Re: isakmpd gateway-to-gateway VPN woes...
Hello Jack,

Thursday, March 22, 2007, 6:49:14 PM, you wrote:

JB> ... having some trouble getting a LAN-to-LAN VPN working ...
JB>
JB>               10.0.0.2/24 --- 10.0.0.1/24
JB> L1            F1              F2              L2
JB> 10.4.14.1 --- 10.4.12.1/22    10.2.12.1/22 --- 10.2.14.1
JB>
JB> L1,L2 - laptops
JB> F1,F2 - Soekris net4801 firewalls
JB>
JB> What works:
JB> L1-F1 lan communication
JB> L2-F2 lan communication
JB> F1-F2 lan communication
JB> F1-F2 IPSec communication (evidenced by F1 running "ping 10.0.0.1" and
JB> seeing only esp packets in tcpdump)
JB>
JB> What doesn't work:
JB> F1-L2 gateway'd VPN
JB> F2-L1 gateway'd VPN
JB> L1-L2 gateway-to-gateway'd VPN

Sorry if I miss something, but I don't see you trying to test the Network-to-Network VPN you are talking about. Does it work from an internal computer in one network to an internal computer in another?

Gateway-to-Gateway doesn't (and shouldn't, I think) work "out of the box" with the Network-to-Network VPN. Adding manual routes helped me to solve it. Something like "route add 10.2.12.0/22 10.4.14.1" on the F1 and "route add 10.4.12.0/22 10.2.14.1" on the F2. Your numbers are a bit confusing, but it's a "route add".

-- 
Best regards,
Boris                          mailto:[EMAIL PROTECTED]
Re: isakmpd gateway-to-gateway VPN woes...
Do your firewalls forward ip 4?

sysctl net.inet.ip.forwarding=1

Jack Bates wrote:
> If you can help, please feel free to CC: me directly: [EMAIL PROTECTED]
>
> My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN working with OpenBSD-4.0-stable isakmpd. Both firewalls have a relatively unaltered install. Both firewalls still have pf, ipsec and isakmpd_flags "unset" in rc.conf (we are configuring and starting manually - is this a problem?). We have followed the directions from the "Zero to IPSec in 4 minutes" webpage. I hope that this error report is thorough.
>
> Here is a picture of the configuration:
>
>               10.0.0.2/24 --- 10.0.0.1/24
> L1            F1              F2              L2
> 10.4.14.1 --- 10.4.12.1/22    10.2.12.1/22 --- 10.2.14.1
>
> L1,L2 - laptops
> F1,F2 - Soekris net4801 firewalls
>
> What works:
> L1-F1 lan communication
> L2-F2 lan communication
> F1-F2 lan communication
> F1-F2 IPSec communication (evidenced by F1 running "ping 10.0.0.1" and
> seeing only esp packets in tcpdump)
>
> What doesn't work:
> F1-L2 gateway'd VPN
> F2-L1 gateway'd VPN
> L1-L2 gateway-to-gateway'd VPN
>
> What is interesting is that the routing tables have a section named "Encap:" that seems to contain valid routes for the flows that do not work above, but when attempting to use "ping" on addresses on a broken flow we get "No route to host". This has got to be something simple. Thanks in advance for your help.
> Here are the pf.conf files from both firewalls:
>
> ### F1: pf.conf ###
> # jack
> ext_if="sis0"
> int_if="sis1"
> set skip on { lo $int_if enc0 }
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> block in
> pass quick on $ext_if from 10.0.0.1
> pass out keep state
> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
>
> ### F2: pf.conf ###
> # sabino
> ext_if="sis0"
> int_if="sis1"
> set skip on { lo $int_if enc0 }
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> block in
> pass quick on $ext_if from 10.0.0.2
> pass out keep state
> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
>
> ## F1: ipsec.conf ##
> # jack to sabino
> sabino_ext = "10.0.0.1"
> sabino_int = "10.2.12.0/22"
> jack_ext = "10.0.0.2"
> jack_int = "10.4.12.0/22"
>
> ike esp from $jack_int to $sabino_int peer $sabino_ext
> ike esp from $jack_ext to $sabino_int peer $sabino_ext
> ike esp from $jack_ext to $sabino_ext
>
> ## F2: ipsec.conf ##
> # sabino to jack
> sabino_ext="10.0.0.1"
> sabino_int="10.2.12.0/22"
> jack_ext="10.0.0.2"
> jack_int="10.4.12.0/22"
>
> ike passive esp from $sabino_int to $jack_int peer $jack_ext
> ike passive esp from $sabino_ext to $jack_int peer $jack_ext
> ike passive esp from $sabino_ext to $jack_ext
>
> ### F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
> # isakmpd -K -d -v
> 164953.991350 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
> 164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
> 164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
> 164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
> 165058.199701 Default isakmpd: shutting down...
> 165058.219397 Default isakmpd: exit
>
> ### F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
> # isakmpd -K -d -v
> 171251.878157 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
> 171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
> 171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
> 171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
> 171356.739110 Default isakmpd: shutting down...
> 171356.741411 Default isakmpd: exit
>
> ## F1: routing table after isakmpd negotiates tunnels ##
> # ipsecctl -f /etc/ipsec.conf
> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs   Use    Mtu  Interface
> 10.0.0/24          link#1             UC         1     0      -  sis0
> 10.0.0.1           00:00:24:c8:1d:60  UHLc       2   125      -  sis0
> 10.4.12/22         link#2             UC         1     0      -  sis1
> 10.4.14.1          00:e0:00:c2:6e:2c  UHLc       4   644      -  sis1
> 10.4.16/22         link#3             UC         0     0      -  sis2
> 127/8              127.0.0.1          UGRS       0     0  33224  lo0
> 127.0.0.1          127.0.0.1          UH         1     4  33224  lo0
> 224/4              127.0.0.1          URS        0     0  33224  lo0
>
> Internet6:
> ...abbreviated - irrelevant...
>
> Encap:
> Source             Port  Destination
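An added diagnostic, not from the thread or from OpenBSD: it checks, for a source/destination pair, whether F1's ordinary routing table (as posted above, which has no default route and no route toward 10.2.12.0/22) can deliver the packet at all, and which ipsec.conf flow would cover it. The kernel does a normal route lookup before it consults the Encap flows, so a flow with no matching route yields exactly the "No route to host" reported here, which is why Boris's "route add" matters. The expanded ipsec.conf macros and the netstat transcription are my own assumptions from the posted text.

```python
import ipaddress
import re

# Transcribed from the "netstat -rn" Internet section Jack posted for F1
# (destination column only). Note there is no "default" entry.
F1_ROUTES = ["10.0.0/24", "10.0.0.1", "10.4.12/22", "10.4.14.1",
             "10.4.16/22", "127/8", "127.0.0.1", "224/4"]

# F1's ipsec.conf from the thread, macros expanded by hand (assumption).
F1_IPSEC_CONF = """\
ike esp from 10.4.12.0/22 to 10.2.12.0/22 peer 10.0.0.1
ike esp from 10.0.0.2 to 10.2.12.0/22 peer 10.0.0.1
ike esp from 10.0.0.2 to 10.0.0.1
"""
FLOW_RE = re.compile(r"^ike\s+(?:passive\s+)?esp\s+from\s+(\S+)\s+to\s+(\S+)")

def parse_prefix(text):
    # netstat prints "10.4.12/22" and "default"; ipsec.conf prints "10.4.12.0/22".
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    host, _, plen = text.partition("/")
    octets = host.split(".")
    host = ".".join(octets + ["0"] * (4 - len(octets)))   # pad dropped zero octets
    return ipaddress.ip_network(f"{host}/{plen or 32}", strict=False)

def parse_flows(conf):
    # [(src_net, dst_net)] for every "ike [passive] esp from A to B" rule
    flows = []
    for line in conf.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((parse_prefix(m.group(1)), parse_prefix(m.group(2))))
    return flows

def has_route(routes, dst):
    # Can the ordinary routing table deliver a packet to dst at all?
    addr = ipaddress.ip_address(dst)
    return any(addr in parse_prefix(r) for r in routes)

def matching_flow(flows, src, dst):
    # First flow "src_net -> dst_net" that covers the pair, else None.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for fs, fd in flows:
        if s in fs and d in fd:
            return f"{fs} -> {fd}"
    return None

def diagnose(routes, conf, src, dst):
    # (route_ok, flow): with route_ok False the kernel answers "No route to
    # host" before the Encap flow is ever consulted, whatever the flow says.
    return has_route(routes, dst), matching_flow(parse_flows(conf), src, dst)
```

With the table as posted, diagnose(F1_ROUTES, F1_IPSEC_CONF, "10.4.14.1", "10.2.14.1") returns (False, "10.4.12.0/22 -> 10.2.12.0/22"): the L1-to-L2 flow exists but nothing routes the packet; appending "10.2.12/22" or "default" to the route list flips the first value to True.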
isakmpd gateway-to-gateway VPN woes...