On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:

>Hi all,
>
>I've got a VPN running between two networks. Works fine for basically
>everything and very easy to set up, kudos to the guys that worked on
>ipsecctl and isakmpd.
>
>I have one problem though that I am trying to debug.
>
>Network looks like this:
>
>192.168.11.250        # Asterisk1
>         |
>         |
>192.168.11.1            # OpenBSD1 4.3
>         |
>         |                     # VPN
>         |
>192.168.4.1              # OpenBSD2 4.3
>         |
>         |
>192.168.4.250           # Asterisk2
>
>Firstly, I can ssh from any box to any box over the VPN.  This works
>fine.  So the basic VPN is functional.
>
>Secondly, 192.168.4.1 has several different routes out of it and a
>fairly complex setup in pf.conf and this is what I think I have
>misconfigured.
>
>I am trying to set up an IAX2 (port 4569) from asterisk1 to asterisk2.
>
>The traffic is running and I get the traffic flowing from one end to
>the other, but return traffic is getting blocked or misrouted.
>
>Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250
>arriving and packets from 192.168.4.250 leaving.
>
>Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250
>arriving and packets from 192.168.4.250 leaving.
>
>Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets.
>
>Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets.
>
>I have disabled any firewalls on both asterisk boxes, but this makes no change.
>
>Disabling pf on the 192.168.11.1 box makes no change.
>
>I can't disable pf on 192.168.4.1 right now (could schedule a time later)
>
>I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.
>
>Now, I know this email contains nowhere near all the data needed to
>debug this by someone on list, but I want to work it out myself and I
>have a few questions.
>
>1) Is the ipsec tunnel just treated like a standard interface by PF?
>
>2) how and when does the ipsec tunnel grab packets to send through the
>tunnel?  I can't see any route entries or the like.  I assume it
>attaches somehow the same way PF does and intercepts packets.
>
>And probably most importantly:
>
>3) What is the best way to find what rule in PF is matching the IAX
>UDP packet stream?  I'm not getting anywhere with eyeballing it.
>
>If I can find how the packet is moving through the stack, I am sure I
>can fix the darn thing.
>
>Thanks
>
>Mikel
>


By your statement "I can ssh from any box to any box over the VPN." I
understand you to mean from any LAN host at either end to any LAN host
at the other. Is that correct?

If so why would traffic from one LAN host at the 192.168.4. end be any
different to the others? There is nothing magic about asterisk.

I suggest that you traceroute from 192.168.4.250 to the other asterisk
and see just where those packets go. I have a funny feeling they are
heading out to the cloud naked rather than through IPsec. Of course if
that is true there will be no reply after they hit the $ext_if in the
near-end router.

I don't know how you would manage to get this situation without
screwing up the other hosts on the same LAN but then you have not shown
any configurations at all so I have to use my personal ESP which has
less than 6/6 vision.

FYI your inet routing table gives no hint to packets as to which path
to choose involving IPsec. If they don't match your ipsec.conf they
don't go up the tunnel.

If you need more help you need to supply more info.

/R

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
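The point made in the reply above, that the inet routing table says nothing about IPsec and only packets matching a flow go up the tunnel, can be checked mechanically. The script below is an added example, not code from either poster: it emulates the kernel's flow lookup over a CONSTRUCTED flow list shaped like `ipsecctl -sf` output for this network (peer 203.0.113.1 is a placeholder), and keeps the pf checks for the IAX2 stream in a function that is only meant to be run on the gateway.

```shell
# Added example, not from the thread: emulate the kernel's flow lookup so you
# can see whether a packet pair is covered by an IPsec flow at all.  The flow
# list below is CONSTRUCTED to look like `ipsecctl -sf` output for this setup
# (peer 203.0.113.1 is a placeholder); on the gateway feed the live listing in:
#   ipsecctl -sf | flow_covers out 192.168.4.250 192.168.11.250
FLOWS='flow esp in from 192.168.11.0/24 to 192.168.4.0/24 peer 203.0.113.1 type use
flow esp out from 192.168.4.0/24 to 192.168.11.0/24 peer 203.0.113.1 type require'

# flow_covers DIR SRC DST < flow-list
# Prints the first flow in direction DIR (in/out) whose from/to prefixes contain
# SRC and DST and exits 0.  Exits 1 when none does: such a packet is left to the
# plain inet routing table and leaves $ext_if unencrypted.
flow_covers() {
    awk -v dir="$1" -v src="$2" -v dst="$3" '
    function ip2n(a,  o) {
        split(a, o, "."); return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    # in_net(ip, "net/len"): 1 if ip lies inside the prefix ("/32" when no len given)
    function in_net(ip, cidr,  p, n, len, hostbits) {
        n = split(cidr, p, "/"); len = (n == 2) ? p[2] : 32
        if (len == 0) return 1
        hostbits = 2 ^ (32 - len)
        return int(ip2n(ip) / hostbits) == int(ip2n(p[1]) / hostbits)
    }
    $1 == "flow" && $3 == dir && in_net(src, $5) && in_net(dst, $7) { print; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Once the flow is right, pf is the next suspect.  Not run here (needs the
# gateway): numbered rules with hit counters, existing states for the IAX2
# stream, and, after adding "log" to the candidate rules, the matching rule as
# pflog0 reports it ("rule N/(match) pass in on enc0: ...").
pf_trace_iax() {
    pfctl -vvsr
    pfctl -ss | grep 4569
    tcpdump -n -e -ttt -i pflog0 udp port 4569
}

# Demo on the constructed list: Asterisk2 -> Asterisk1 is covered, an
# Internet destination is not and would leave in the clear.
printf '%s\n' "$FLOWS" | flow_covers out 192.168.4.250 192.168.11.250
printf '%s\n' "$FLOWS" | flow_covers out 192.168.4.250 198.51.100.7 \
    || echo "no flow for 192.168.4.250 -> 198.51.100.7: routed by inet table"
```

A traceroute from 192.168.4.250, as suggested above, is the live counterpart of the second demo line: a first hop beyond the gateway means the packet never matched a flow.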
