Do your firewalls forward ip 4?
sysctl net.inet.ip.forwarding=1
Jack Bates wrote:
If you can help, please feel free to CC: me directly:
[EMAIL PROTECTED]
My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN
working with OpenBSD-4.0-stable isakmpd. Both firewalls have a relatively
unaltered install. Both firewalls still have pf, ipsec and isakmpd_flags
"unset" in rc.conf (we are configuring and starting manually - is this a
problem?). We have followed the directions from the "Zero to IPSec in 4
minutes" webpage. I hope that this error report is thorough.
Here is a picture of the configuration:
L1 (10.4.14.1) --- (10.4.12.1/22) F1 (10.0.0.2/24) --- (10.0.0.1/24) F2 (10.2.12.1/22) --- (10.2.14.1) L2
L1,L2 - laptops
F1,F2 - Soekris net4801 firewalls
What works:
L1-F1 lan communication
L2-F2 lan communication
F1-F2 lan communication
F1-F2 IPSec communication (evidenced by F1 running "ping 10.0.0.1" and
seeing only esp packets in tcpdump)
What doesn't work:
F1-L2 gateway'd VPN
F2-L1 gateway'd VPN
L1-L2 gateway-to-gateway'd VPN
What is interesting is that the routing tables have a section named
"Encap:" that seems to contain valid routes for the flows that do not work
above, but when attempting to use "ping" on addresses on a broken flow we
get "No route to host". This has got to be something simple. Thanks in
advance for your help.
Here are the pf.conf files from both firewalls:
###########
F1: pf.conf
###########
# jack
ext_if="sis0"
int_if="sis1"
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
###########
F2: pf.conf
###########
# sabino
ext_if="sis0"
int_if="sis1"
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
##############
F1: ipsec.conf
##############
# jack to sabino
sabino_ext = "10.0.0.1"
sabino_int = "10.2.12.0/22"
jack_ext = "10.0.0.2"
jack_int = "10.4.12.0/22"
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext
##############
F2: ipsec.conf
##############
# sabino to jack
sabino_ext="10.0.0.1"
sabino_int="10.2.12.0/22"
jack_ext="10.0.0.2"
jack_int="10.4.12.0/22"
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext
###############################################################
F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###############################################################
# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a000002: 10.0.0.2, responder id 0a000001: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit
###############################################################
F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###############################################################
# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a000002: 10.0.0.2, responder id 0a000001: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit
##################################################
F1: routing table after isakmpd negotiates tunnels
##################################################
# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
10.0.0/24          link#1             UC          1        0     -  sis0
10.0.0.1           00:00:24:c8:1d:60  UHLc        2      125     -  sis0
10.4.12/22         link#2             UC          1        0     -  sis1
10.4.14.1          00:e0:00:c2:6e:2c  UHLc        4      644     -  sis1
10.4.16/22         link#3             UC          0        0     -  sis2
127/8              127.0.0.1          UGRS        0        0 33224  lo0
127.0.0.1          127.0.0.1          UH          1        4 33224  lo0
224/4              127.0.0.1          URS         0        0 33224  lo0
Internet6:
...abbreviated - irrelevant...
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0.1/32        0     10.0.0.2/32        0     0      10.0.0.1/esp/use/in
10.0.0.2/32        0     10.0.0.1/32        0     0      10.0.0.1/esp/require/out
10.2.12/22         0     10.4.12/22         0     0      10.0.0.1/esp/use/in
10.4.12/22         0     10.2.12/22         0     0      10.0.0.1/esp/require/out
10.2.12/22         0     10.0.0.2/32        0     0      10.0.0.1/esp/use/in
10.0.0.2/32        0     10.2.12/22         0     0      10.0.0.1/esp/require/out
##################################################
F2: routing table after isakmpd negotiates tunnels
##################################################
# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
10.0.0/24          link#1             UC          1        0     -  sis0
10.0.0.2           00:00:24:c8:1d:5c  UHLc        1       11     -  sis0
10.1.10.46         127.0.0.1          UGHS        0        0 33224  lo0
10.2.12/22         link#2             UC          1        0     -  sis1
10.2.14.1          00:06:5b:d5:a8:a5  UHLc        3      680     -  sis1
127/8              127.0.0.1          UGRS        0        0 33224  lo0
127.0.0.1          127.0.0.1          UH          2        0 33224  lo0
224/4              127.0.0.1          URS         0        0 33224  lo0
Internet6:
...abbreviated - irrelevant...
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0.2/32        0     10.0.0.1/32        0     0      10.0.0.2/esp/use/in
10.0.0.1/32        0     10.0.0.2/32        0     0      10.0.0.2/esp/require/out
10.4.12/22         0     10.2.12/22         0     0      10.0.0.2/esp/use/in
10.2.12/22         0     10.4.12/22         0     0      10.0.0.2/esp/require/out
10.0.0.2/32        0     10.2.12/22         0     0      10.0.0.2/esp/use/in
10.2.12/22         0     10.0.0.2/32        0     0      10.0.0.2/esp/require/out
#########################
F1: attempting to ping L2
#########################
# ping 10.2.12.1
PING 10.2.12.1 (10.2.12.1): 56 data bytes
ping: sendto: No route to host
ping: wrote 10.2.12.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.2.12.1 64 chars, ret=-1
--- 10.2.12.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
#########################
F2: attempting to ping L1
#########################
# ping 10.4.14.1
PING 10.4.14.1 (10.4.14.1): 56 data bytes
ping: sendto: No route to host
ping: wrote 10.4.14.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.4.14.1 64 chars, ret=-1
--- 10.4.14.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
CHEERS!