For the record:
The problem was not with the single interface, but with my
misreading the documentation. The error was in specifying the tunnel
twice. The working ipsec directives are of course:
ipsec.conf on A:
ike esp from Internal Net to Destination Net peer VPN Gateway B srcid fqdn A dstid fqdn B
ipsec.conf on B:
ike passive esp tunnel from any to Destination Net srcid fqdn B
Markus Wernig wrote:
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default route points out and over which the packets to forward
through the tunnel arrive. The other gateway is a regular 2-interface
OBSD 4.1 gateway (B).
Here's the layout:
Internal Net -- NAT router A -- VPN gateway A
                                     |
                                  Internet
                                     |
                                 NAT router B
                                     |
                                 VPN gateway B
                                     |
                                Destination Net
The tunnel seemingly does get created without any errors, but when
packets pass through the tunnel, the remote gateway sends them right
back. Also, on both gateways, 4 flows and 4 SADs get created, instead of
2 each, as I'd expect:
# ipsecctl -s all
FLOWS:
flow esp in from Internal Net to Destination Net peer VPN Gateway B srcid fqdn A dstid fqdn B type use
flow esp out from Destination Net to Internal Net peer VPN Gateway B srcid fqdn A dstid fqdn B type require
flow esp in from Destination Net to Internal Net peer VPN Gateway B srcid fqdn A dstid fqdn B type use
flow esp out from Internal Net to Destination Net peer VPN Gateway B srcid fqdn A dstid fqdn B type require
SAD:
esp tunnel from VPN Gateway B to VPN Gateway A spi 0xADEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from VPN Gateway B to VPN Gateway A spi 0xBDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from VPN Gateway A to VPN Gateway B spi 0xCDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from VPN Gateway A to VPN Gateway B spi 0xDDEADBEEF auth hmac-sha2-256 enc aes
Thus, contradicting routes get added to the kernel routing tables:
gateway B:
Encap:
Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
Internal Net      0     Destination Host  0     0      NAT router A/esp/use/in
Destination Host  0     Internal Net      0     0      NAT router A/esp/require/out
Destination Host  0     Internal Net      0     0      NAT router A/esp/use/in
Internal Net      0     Destination Host  0     0      NAT router A/esp/require/out
ipsec.conf on A:
ike esp from Internal Net to Destination Net peer VPN Gateway B srcid fqdn A
ike esp from Destination Net to Internal Net peer VPN Gateway B srcid fqdn A
ipsec.conf on B:
ike passive esp tunnel from any to Destination Net srcid fqdn B
ike passive esp tunnel from Destination Net to any srcid fqdn B
A tcpdump on enc0 of both gateways shows the packets looping between the
two gateways until ttl == 1.
Can anybody tell me if this is supposed to work at all? Does anyone see
an obvious flaw? I'm really lost at why the gateways add flows and
routes in both directions...
thx /markus
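The symptom in the original question (four flows and four SAs where two of each are expected, and packets looping between the gateways) and the resolution in the follow-up (one `ike` rule already installs both directions; writing the tunnel a second time with the networks swapped is the bug) can be turned into a mechanical check. The following is an added example, not code from the thread or from OpenBSD: it parses the FLOWS section of `ipsecctl -s all` output, derives the flows an `ike ... from X to Y` rule is expected to install, and flags any network pair that is covered in both orientations for the same direction. The addresses, the peer and the sample output are constructed placeholders modelled on the quoted output.

```python
"""Flag an IPsec tunnel that has been declared in both directions.

Added example, not code from the original post or from OpenBSD. All
networks, peers and the sample ipsecctl output are constructed
placeholders modelled on the output quoted in the thread.
"""
import re
from collections import defaultdict

# One FLOWS line of `ipsecctl -s all`, e.g.
#   flow esp out from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 ... type require
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+peer\s+(?P<peer>\S+))?"
)
# One ipsec.conf rule: ike [passive|active|dynamic] esp|ah [tunnel|transport] from X to Y [peer P]
RULE_RE = re.compile(
    r"^ike\s+(?:(?:passive|active|dynamic)\s+)?(?P<proto>esp|ah)\s+"
    r"(?:(?:tunnel|transport)\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
)


def parse_flows(ipsecctl_output):
    """Parse the FLOWS lines of `ipsecctl -s all` into dicts."""
    flows = []
    for line in ipsecctl_output.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def flows_from_rules(ipsec_conf):
    """Kernel flows an ipsec.conf rule set is expected to install.

    A single 'ike ... from X to Y' rule yields one outbound flow X->Y and
    one inbound flow Y->X, so two flows per rule is the healthy count.
    """
    flows = []
    for line in ipsec_conf.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({"proto": d["proto"], "dir": "out",
                      "src": d["src"], "dst": d["dst"], "peer": d["peer"]})
        flows.append({"proto": d["proto"], "dir": "in",
                      "src": d["dst"], "dst": d["src"], "peer": d["peer"]})
    return flows


def mirrored_pairs(flows):
    """Return sorted (peer, net_a, net_b) triples covered in both orientations.

    Because one rule already covers both directions of traffic, an 'out'
    flow X->Y sitting beside an 'out' flow Y->X (or the same for 'in')
    means the tunnel was declared twice. That is the state in which the
    kernel holds encap routes sending packets straight back to the peer.
    """
    seen = defaultdict(set)   # (peer, dir) -> {(src, dst), ...}
    found = set()
    for f in flows:
        key = (f["peer"], f["dir"])
        if (f["dst"], f["src"]) in seen[key]:
            found.add((f["peer"],) + tuple(sorted((f["src"], f["dst"]))))
        seen[key].add((f["src"], f["dst"]))
    return sorted(found)


# Constructed sample of the faulty state: four flows instead of two.
SAMPLE_IPSECCTL = """\
FLOWS:
flow esp in from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid fqdn A dstid fqdn B type use
flow esp out from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.2 srcid fqdn A dstid fqdn B type require
flow esp in from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.2 srcid fqdn A dstid fqdn B type use
flow esp out from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid fqdn A dstid fqdn B type require
SAD:
"""

# Constructed ipsec.conf fragments: the tunnel declared twice, and once.
BROKEN_CONF = """\
ike esp from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid fqdn A
ike esp from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.2 srcid fqdn A
"""
FIXED_CONF = "ike esp from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid fqdn A dstid fqdn B\n"

if __name__ == "__main__":
    print("observed:", mirrored_pairs(parse_flows(SAMPLE_IPSECCTL)))
    print("broken conf:", mirrored_pairs(flows_from_rules(BROKEN_CONF)))
    print("fixed conf:", mirrored_pairs(flows_from_rules(FIXED_CONF)))
```

On a live gateway the same check runs over `ipsecctl -s flow` output piped into `parse_flows`, or over `/etc/ipsec.conf` via `flows_from_rules` before the rules are loaded; an empty result from `mirrored_pairs` together with two flows per `ike` rule is the state the follow-up describes as working.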