Hello!

I've set up a tunnel between OpenBSD 5.6 using iked and an OpenWrt router
running strongSwan.
The tunnel works great with ping and other traffic, but traffic between the
two external IPs dies.

This is a site-to-site connection and nothing fancy.

iked.conf on OpenBSD:
ikev2 esp from $10.11.12.0/24 to $194.168.4.0/24 peer $tcgw srcid sippan.se

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.4.0/24 to 10.11.12.0/24 peer 82.17.12.21 srcid FQDN/sippan.se dstid FQDN/sswan.sippan.se type use
flow esp out from 10.11.12.0/24 to 192.168.4.0/24 peer 82.17.12.21 srcid FQDN/sippan.se dstid FQDN/sswan.sippan.se type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 82.17.12.21 to 130.51.23.4 spi 0x67483925 auth hmac-sha1 enc aes
esp tunnel from 130.51.23.4 to 82.17.12.21 spi 0xcf1f39d1 auth hmac-sha1 enc aes

# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            130.51.23.4     UGS       10 30430256     -     8 em0
10/8               link#5             UC         1        0     -     4 vether0
10.11.12.13        fe:e1:ba:d0:d6:1c  UHLl       0        1     -     1 lo0
10.255.255.255     link#5             UHLc       3      570     -     4 vether0
82.17.12.21      130.51.23.4     UGHD       0 30430251     - L  56 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UH         1        6 32768     4 lo0
194.48.213.128/27  link#1             UC         1        0     -     4 em0
130.51.23.4     00:00:cd:19:95:16  UHLc       2        0     -     4 em0
130.51.23.4     00:02:b3:aa:cc:c3  HLl        0        0     -     1 lo0
224/4              127.0.0.1          URS        0        0 32768     8 lo0

Internet6:
-removed, don't use it-

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.4/24       0     10.11.12/24        0     0      82.17.12.21/esp/use/in
10.11.12/24        0     192.168.4/24       0     0      82.17.12.21/esp/require/out
default            0     default            0     0      none/esp/deny/out

# tcpdump on OpenBSD while trying to connect with ssh to the external IP of
the OpenBSD host from the external IP of the other end.

# tcpdump host 82.17.12.21
tcpdump: listening on em0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
16:49:55.539903 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: S
2729317717:2729317717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
(DF)
16:49:55.539932 loller.sippan.se.ssh > egget.priv.lamest.se.54158: S
2317435827:2317435827(0) ack 2729317718 win 16384 <mss
1240,nop,nop,sackOK,nop,wscale 3>
16:49:55.545936 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: . ack 1
win 256 (DF)
16:49:55.553927 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
seq 190 len 100
16:50:01.553883 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
seq 191 len 100
16:50:05.977468 esp egget.priv.lamest.se > loller.sippan.se spi 0x67483925
seq 127 len 84 (DF)
16:50:05.977519 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
seq 192 len 84


# tcpdump on enc0 while trying ssh and https
tcpdump: listening on enc0, link-type ENC
tcpdump: WARNING: compensating for unaligned libpcap packets
17:01:01.578622 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.ssh > egget.priv.lamest.se.54158: R
2317435850:2317435850(0) ack 2729317718 win 0 (encap)
17:01:05.786123 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.ssh > egget.priv.lamest.se.54792: P
3813334764:3813334785(21) ack 2711749548 win 2170 (encap)
17:01:05.968654 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.https > egget.priv.lamest.se.54793: P
3540908942:3540909100(158) ack 1840586787 win 2170 (encap)
17:01:06.265543 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
(encap)
17:01:06.876165 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
(encap)
17:01:08.095189 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
(encap)
17:01:10.459116 (authentic,confidential): SPI 0xc31749f4:
loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
(encap)

So it appears that OpenBSD tries to send back traffic with ESP when it
shouldn't.

I'd also like to add that the exact same setup works with isakmpd.

Best regards
Martin
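To make the reasoning in the report checkable, here is an added example (not part of the original post, and not OpenBSD or iked code) that parses the FLOWS section of `ipsecctl -sa` and reports which flow a given direction/source/destination would match. It is a simplified model of the SPD lookup (most specific matching flow wins, by combined prefix length); the real kernel lookup is more involved, so treat it as an illustration of the expected policy, not as a reimplementation. The sample flows are the ones shown in the post; the external addresses are the SA endpoints from the SAD, and the inner host 192.168.4.10 is a constructed example address.

```python
"""Match packets against IPsec flows (SPD entries) parsed from `ipsecctl -sa` output.

Added illustration only: a simplified model of flow matching, not OpenBSD code.
"""
import ipaddress
import re

# Constructed sample: the FLOWS section from the post, one flow per line.
SAMPLE_FLOWS = """\
flow esp in from 192.168.4.0/24 to 10.11.12.0/24 peer 82.17.12.21 srcid FQDN/sippan.se dstid FQDN/sswan.sippan.se type use
flow esp out from 10.11.12.0/24 to 192.168.4.0/24 peer 82.17.12.21 srcid FQDN/sippan.se dstid FQDN/sswan.sippan.se type require
flow esp out from ::/0 to ::/0 type deny
"""

# Fields we need: protocol, direction, src/dst prefixes, optional peer, flow type.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*? type (?P<type>use|require|deny|acquire|dontacq|bypass)\s*$"
)


def parse_flows(text):
    """Return a list of flow dicts; lines that are not flows are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flow = m.groupdict()
        flow["src"] = ipaddress.ip_network(flow["src"], strict=False)
        flow["dst"] = ipaddress.ip_network(flow["dst"], strict=False)
        flows.append(flow)
    return flows


def lookup(flows, direction, src, dst):
    """Return the most specific flow matching (direction, src, dst), or None.

    Most specific means the largest combined prefix length. `in` on an
    ipaddress network already returns False across address families, so the
    IPv6 deny flow never captures IPv4 traffic.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for flow in flows:
        if flow["dir"] != direction:
            continue
        if src in flow["src"] and dst in flow["dst"]:
            specificity = flow["src"].prefixlen + flow["dst"].prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, flow)
    return None if best is None else best[1]


def expected_treatment(flows, direction, src, dst):
    """Human-readable verdict: the flow type, or 'clear' when no flow applies."""
    flow = lookup(flows, direction, src, dst)
    return "clear" if flow is None else flow["type"]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # Inner traffic between the two LANs: the flows say ESP is required/used.
    print("10.11.12.13 -> 192.168.4.10 (out):", expected_treatment(flows, "out", "10.11.12.13", "192.168.4.10"))
    # Traffic between the external endpoints themselves matches no flow, so by
    # policy it should leave in the clear; the tcpdump in the post shows it
    # being wrapped in ESP instead.
    print("130.51.23.4 -> 82.17.12.21 (out):", expected_treatment(flows, "out", "130.51.23.4", "82.17.12.21"))
```

Running it against the post's flows shows the inner-network traffic hitting the `require` flow while the external-to-external reply matches nothing, which is the mismatch the tcpdump output illustrates.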
