OpenBSD 4.3.

I'm trying to get a couple of IPsec VPNs up and am running into
increasingly bizarre behavior in my test environment. The current
issue is that packets are being sent encoded with the wrong SPI.

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
Router B has one interface: 10.123.0.48/24.

I can get A and B encrypting traffic between 10.123.0.46 and
10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
(A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to
eliminate isakmpd as a source of other issues (that were probably my
fault somehow). The keys are the defaults included in the ipsec.conf
example since this is a test environment.

Here is router A's ipsec.conf:
--
flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
--

Output from router A's ipsecctl -sa looks like you would expect:
--
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
--

Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
tcpdump -i enc0 shows this:
--
tcpdump: listening on enc0, link-type ENC
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
--

That is clearly the wrong SPI. If I try to ping in the reverse
direction, B sends its packets with the correct SPI while the replies
are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
corrects this issue.

Is this a bug in IPsec or something I'm doing wrong?

Thanks for the help. dmesg follows.

-HKS


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
real mem  = 267939840 (255MB)
avail mem = 251031552 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xdc000/0x4000! 0xe0000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HC2281Q, NCF700G, 1.01> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x00: irq 9
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: irq 11
scsibus1 at mpi0: 16 targets
ppb1 at pci0 dev 17 function 0 "VMware Virtual PCI-PCI bridge" rev 0x01
pci2 at ppb1 bus 2
vic0 at pci2 dev 0 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 10, address 00:0c:29:a3:72:c2
eap0 at pci2 dev 1 function 0 "Ensoniq AudioPCI97" rev 0x02: irq 9
ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
audio0 at eap0
midi0 at eap0: <AudioPCI MIDI UART>
ehci0 at pci2 dev 2 function 0 "VMware Virtual EHCI" rev 0x00: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "VMware EHCI root hub" rev 2.00/1.00 addr 1
vic1 at pci2 dev 3 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 11, address 00:0c:29:a3:72:cc
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask eb65 netmask ef65 ttymask ffe7
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
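The SPI mix-up described in the post, as an added check that is not part of the original message or of OpenBSD. Per ipsec.conf(5), the from/to addresses on an `esp tunnel` SA line are the tunnel endpoints (the gateway addresses), while the traffic selectors belong on the `flow` lines; that is why `ipsecctl -sa` prints the second SA as "from 10.100.0.0" with the /16 dropped. Both outbound SAs then terminate at the same peer 10.123.0.48 with the same protocol, and the flow for 10.100.0.0/16 names no `local` address, so the flow has nothing but the peer to pick an SA by. The script below parses an `ipsecctl -sa` dump and flags SAs whose endpoints are not local gateway addresses, outbound SAs that share a peer and protocol, and outbound flows without `local`. The SAMPLE text is reconstructed from the output above; FIXED_SAMPLE is an assumed post-fix dump, and LOCAL_ADDRS and every function name are my own.

```python
"""Flag manually keyed OpenBSD SAs that cannot be selected unambiguously.

Added example, not code from the original post or from OpenBSD. It reads
an `ipsecctl -sa` dump and assumes what ipsec.conf(5) documents: on an
`esp tunnel from A to B` SA line, A and B are the tunnel endpoints
(gateway addresses), the selectors live on the `flow` lines, an inbound
SA is picked by the packet's (dst, SPI, proto), and an outbound SA is
picked for a flow by peer address and protocol, which a flow cannot
disambiguate by SPI.
"""
import re
from ipaddress import ip_address

SA_RE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)\s+(?P<mode>tunnel|transport)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+spi\s+(?P<spi>0x[0-9a-fA-F]+)")
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>esp|ah|ipcomp)\s+(?P<dir>in|out)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+local\s+(?P<local>\S+))?\s+peer\s+(?P<peer>\S+)")

# Router A's addresses from the post (assumed input to the check).
LOCAL_ADDRS = ("10.123.0.46", "10.100.0.1")

# Constructed: the FLOWS/SAD section of the post, with the mail wrapping undone.
SAMPLE = """\
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
"""

# Constructed: what the dump should look like once both flows share one
# gateway-to-gateway SA pair and name `local` (assumed fix, not verified
# on the poster's hosts).
FIXED_SAMPLE = """\
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
"""


def parse_ipsecctl(text):
    """Split an `ipsecctl -sa` dump into flow dicts and SA dicts."""
    flows, sas = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line)
        if m:
            sa = m.groupdict()
            sa["spi"] = int(sa["spi"], 16)
            sas.append(sa)
    return flows, sas


def check(text, local_addrs=LOCAL_ADDRS):
    """Return a list of findings; an empty list means nothing suspicious."""
    local = {ip_address(a) for a in local_addrs}
    flows, sas = parse_ipsecctl(text)
    findings = []
    outbound = {}  # (peer, proto) -> SPIs the kernel could pick for that peer
    for sa in sas:
        src, dst = ip_address(sa["src"]), ip_address(sa["dst"])
        if dst in local:
            continue  # inbound: the packet's own SPI selects it, never ambiguous
        if src not in local:
            # e.g. "from 10.100.0.0": a network address was written where a
            # gateway address belongs, so neither end of the tunnel is this host
            findings.append(("bad-endpoint", sa["spi"],
                             f"neither {sa['src']} nor {sa['dst']} is a local address"))
        outbound.setdefault((sa["dst"], sa["proto"]), []).append(sa["spi"])
    for (peer, proto), spis in outbound.items():
        if len(spis) > 1:
            findings.append(("ambiguous-outbound", peer, proto, sorted(spis)))
    for f in flows:
        if f["dir"] == "out" and not f["local"]:
            findings.append(("flow-without-local", f["src"], f["dst"]))
    return findings


if __name__ == "__main__":
    for name, dump in (("posted config", SAMPLE), ("assumed fix", FIXED_SAMPLE)):
        print(f"== {name}")
        for finding in check(dump) or [("ok",)]:
            print("  ", *finding)
```

On the posted dump the check reports both 10.100.0.0 SAs as having no local endpoint, the pair 0x00010002/0x00010004 as competing for peer 10.123.0.48, and the 10.100.0.0/16 outbound flow as having no `local`; the assumed fix (one SA pair between 10.123.0.46 and 10.123.0.48, both flow lines carrying `local 10.123.0.46 peer 10.123.0.48`) reports nothing, because several flows may share one SA pair between the same two gateways.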
