Hi all

I've looked through what documentation I could find, but didn't find this case mentioned, so I assumed it would work (which it doesn't):

I have an OBSD 4.1 vpn gateway (A) with only one interface, over which the default route points out and over which the packets to forward through the tunnel arrive. The other gateway is a "regular" 2-interface OBSD 4.1 gateway (B).

Here's the layout:

Internal Net -- <NAT router A> -- VPN gateway A
                    |
                 Internet
                    |
                <NAT router B>
                    |
               VPN gateway B
                    |
              Destination Net

The tunnel seemingly does get created without any errors, but when packets pass through the tunnel, the remote gateway sends them right back. Also, on both gateways, 4 flows and 4 SADs get created, instead of 2 each, as I'd expect:

# ipsecctl -s all
FLOWS:
flow esp in from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type use
flow esp out from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type require
flow esp in from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type use
flow esp out from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type require

SAD:
esp tunnel from <VPN Gateway B> to <VPN Gateway A> spi 0xADEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway B> to <VPN Gateway A> spi 0xBDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway A> to <VPN Gateway B> spi 0xCDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway A> to <VPN Gateway B> spi 0xDDEADBEEF auth hmac-sha2-256 enc aes

Thus, contradicting routes get added to the kernel routing tables:

gateway B:

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
<Internal Net>     0     <Destination Host> 0     0      NAT router A/esp/use/in
<Destination Host> 0     <Internal Net>     0     0      NAT router A/esp/require/out
<Destination Host> 0     <Internal Net>     0     0      NAT router A/esp/use/in
<Internal Net>     0     <Destination Host> 0     0      NAT router A/esp/require/out

ipsec.conf on A:
ike esp from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A>
ike esp from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A>

ipsec.conf on B:
ike passive esp tunnel from any to <Destination Net> srcid <fqdn B>
ike passive esp tunnel from <Destination Net> to any srcid <fqdn B>


A tcpdump on enc0 of both gateways shows the packets looping between the two gateways until ttl == 1.

Can anybody tell me if this is supposed to work at all? Does anyone see an obvious flaw? I'm really lost at why the gateways add flows and routes in both directions...


thx /markus
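A small diagnostic for the situation described in this mail, added here as an example (my own code, not from the original post and not part of OpenBSD's ipsecctl): it parses the FLOWS section of `ipsecctl -s all` and the `ike` rules of an ipsec.conf, and flags any directed selector that carries both an `in` and an `out` flow on the same host, plus any pair of rules that are each other's mirror image. It assumes that one `ike ... from X to Y` rule yields one `in` flow and one `out` flow for opposite selectors, so an `in`+`out` pair for the *same* selector indicates the reverse rule was configured as well. All addresses and identities in the sample input are constructed, not taken from the post.

```python
"""Spot mirrored IPsec policy on an OpenBSD gateway from ipsecctl output / ipsec.conf."""
import re
from collections import defaultdict

# Constructed sample of `ipsecctl -s all` on a host where both directions of the
# same selector were configured as separate rules (four flows instead of two).
# Addresses are RFC 1918 / RFC 5737 placeholders, not the original poster's.
SAMPLE_FLOWS_LOOPING = """\
FLOWS:
flow esp in from 10.0.1.0/24 to 10.0.2.0/24 peer 198.51.100.2 srcid a.example dstid b.example type use
flow esp out from 10.0.2.0/24 to 10.0.1.0/24 peer 198.51.100.2 srcid a.example dstid b.example type require
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 198.51.100.2 srcid a.example dstid b.example type use
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 198.51.100.2 srcid a.example dstid b.example type require

SAD:
esp tunnel from 198.51.100.2 to 192.0.2.1 spi 0x10000001 auth hmac-sha2-256 enc aes
esp tunnel from 192.0.2.1 to 198.51.100.2 spi 0x10000002 auth hmac-sha2-256 enc aes
"""

# Constructed sample of a single-rule gateway: one in flow, one out flow, opposite selectors.
SAMPLE_FLOWS_OK = """\
FLOWS:
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 198.51.100.2 srcid a.example dstid b.example type require
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 198.51.100.2 srcid a.example dstid b.example type use
"""

# Constructed ipsec.conf with a rule and its mirror image.
SAMPLE_CONF = """\
ike esp from 10.0.1.0/24 to 10.0.2.0/24 peer 198.51.100.2 srcid a.example
ike esp from 10.0.2.0/24 to 10.0.1.0/24 peer 198.51.100.2 srcid a.example
"""

# One ipsecctl flow line. srcid/dstid are optional, so they are skipped lazily.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*? type (?P<type>\S+)\s*$"
)
# An ike/flow rule in ipsec.conf; "port" qualifiers between from/to are not handled.
RULE_RE = re.compile(r"^\s*(?:ike|flow)\b.*?\bfrom (?P<src>\S+) to (?P<dst>\S+)")


def parse_flows(text):
    """Return the FLOWS entries of ipsecctl output as dicts; SAD lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def overlapping_selectors(flows):
    """Directed (src, dst) selectors that carry BOTH an in and an out flow on this host.

    A decapsulated packet matching such a selector is also matched by the out flow for
    the same selector, which is consistent with packets being sent straight back.
    """
    directions = defaultdict(set)
    for f in flows:
        directions[(f["src"], f["dst"])].add(f["dir"])
    return sorted(sel for sel, d in directions.items() if d == {"in", "out"})


def mirrored_rules(conf_text):
    """Pairs of ipsec.conf rules where one rule's from/to is the other's to/from."""
    pairs, seen = [], set()
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sel = (m.group("src"), m.group("dst"))
        rev = (sel[1], sel[0])
        if rev in seen and rev != sel:      # skip self-symmetric rules like any -> any
            pairs.append((rev, sel))
        seen.add(sel)
    return pairs


def report(flow_text, conf_text):
    """Human-readable summary; returns the number of problems found."""
    flows = parse_flows(flow_text)
    overlaps = overlapping_selectors(flows)
    mirrors = mirrored_rules(conf_text)
    print(f"{len(flows)} flows parsed")
    for src, dst in overlaps:
        print(f"  in+out flow for the same selector {src} -> {dst}")
    for a, b in mirrors:
        print(f"  rule {a[0]} -> {a[1]} is mirrored by {b[0]} -> {b[1]}")
    return len(overlaps) + len(mirrors)


if __name__ == "__main__":
    report(SAMPLE_FLOWS_LOOPING, SAMPLE_CONF)
    report(SAMPLE_FLOWS_OK, "")
```

Run it against real output with `ipsecctl -s flow` piped into `parse_flows` and `/etc/ipsec.conf` read into `mirrored_rules`; a clean single-rule gateway yields no findings, while a host carrying both a rule and its mirror reports both the duplicated selectors and the rule pair that produced them.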
