For the record:
The problem was not with the single interface, but with my
misreading the documentation. The error was in specifying the tunnel
twice. The working ipsec directives are of course:
ipsec.conf on A:
ike esp from to peer srcid dstid
ipsec.conf on B:
ike passive esp tunnel from any to srcid
Markus Wernig wrote:
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default route points out and over which the packets to forward
through the tunnel arrive. The other gateway is a "regular" 2-interface
OBSD 4.1 gateway (B).
Here's the layout:
Internal Net -- -- VPN gateway A
                        |
                     Internet
                        |
                  VPN gateway B
                        |
                 Destination Net
The tunnel seemingly does get created without any errors, but when
packets pass through the tunnel, the remote gateway sends them right
back. Also, on both gateways, 4 flows and 4 SADs get created, instead of
2 each, as I'd expect:
# ipsecctl -s all
FLOWS:
flow esp in from to peer B> srcid dstid type use
flow esp out from to peer B> srcid dstid type require
flow esp in from to peer B> srcid dstid type use
flow esp out from to peer B> srcid dstid type require
SAD:
esp tunnel from to spi 0xADEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from to spi 0xBDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from to spi 0xCDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from to spi 0xDDEADBEEF auth hmac-sha2-256 enc aes
Thus, contradicting routes get added to the kernel routing tables:
gateway B:
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
0 0 0 NAT router A/esp/use/in
0 0 0 NAT router A/esp/require/out
0 0 0 NAT router A/esp/use/in
0 0 0 NAT router A/esp/require/out
ipsec.conf on A:
ike esp from to peer srcid
ike esp from to peer srcid
ipsec.conf on B:
ike passive esp tunnel from any to srcid
ike passive esp tunnel from to any srcid
A tcpdump on enc0 of both gateways shows the packets looping between the
two gateways until ttl == 1.
Can anybody tell me if this is supposed to work at all? Does anyone see
an obvious flaw? I'm really lost at why the gateways add flows and
routes in both directions...
thx /markus
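As a quick check for the symptom described in the thread (four flows where two are expected, because the same tunnel was declared twice), here is an added Python script, not from the thread or from OpenBSD, that parses `ipsecctl -s flow` output and reports flows that are duplicated or have no mirrored counterpart. The addresses, peer and srcid/dstid names in the sample are constructed placeholders standing in for the ones elided in the post.

```python
import re
from collections import Counter

# Constructed sample in the "ipsecctl -s flow" line format; RFC 5737
# documentation addresses and made-up ids stand in for the real ones.
# It mirrors the broken state from the post: each flow appears twice.
BROKEN_FLOWS = """\
FLOWS:
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid gwA dstid gwB type use
flow esp out from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid gwA dstid gwB type require
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid gwA dstid gwB type use
flow esp out from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid gwA dstid gwB type require
"""

FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+)(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\S+)$"
)


def parse_flows(text):
    """Return one dict per 'flow ...' line; headers such as FLOWS:/SAD: are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def duplicate_flows(flows):
    """(dir, src, dst, peer) keys seen more than once: the sign that the same
    tunnel was declared twice in ipsec.conf."""
    counts = Counter((f["dir"], f["src"], f["dst"], f["peer"]) for f in flows)
    return sorted(k for k, n in counts.items() if n > 1)


def unpaired_flows(flows):
    """Flows with no mirrored counterpart (in <-> out with src/dst swapped)."""
    keys = {(f["dir"], f["src"], f["dst"], f["peer"]) for f in flows}
    missing = []
    for d, s, t, p in sorted(keys):
        mirror = ("out" if d == "in" else "in", t, s, p)
        if mirror not in keys:
            missing.append((d, s, t, p))
    return missing


if __name__ == "__main__":
    for key in duplicate_flows(parse_flows(BROKEN_FLOWS)):
        print("duplicate flow:", key)
```

On a live gateway, feed it the real output with `ipsecctl -s flow | python3 check_flows.py`-style piping after swapping the constructed sample for `sys.stdin.read()`.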