I have a VPN from a Windows machine to a network behind an OpenBSD router. It 
was working fine until I upgraded the router to 6.9 (amd64).
The VPN is still coming up fine, but the traffic is blocked somehow. Using 
tcpdump on the interface protected by the router (vlan0 in my case), I see the 
ping requests from the remote VPN address, and the ping replies, but on enc0 I 
only see the requests. I confirmed that pf is not blocking packets.

doas tcpdump -nni enc0
tcpdump: listening on enc0, link-type ENC
08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:09.914843 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:14.914988 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:19.915348 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
^C
4 packets received by filter
0 packets dropped by kernel

tcpdump -nni vlan0 host 192.168.9.208
tcpdump: listening on vlan0, link-type EN10MB
09:12:21.467671 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:21.468371 arp who-has 192.168.9.208 tell 192.168.9.101
09:12:21.468386 arp reply 192.168.9.208 is-at ec:eb:b8:5d:94:a0
09:12:21.468937 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:21.468961 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.410587 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:26.411144 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.411168 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:31.414257 192.168.9.208 > 192.168.9.101: icmp: echo request

It looks like 'keep state (if-bound)' from iked.conf(5) is not present or being 
respected on the return traffic to the VPN device/firewall from your internal 
network.  ICMP traffic is coming into the VPN device encrypted, being decrypted 
and passed to the destination.  The destination responds back but the VPN 
device is not taking those responses and pushing them back through enc0.

We have updated a number of IKEv2 devices already without issue.  Our testing 
environment, where we are trying out different configurations and scenarios, is 
also working fine.

Cheers,

Jason.
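The two captures in the original post contain enough to localise the fault without guesswork: requests are decrypted on enc0 and answered on vlan0, but no reply ever reappears on enc0, which is the symptom Jason's reply describes. The script below is an added example, not code from either poster. It parses tcpdump output from both interfaces, counts echo requests and replies per direction, and reports the first hop at which the ICMP flow disappears. The two captures from the thread are embedded as-is (wrapped lines rejoined); the "healthy" enc0 capture, its SPI value and the verdict labels are constructed for illustration.

```python
import re
from collections import Counter

# Captures copied from the thread above (wrapped lines rejoined).
ENC0_BROKEN = """\
08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:09.914843 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:14.914988 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:19.915348 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
"""

VLAN0_CAPTURE = """\
09:12:21.467671 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:21.468371 arp who-has 192.168.9.208 tell 192.168.9.101
09:12:21.468386 arp reply 192.168.9.208 is-at ec:eb:b8:5d:94:a0
09:12:21.468937 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:21.468961 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.410587 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:26.411144 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.411168 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:31.414257 192.168.9.208 > 192.168.9.101: icmp: echo request
"""

# Constructed: what enc0 should show when replies are pushed back into the
# tunnel. The reply rides the outbound SA, so its SPI differs (value made up).
ENC0_HEALTHY = """\
08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:05.290012 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.9.101 > 192.168.9.208: icmp: echo reply (encap)
"""

# Matches echo lines from both link types; the SPI prefix only appears on enc0.
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:\(authentic,confidential\): SPI (?P<spi>0x[0-9a-fA-F]+): )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: echo (?P<kind>request|reply)"
)


def parse_icmp(capture):
    """Yield (src, dst, kind, spi) per echo request/reply; ARP and other lines are skipped."""
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], m["spi"]


def count_echo(capture):
    """Count echo packets per (src, dst, kind)."""
    counts = Counter()
    for src, dst, kind, _spi in parse_icmp(capture):
        counts[(src, dst, kind)] += 1
    return counts


def check_return_path(enc_capture, inner_capture, remote, local):
    """Compare the tunnel interface with the inner interface for one host pair.

    remote is the VPN client address, local the host it pings. Returns the four
    counts plus a verdict naming the first hop at which the flow disappears.
    """
    enc = count_echo(enc_capture)
    inner = count_echo(inner_capture)
    r = {
        "enc_requests": enc[(remote, local, "request")],
        "enc_replies": enc[(local, remote, "reply")],
        "inner_requests": inner[(remote, local, "request")],
        "inner_replies": inner[(local, remote, "reply")],
    }
    if r["enc_requests"] == 0:
        r["verdict"] = "no-decrypted-requests"  # nothing arrives via the SA: tunnel problem
    elif r["inner_requests"] == 0:
        r["verdict"] = "not-forwarded"          # decrypted, but never reaches the inner side
    elif r["inner_replies"] == 0:
        r["verdict"] = "host-not-answering"     # request delivered, inner host silent
    elif r["enc_replies"] == 0:
        r["verdict"] = "return-path-broken"     # host answers, reply never re-enters enc0
    else:
        r["verdict"] = "ok"
    return r


if __name__ == "__main__":
    for name, enc in (("thread", ENC0_BROKEN), ("healthy", ENC0_HEALTHY)):
        print(name, check_return_path(enc, VLAN0_CAPTURE, "192.168.9.208", "192.168.9.101"))
```

On the thread's own captures the result is "return-path-broken": four decrypted requests on enc0, three requests and four replies on vlan0, zero replies on enc0. That is exactly the case where the state handling for return traffic on enc0 (the `keep state (if-bound)` rule Jason points to in iked.conf(5)) is the thing to check, as opposed to "not-forwarded", which would point at filtering between enc0 and the inner interface instead. To use it on a live box, save the output of the two tcpdump commands from the post to files and pass their contents in place of the embedded strings.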
