1-lifetime=86400,60:86400
> Default-phase-2-lifetime=86400,60:86400
>
> # cat /etc/ipsec.conf
> ike active esp from 10.0.12.12 to Y.Y.Y.2 local X.X.X.4 peer Y.Y.Y.1 \
> main auth hmac-sha1 enc 3des group modp1024 lifetime 24h \
> quick auth hmac-sha1 enc 3des group none lifetime 8h \
> psk "verysecret"
>
> # ipsecctl -Fd
> # isakmpd -4K
> # ipsecctl -f /etc/ipsec.conf
> # netstat -an | grep -w 500
> udp 0 0 X.X.X.4.500 *.*
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from Y.Y.Y.2 to 10.0.12.12 peer Y.Y.Y.1 srcid X.X.X.4/32 dstid
> Y.Y.Y.1/32 type use
> flow esp out from 10.0.12.12 to Y.Y.Y.2 peer Y.Y.Y.1 srcid X.X.X.4/32
> dstid Y.Y.Y.1/32 type require
>
> SAD:
> esp tunnel from Y.Y.Y.1 to X.X.X.4 spi 0x703bdd15 auth hmac-sha1 enc
> 3des-cbc
> esp tunnel from X.X.X.4 to Y.Y.Y.1 spi 0x9163f209 auth hmac-sha1 enc
> 3des-cbc
>
> Now I try to telnet from internal subnetwork:
> node4# telnet -b 10.0.12.12 Y.Y.Y.2 12000
> Trying Y.Y.Y.2...
> ^C
>
> Now checkout router:
>
> # tcpdump -ni enc0 host Y.Y.Y.1
> tcpdump: listening on enc0, link-type ENC
> 17:19:25.664514 (authentic,confidential): SPI 0x9163f209: 10.0.12.12.41013
> > Y.Y.Y.2.12000: S 3062295815:3062295815(0) win 29200 <mss
> 1440,sackOK,timestamp 2280702669 0,nop,wscale 7> [tos 0x10] (encap)
> 17:19:26.725920 (authentic,confidential): SPI 0x9163f209: 10.0.12.12.41013
> > Y.Y.Y.2.12000: S 3062295815:3062295815(0) win 29200 <mss
> 1440,sackOK,timestamp 2280703730 0,nop,wscale 7> [tos 0x10] (encap)
>
> And things go crazy if you look at the source address of the esp packets:
>
> # tcpdump -ni bge0 host Y.Y.Y.1
> tcpdump: listening on bge0, link-type EN10MB
> 17:19:23.398060 Y.Y.Y.1.500 > X.X.X.4.500: isakmp v1.0 exchange INFO
> encrypted
> cookie: 28259647556726a3->2772360ab1b13794 msgid: f4395193 len: 92
> 17:19:25.664623 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 192 len 92 [tos
> 0x10]
> 17:19:26.725975 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 193 len 92 [tos
> 0x10]
> 17:19:28.414920 X.X.X.4.500 > Y.Y.Y.1.500: isakmp v1.0 exchange INFO
> encrypted
> cookie: 28259647556726a3->2772360ab1b13794 msgid: 167f5770 len: 84
> 17:19:28.418532 Y.Y.Y.1.500 > X.X.X.4.500: isakmp v1.0 exchange INFO
> encrypted
> cookie: 28259647556726a3->2772360ab1b13794 msgid: 00e63d21 len: 92
>
> What did I forget? :( Why does OpenBSD (I guess isakmpd) choose the first
> address of the CARP interface, not the one I specified for the VPN, only in the
> case of ESP packets? I must admit that I also have a second VPN connection where
> the FLOW works well with the tunnel address from the private destination network
> and ESP packets go from the right address X.X.X.4 on the external interface. I
> think this problem somehow occurs due to the public address which was
> specified by the foreign service provider that I have to use in the tunnel.
>
> My packet filter ruleset:
>
> set block-policy drop
> set skip on { lo enc0 }
> ...
> # IPSec
> pass out quick on egress proto udp from X.X.X.4 to <ipsec> port { isakmp,
> ipsec-nat-t }
> pass out quick on egress proto esp from X.X.X.4 to <ipsec>
> pass in quick on egress proto udp from <ipsec> to X.X.X.4 port { isakmp,
> ipsec-nat-t }
> pass in quick on egress proto esp from <ipsec> to X.X.X.4
>
> Thanks for any help.
>
> Regards,
> Den
>
--
Best regards,
Denis
*This message and any documents attached to it contain confidential
information. We notify you that the use, copying or distribution of the
information contained in this message is prohibited.*
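The two rules quoted at the top of the reply explain the symptom: the inner 10.0.12.12 -> Y.Y.Y.2 packet is tagged OUT when it enters on the internal interface, the tag stays attached to the packet through ESP encapsulation, and the catch-all `quick nat-to` rule then rewrites the ESP source to the CARP address before the IPsec-specific rules are ever reached. The fragment below is an added illustration of that ordering problem and one way to fix it, not the poster's final ruleset; the macros `$prod_if`, `$mgmt_if` and the tables `<internet>`, `<rfc1918>`, `<ipsec>` are assumed to be defined as in the thread.

```pf
# Constructed example (not the original poster's pf.conf). Macros and tables are
# assumed from the thread: $prod_if $mgmt_if, <internet>, <rfc1918>, <ipsec>.

# --- before: the tagged ESP packet hits the NAT rule first ---
# "quick" means first match wins, so the IPsec rule further down never sees
# ESP packets that carry the OUT tag; they leave egress rewritten to X.X.X.3.
pass in  quick on { $prod_if $mgmt_if } from <internet> to !<rfc1918> tag OUT
pass out quick on egress tagged OUT nat-to X.X.X.3
pass out quick on egress proto esp from X.X.X.4 to <ipsec>   # unreachable for tagged ESP

# --- after: pass IKE and ESP from the tunnel address before any NAT applies ---
# The IPsec rules carry no nat-to, and because they are "quick" and come first,
# a tagged ESP packet from X.X.X.4 is passed unchanged; only the remaining
# tagged traffic (the ordinary internal-to-internet flows) is NATed to X.X.X.3.
pass out quick on egress proto udp from X.X.X.4 to <ipsec> port { isakmp, ipsec-nat-t }
pass out quick on egress proto esp from X.X.X.4 to <ipsec>
pass in  quick on egress proto udp from <ipsec> to X.X.X.4 port { isakmp, ipsec-nat-t }
pass in  quick on egress proto esp from <ipsec> to X.X.X.4
pass in  quick on { $prod_if $mgmt_if } from <internet> to !<rfc1918> tag OUT
pass out quick on egress tagged OUT nat-to X.X.X.3
```

After reloading with `pfctl -f /etc/pf.conf`, `tcpdump -ni egress proto esp` should show the ESP source as X.X.X.4 again, matching the SAD entry in `ipsecctl -sa`.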