an idea to implement in bgpd/bgpctl

2012-02-22 Thread Gregory Edigarov
Hello misc@,

How about having something like an explain <prefix> command for bgpctl?
If given it should pass the prefix through the bgp path selection
algorithm showing WHY this or another path was selected.
I mean one can always follow the 13 steps in the mind, but I would
prefer having that done by machine.

What do you think?


-- 
With best regards,
Gregory Edigarov



Re: 5.0 Stable (amd64) build appears broken.

2012-02-22 Thread Stuart Henderson
On 2012-02-21, Duncan Patton a Campbell campb...@neotext.ca wrote:
 read and weep.  i did.  when you do a cd install, it puts
 src (sys), and xenocara in /usr.  that primes the src/sys
 tree.  if you then _move_ those trees out of the way entirely,
 and do a cvs checkout of the whole tree, well that's what *I* saw
 anyways.

primes? it just creates empty directories. I think this is a
permissions problem. I saw a similar problem building a release
(i.e. root needs to write to compile/) on NFS without -maproot.



Re: How to deal with DDoS ?

2012-02-22 Thread Rudolf Leitgeb
On Wednesday, 22 February 2012, 08:36:49, Jan Stary wrote:
  $ sysctl net.inet.udp.{recvspace,sendspace}
  net.inet.udp.recvspace=131072
  net.inet.udp.sendspace=131072
 
 I don't think it's gonna help with handling a DDOS, anyway.

Especially not in this particular case. He drops UDP anyway and 
reportedly fights a SYN flood attack.



Re: How to deal with DDoS ?

2012-02-22 Thread Stuart Henderson
On 2012-02-21, Hassan Monfared hmonfa...@gmail.com wrote:
 Hi,
 have you tried to set some tuning options in pf.conf & sysctl.conf ?
 eg:
 for sysctl.conf:
 net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
 (256*number of physical interfaces)
 kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
 RAM for cache (default 10%)
 net.inet.udp.recvspace=131072 # Increase based on your memory
 net.inet.udp.sendspace=131072 # Increase based on your memory
 ddb.panic=0 # do not enter ddb console on kernel panic,
 reboot if possible, this reduces headache

These have nothing to do with state overflow (except raising
bufcachepercent will leave less space for states..)

 for pf.conf :
 set optimization aggressive

May possibly help (or you can set state limits per-rule; *very*
tight ones might be appropriate for the attack traffic).



Re: How to deal with DDoS ?

2012-02-22 Thread Roger S.
On Tue, Feb 21, 2012 at 9:51 PM, Joachim Schipper
joac...@joachimschipper.nl wrote:
 Just the most obvious idea, since you mention that this sort-of-works if
 you put block drop in quick from !<whitelisted_users>: does it handle
 this load if you turn off pf, or only include one or two trivial rules?

Did not try to turn off pf (I need it anyway), and my pf.conf is very
simple and already optimized following the good book of pf and some
undeadly posts.

 It certainly suggests that you may be well-served by optimizing your
 pf.conf... (also, you've probably found the synproxy directive? If
 not, try that too.)

I already use synproxy, the problem is that I get so much SYN that
pf/state table collapses.

 Also, state tracking is apparently faster than stateless pf for normal
 firewalls. I'd double-check if this is still true in your case, though;
 if nothing else, stateless pf makes a CARP'ed setup easier.

I am not sure I understand here. I want to use synproxy to protect my
backend servers, so I need state tracking.

 I'm pretty sure you can muck with the rules without dropping existing
 connections. (pf essentially does "does this packet match a known state?"
 If not, look at pf.conf.) This is almost certainly easier than your
 proposed daemon.

Sure thing, the daemon is only a workaround to provide degraded but
working service when under attack.

 A final, rather hackish, idea that probably does need a bit of
 programming: greylisting for SYNs. Legitimate users will send you a
 second SYN, so you could do something like (this has not even been
 syntax-checked!)
  block drop log in quick from !<syn_seen> no state flags S/SA

I like the idea. This may need some programming indeed, but it seems
even better than my idea. Thanks, I'll take a look at this.

 and then add every logged IP to syn_seen. Obviously, this will slow down
 access to the service for legitimate users, which may or may not be
 acceptable.

We are speaking of a slower but working service, or no service at all.
I prefer the first alternative :)
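As an added illustration (not code from the thread), a feeder for Joachim's SYN greylisting idea: it pulls the source addresses of dropped SYNs out of pflog output and builds the pfctl calls that admit them to the syn_seen table. The pflog sample, the table name and the tcpdump line format are assumptions; the batch cap is there because the attacker decides how many distinct sources show up in the log.

```python
import re

# Line format assumed from "tcpdump -n -e -ttt -i pflog0" on OpenBSD of
# that era; the sample below is constructed, not a real capture.
PFLOG_SYN_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) block in on (?P<ifn>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+: S ")

SAMPLE_PFLOG = """\
Feb 22 10:00:01.000100 rule 4/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.10.80: S 1:1(0) win 65535
Feb 22 10:00:01.000200 rule 4/(match) block in on em0: 198.51.100.7.40001 > 192.0.2.10.443: S 7:7(0) win 8192
Feb 22 10:00:01.000300 rule 4/(match) block in on em0: 203.0.113.5.51235 > 192.0.2.10.80: S 2:2(0) win 65535
Feb 22 10:00:01.000400 rule 2/(match) block in on em0: 203.0.113.9.53 > 192.0.2.10.53: udp 40
"""


def syn_sources(pflog_text, max_new=1000):
    """Distinct source addresses of logged, dropped SYNs, in first-seen
    order.  Capped per batch so one run cannot grow the table without
    bound: the number of distinct sources is attacker-controlled."""
    seen = []
    for line in pflog_text.splitlines():
        m = PFLOG_SYN_RE.search(line)
        if m is None:
            continue  # not a SYN dropped by the greylist rule (e.g. the UDP line)
        src = m.group("src")
        if src not in seen:
            seen.append(src)
            if len(seen) >= max_new:
                break
    return seen


def pfctl_add_command(table, addrs):
    """argv for admitting the addresses; pfctl -T add takes several
    addresses in one call.  Returned, not executed."""
    return ["pfctl", "-t", table, "-T", "add"] + list(addrs)


def pfctl_expire_command(table, seconds):
    """pfctl -T expire deletes entries added (or last stat-cleared) more
    than N seconds ago, so the table shrinks once a source goes quiet."""
    return ["pfctl", "-t", table, "-T", "expire", str(seconds)]


if __name__ == "__main__":
    srcs = syn_sources(SAMPLE_PFLOG)
    print(" ".join(pfctl_add_command("syn_seen", srcs)))
    print(" ".join(pfctl_expire_command("syn_seen", 3600)))
```

Run it periodically against the live pflog output rather than once; the second SYN from a legitimate client only passes once its address is in the table.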



Re: How to deal with DDoS ?

2012-02-22 Thread Henning Brauer
can people please stop suggesting to push random buttons they don't
understand?
this is a prime example.

* Hassan Monfared hmonfa...@gmail.com [2012-02-22 00:22]:
 Hi,
 have you tried to set some tuning options in pf.conf & sysctl.conf ?
 eg:
 for sysctl.conf:
 net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
 (256*number of physical interfaces)

that rule of thumb is at least inaccurate. i'm pretty certain i
explained the details before and am getting tired of repeating myself
over and over.

 kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
 RAM for cache (default 10%)

that is entirely useless on a firewall.

 net.inet.udp.recvspace=131072 # Increase based on your memory
 net.inet.udp.sendspace=131072 # Increase based on your memory

that is
a) obsoleted by the autosizing
b) entirely useless for not locally terminated connections anyway

I gave the OP some input in private mail which I don't think belongs in
public. There is no one-size-fits-all recipe for dealing with DDoS.

And I certainly don't want to teach people how to make better DDoS
attacks.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: an idea to implement in bgpd/bgpctl

2012-02-22 Thread Henning Brauer
* Gregory Edigarov g...@bestnet.kharkov.ua [2012-02-22 09:08]:
 How about having something like an explain <prefix> command for bgpctl?
 If given it should pass the prefix through the bgp path selection
 algorithm showing WHY this or another path was selected.
 I mean one can always follow the 13 steps in the mind, but I would
 prefer having that done by machine.
 
 What do you think?

I'd look at the diff

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: smartphones and managing openbsd servers

2012-02-22 Thread Raimo Niskanen
I have used ConnectBot occasionally on an Xperia Neo. The screen
is very small and ConnectBot works best in portrait mode making
the characters even smaller. But it works.

I just downloaded PaderSync SSH Trial and I think I will buy the
full version. It has a semi transparent keyboard with easy
access to Ctrl, Alt, etc keys (in contrast to ConnectBot)
and works in landscape mode giving larger characters.
So it feels a few notches more usable than ConnectBot
(after 5 minutes of using, on a small screen, without hardware
keyboard, ...). It also claims to do scp...

/ Raimo



On Mon, Feb 20, 2012 at 06:21:01PM -0600, Nick Templeton wrote:
 I use ConnectBot to SSH into servers on my Google/Samsung Nexus S 4G
 running CyanogenMod with the Hacker's Keyboard. It works great in a
 pinch, but I wouldn't want to spend all day using it to admin a
 server.
 
 -Nick
 
 On Sat, Feb 18, 2012 at 5:06 PM, Marcos Ariel Laufer
 mar...@ipversion4.com wrote:
  Hello list,
  This might not be OpenBSD specific, but maybe users can share their
  experiences with smartphones and managing OpenBSD servers.
  So far, my smartphone has been a very useful tool to manage my OpenBSD
  servers. Currently I am using a Palm Treo 680 with some lousy ssh
  application to access my servers, it is useful, but this is getting pretty
  ancient, doesn't have wifi for example, and I would like that feature on a
  smartphone. I also love the touch screen.
  What newer smartphones do you recommend for using also as a tool for
  managing OpenBSD servers (maybe windogs too) ? What experiences have you had
  with smartphones and OpenBSD managing?
 
  Best regards,
  Marcos

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: smartphones and managing openbsd servers

2012-02-22 Thread Raimo Niskanen
On Wed, Feb 22, 2012 at 10:09:51AM +0100, Raimo Niskanen wrote:
:
 
 I just downloaded PaderSync SSH Trial and I think I will buy the
:
 keyboard, ...). It also claims to do scp...

Sorry, sftp, not scp.

 
 / Raimo
:

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: How to deal with DDoS ?

2012-02-22 Thread Stuart Henderson
On 2012-02-22, Stuart Henderson s...@spacehopper.org wrote:
 On 2012-02-21, Hassan Monfared hmonfa...@gmail.com wrote:
 Hi,
 have you tried to set some tuning options in pf.conf & sysctl.conf ?
 eg:
 for sysctl.conf:
 net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
 (256*number of physical interfaces)
 kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
 RAM for cache (default 10%)
 net.inet.udp.recvspace=131072 # Increase based on your memory
 net.inet.udp.sendspace=131072 # Increase based on your memory
 ddb.panic=0 # do not enter ddb console on kernel panic,
 reboot if possible, this reduces headache

 These have nothing to do with state overflow

 (except raising bufcachepercent will leave less space for states..)

it was pointed out offlist that this may be incorrect, the theory is
that it should shrink when you need the space; that said it won't help
anyway and if for some reason it doesn't shrink you'll have problems.



Re: How to deal with DDoS ?

2012-02-22 Thread Stuart Henderson
My followup mail was just about bufcachepercent. Auto-sizing socket
buffers is pointless on a firewall. Even if it were useful, if you are
running into resource starvation you want to *DECREASE* resource use
not increase it.

aggressive sets tcp.first to 30s. 2M SYNs per second * 30s = 60M states;
Roger said that 5M states is too much for the box.


On 2012/02/22 13:11, Hassan Monfared wrote:
 1- auto-sizing in obsd5.0 is for tcp not udp.
 2- I think setting option to aggressive will help.
 
 
 On 2/22/12, Stuart Henderson s...@spacehopper.org wrote:
  On 2012-02-22, Stuart Henderson s...@spacehopper.org wrote:
  On 2012-02-21, Hassan Monfared hmonfa...@gmail.com wrote:
  Hi,
  have you tried to set some tuning options in pf.conf & sysctl.conf ?
  eg:
  for sysctl.conf:
  net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
  (256*number of physical interfaces)
  kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
  RAM for cache (default 10%)
  net.inet.udp.recvspace=131072 # Increase based on your memory
  net.inet.udp.sendspace=131072 # Increase based on your memory
  ddb.panic=0 # do not enter ddb console on kernel panic,
  reboot if possible, this reduces headache
 
  These have nothing to do with state overflow
 
  (except raising bufcachepercent will leave less space for states..)
 
  it was pointed out offlist that this may be incorrect, the theory is
  that it should shrink when you need the space; that said it won't help
  anyway and if for some reason it doesn't shrink you'll have problems.



Asus Eee PC R101 Netbook

2012-02-22 Thread scire
Does someone have experience with OpenBSD and the above laptop?
Does OpenBSD run there and support all devices (Wlan, Ethernet, etc)?

Thanks in advance for any hint!

Rodrigo



Re: smartphones and managing openbsd servers

2012-02-22 Thread Anonymous Remailer (austria)
 I just downloaded PaderSync SSH Trial and I think I will buy the
 full version.

I got it before it was a paid app whilst still in testing. It seems very
good and handles large keys well enough. The only objection I've got is the
menus and dialogs can be a bit wordy but it does seem to work fine.

 It has a semi transparent keyboard with easy
 access to Ctrl, Alt, etc keys (in contrast to ConnectBot)
 and works in landscape mode giving larger characters.

BlackBerrys have a physical keyboard so we've got to use the transparent
onscreen kb just for bits like control and alt keys (emacs is fun on a BB)

 keyboard, ...). It also claims to do scp...

yeah sftp telnet and maybe smb. an nfs client would be grand.



USB connection strangeness

2012-02-22 Thread Jan Stary
On this (almost) current/i386,
strange things sometimes happen
when plugging things into USB ports.

The machine has 10 USB ports:
8 in the back, 2 in the front.

At the back, 5 ports are occupied with:
keyboard, mouse, disk, disk, printer.

Now, *sometimes* when I plug a sixth thing into a back port
(say, another disk), the keyboard and mouse become unresponsive.
The disks that were there before continue to work OK.
The machine can be ssh'd into remotely and everything seems to run OK.
When I unplug-and-plug the keyboard again, it becomes responsive again.

It happened a few times in X.
It never happened on a tty.

When I plug anything into any of the front USB ports,
the machine reboots immediately.

Is there something to be suspicious of on the OpenBSD side,
or is this solely a hardware problem? Could it make a difference
what is plugged where (into which usbX on which uhubY)?

Jan


OpenBSD 5.1-beta (GENERIC.MP) #167: Sat Jan 21 00:49:25 MST 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

Re: How to deal with DDoS ?

2012-02-22 Thread Mehma Sarja

On 2/22/12 12:39 AM, Roger S. wrote:

On Tue, Feb 21, 2012 at 9:51 PM, Joachim Schipper
joac...@joachimschipper.nl  wrote:

Just the most obvious idea, since you mention that this sort-of-works if
you put block drop in quick from !<whitelisted_users>: does it handle
this load if you turn off pf, or only include one or two trivial rules?

Hi,

I don't know nothing about nothing but someone once said as I was 
struggling with a Snort and country block setup, why don't you put them 
on different machines? As I am sure you have thought about this, can 
you reduce the volume of attacks with a different machine so your pf 
machine can handle the rest?


Mehma



Ospfd : choose between 2 default routes

2012-02-22 Thread Mathieu BLANC
Hello !

I have an OSPF setup with 4 routers :

INTERNET
 |    |
C1   C2
 |    |
O1   O2
 |    |
NE1  NE2

C1 and C2 are Cisco Routers, O1 and O2 OpenBSD.
OSPF is used between C1/C2/O1/O2
NE1 is the network managed by O1, NE2 the network managed by O2.

C1 and C2 distribute a default route to O1/O2 (same metric)

Is there a way, in ospfd, to say to O1 : C1 is your preferred default
route and to O2 : C2 is your preferred default route ?

The link between O1---C2 (and O2---C1) is a very slow line and should be
used just as backup.

If I use different metrics on C1/C2, I think O1 and O2 will use the same
router (and by the way one of them will use the slow link). Maybe I have
missed something ?

Thank you in advance !

-- 
Mathieu



Re: Ospfd : choose between 2 default routes

2012-02-22 Thread Claudio Jeker
On Wed, Feb 22, 2012 at 05:05:28PM +0100, Mathieu BLANC wrote:
 Hello !
 
 I have an OSPF setup with 4 routers :
 
 INTERNET
  |    |
 C1   C2
  |    |
 O1   O2
  |    |
 NE1  NE2
 
 C1 and C2 are Cisco Routers, O1 and O2 OpenBSD.
 OSPF is used between C1/C2/O1/O2
 NE1 is the network managed by O1, NE2 the network managed by O2.
 
 C1 and C2 distribute a default route to O1/O2 (same metric)
 
 Is there a way, in ospfd, to say to O1 : C1 is your preferred default
 route and to O2 : C2 is your preferred default route ?
 
 The link between O1---C2 (and O2---C1) is a very slow line and should be
 used just as backup.
 
 If I use different metrics on C1/C2, I think O1 and O2 will use the same
 router (and by the way one of them will use the slow link). Maybe I have
 missed something ?
 

If C1, C2, O1 and O2 share the same L2 network then you're out of luck. For
OSPF a L2 network has no metric -- only the uplinks into the L2 network
have a metric but that does not matter in your case.

There are some more or less evil ways to work around this. IMO the cleanest
would be to make sure that the slow link between the systems shows up as
different network (e.g. by using VLANs). Then it is possible to introduce
higher metrics for this link.

-- 
:wq Claudio
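An added worked example (not from the thread) of the point Claudio makes: an SPF run over the four routers, first with all of them on one L2 segment, then with each O-C pair on its own VLAN. On the shared segment the transit network is a pseudo-node with zero cost back to every router, so O1 sees C1 and C2 at the same cost and different external metrics only make both O routers prefer the same Cisco; with the links split, a high metric on the slow VLAN gives each O router its own preferred default and a fallback. Interface costs and external metrics are assumed values.

```python
import heapq


def add_link(graph, a, b, cost_ab, cost_ba):
    graph.setdefault(a, {})[b] = cost_ab
    graph.setdefault(b, {})[a] = cost_ba


def remove_link(graph, a, b):
    """Simulate a link failure in both directions; returns the graph."""
    graph[a].pop(b, None)
    graph[b].pop(a, None)
    return graph


def spf(graph, source):
    """Dijkstra over the link-state graph: cost from source to every node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph.get(node, {}).items():
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def default_route_choice(graph, router, asbrs):
    """asbrs maps ASBR name -> external metric it advertises for 0/0.
    Type-1 externals compare internal cost + external metric; every
    ASBR with the lowest total is an equal-cost candidate."""
    dist = spf(graph, router)
    total = {a: dist[a] + m for a, m in asbrs.items() if a in dist}
    best = min(total.values())
    return sorted(a for a, t in total.items() if t == best)


def shared_lan(ifcost=10):
    """All four routers on one L2 segment, modelled as OSPF does: a
    transit-network pseudo-node N; router->N costs the interface metric,
    N->router costs 0 (assumed interface cost 10)."""
    g = {}
    for r in ("C1", "C2", "O1", "O2"):
        add_link(g, r, "N", ifcost, 0)
    return g


def vlan_split(fast=10, slow=100):
    """Each O-C pair on its own VLAN, so each link carries its own
    metric (assumed: 10 on the fast links, 100 on the slow ones)."""
    g = {}
    add_link(g, "O1", "C1", fast, fast)
    add_link(g, "O2", "C2", fast, fast)
    add_link(g, "O1", "C2", slow, slow)
    add_link(g, "O2", "C1", slow, slow)
    return g


if __name__ == "__main__":
    same = {"C1": 1, "C2": 1}
    skewed = {"C1": 1, "C2": 5}
    for name, g in (("shared LAN", shared_lan()), ("VLAN split", vlan_split())):
        for r in ("O1", "O2"):
            print(name, r, "equal metrics ->", default_route_choice(g, r, same),
                  "C2 worse ->", default_route_choice(g, r, skewed))
    print("VLAN split, O1-C1 down ->",
          default_route_choice(remove_link(vlan_split(), "O1", "C1"), "O1", same))
```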




Re: smartphones and managing openbsd servers

2012-02-22 Thread Kevin Chadwick
On Wed, 22 Feb 2012 10:23:33 +0100
Raimo Niskanen wrote:

 Sorry, sftp,

When I looked, I couldn't find an open source sftp for Android but
andftp works well.

I'm very careful with what I let the almost constantly full of exploits
phone have access to (a network being as strong as its weakest link).

For routine daily changes to a web pages price whilst out, I use a
dedicated empty chroot that the server then picks up files from,
checking them before use.

-- 
Kc



Re: smartphones and managing openbsd servers

2012-02-22 Thread Chris Cappuccio
Kevin Chadwick [ma1l1i...@yahoo.co.uk] wrote:
 
 I'm very careful with what I let the almost constantly full of exploits
 phone have access to (a network being as strong as its weakest link).
 

There were rumors in the last 20 years of firmware being loaded on phones to 
provide an anonymous, remote tap point for and by various sophisticated 
individuals. Now Google brings it to everyone, no sophistication required :)



IPSEC Site-to-Site not routing packages

2012-02-22 Thread Morten Christensen
Dear fellow OpenBSD friends.

I'm setting up 2 FW's that should form a VPN tunnel securing the net behind 
each FW - simple

NET x - FW x - WAN - FW y - NET y

I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

On FW x
# cat /etc/ipsec.conf
ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk lotsofFishs4meAndyou

netstat -rn
Encap:
Source       Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
10.20/16     0     10.21.35/24  0     0      212.37.141.59/esp/use/in
10.21.35/24  0     10.20/16     0     0      212.37.141.59/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes



On FW y
# cat /etc/ipsec.conf
ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk lotsofFishs4meAndyou

netstat -rn
Encap:
Source       Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
10.21.35/24  0     10.20/16     0     0      212.37.141.60/esp/use/in
10.20/16     0     10.21.35/24  0     0      212.37.141.60/esp/require/out

# ipsecctl -sa 
FLOWS:
flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type use
flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

Of course on both machines
net.inet.ip.forwarding=1

Pinging from a host on NET x
Request timeout for icmp_seq 1402
36 bytes from 10.21.35.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 5400 736e   0   40  01 cfa4 10.21.35.100  10.20.0.10

The gateway clearly answers that it can't route the packet!?

Pinging directly from FWx to FWy WORKS !!! ???

# ping -I 10.21.35.1 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms
Dump while ping
# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)
13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)


Is routing the problem? What is the cause? It looks like each FW doesn't
permit routing packets from LAN hosts.

Thanks for your help

Regards

Morten Bech Christensen
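An added helper, not part of the post: it parses the FLOWS section of ipsecctl -sa as shown for FW x above and reports which flow, if any, covers a given packet in a given direction, so one can confirm that a LAN host's ping (10.21.35.100 to 10.20.0.10) sits inside the require flow before looking at routing. The most-specific-match rule is a simplification assumed here; the flow text is copied from the post.

```python
import ipaddress
import re

FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) "
    r"peer (?P<peer>\S+)(?: srcid \S+ dstid \S+)? type (?P<type>use|require)")

# FLOWS block for FW x from the post, one flow per line.
FLOWS_FW_X = """\
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require
"""


def parse_flows(text):
    """Turn ipsecctl -sa FLOWS lines into dicts with parsed networks."""
    flows = []
    for m in FLOW_RE.finditer(text):
        flows.append({
            "dir": m.group("dir"),
            "src": ipaddress.ip_network(m.group("src")),
            "dst": ipaddress.ip_network(m.group("dst")),
            "peer": m.group("peer"),
            "type": m.group("type"),
        })
    return flows


def match_flow(flows, direction, src, dst):
    """Most specific flow (assumed: longest combined prefix) covering
    src->dst in the given direction, or None when no flow applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for f in flows:
        if f["dir"] != direction or src not in f["src"] or dst not in f["dst"]:
            continue
        if best is None or (f["src"].prefixlen + f["dst"].prefixlen
                            > best["src"].prefixlen + best["dst"].prefixlen):
            best = f
    return best


def describe(flow):
    if flow is None:
        return "no flow covers this packet"
    return "%s flow via peer %s (%s)" % (flow["dir"], flow["peer"], flow["type"])


if __name__ == "__main__":
    flows = parse_flows(FLOWS_FW_X)
    # The LAN host's ping from the post, and its reply direction.
    print(describe(match_flow(flows, "out", "10.21.35.100", "10.20.0.10")))
    print(describe(match_flow(flows, "in", "10.20.0.10", "10.21.35.100")))
    # A destination outside the tunnel (documentation address, constructed).
    print(describe(match_flow(flows, "out", "10.21.35.100", "192.0.2.1")))
```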