> -----Urspr|ngliche Nachricht----- > Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Im Auftrag von Rod Whitworth > Gesendet: Mittwoch, 29. Oktober 2008 07:47 > An: OpenBSD general usage list > Betreff: Re: How to debug IPSec and PF problem > > > On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote: > > >Hi all, > > > >I've got a VPN running between two networks. Works fine for > basically > >everything and very easy to setup, kudos to the guys that worked on > >ipsecctl and isakmpd. > > > >I have one problem though that I am trying to debug. > > > >Network looks like this: > > > >192.168.11.250 # Asterisk1 > > | > > | > >192.168.11.1 # OpenBSD1 4.3 > > | > > | # VPN > > | > >192.168.4.1 # OpenBSD2 4.3 > > | > > | > >192.168.4.250 # Asterisk2 > > > >Firstly, I can ssh from any box to any box over the VPN. This works > >fine. So the basic VPN is functional. > > > >Secondly, 192.168.4.1 has several different routes out of it and a > >fairly complex setup in pf.conf and this is what I think I have > >misconfigured. > > > >I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2. > > > >The traffic is running and I get the traffic flowing from one end to > >the other, but return traffic is getting blocked or misrouted. > > > >Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250 > >arriving and packets from 192.168.4.250 leaving. > > > >Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250 > >arriving and packets from 192.168.4.250 leaving. > > > >Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets. > > > >Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets. > > > >I have disabled any firewalls on both asterisk boxes, but > this makes no > >change. > > > >Disabling pf on the 192.168.11.1 box makes no change. > > > >I can't disable pf on 192.168.4.1 right now (could schedule a time > >later) > > > >I believe the problem is somewhere in 192.168.4.1's pf.conf or route > >table. > > > >Now, I know this email contains no where near all the data needed to > >debug this by someone on list, but I want to work it out > myself and I > >have a few questions. > > > >1) Is the ipsec tunnel just treated like a standard interface by PF? > > > >2) how and when does the ipsec tunnel grab packets to send > through the > >tunnel? I can't see any route entries or the like. I assume it > >attaches somehow the same way PF does and intercepts packets. > > > >And probably most importantly: > > > >3) What is the best way to find what rule in PF is matching > the IAX UDP > >packet stream? I'm not getting anywhere with eyeballing it. > > > >If I can find how the packet is moving through the stack, I > am sure I > >can fix the darn thing. > > > >Thanks > > > >Mikel > > > > > By your statement "I can ssh from any box to any box over the > VPN." I understand you to mean from any LAN host at either > end to any LAN host at the other. Is that correct? > > If so why would traffic from one LAN host at the 192.168.4. > end be any different to the others? There is nothing magic > about asterisk. > > I suggest that you traceroute from 192.168.4.250 to the other > asterisk and see just where those packets go. I have a funny > feeling they are heading out to the cloud naked rather than > through IPsec. Of course if that is true there will be no > reply after they hit the $ext_if in the near-end router. > > I don't know how you would manage to get this situation > without screwing up the other hosts on the same LAN but then > you have not shown any configurations at all so I have to use > my personal ESP which has less than 6/6 vision. > > FYI your inet routing table gives no hint to packets as to > which path to choose involving IPsec. If they don't match > your ipsec.conf they don't go up the tunnel. > > If you need more help you need to supply more info. > > /R > > *** NOTE *** Please DO NOT CC me. I <am> subscribed to the > list. Mail to the sender address that does not originate at > the list server is tarpitted. The reply-to: address is > provided for those who feel compelled to reply off list. Thankyou. > > Rod/ > /earth: write failed, file system is full > cp: /earth/creatures: No space left on device > > Hi,
I think 1. netstat -rn -f encap should show 2 entries for your IPSEC tunnel, one for each direction. 2. tcpdump -lenvvvi pflog0 will show packets being blocked are let pass including the number of the rule which was applied ( if you have logging enabled in your pf.conf ) 3. tcpdump on the other interfaces of your bsd boxed might help to discover the missing packets ( if, as Rod suspects, they are just routed into the cloud ). Regards Christoph
