Hello

I use OpenBSD version 5.7.
I noticed a problem with IPsec routing.
I'm trying to redirect all traffic from a private subnet (192.168.127.0/24) to another host.

<192.168.127.0/24> <Host A> <- IPsec -> <Host B> <---> <Internet>

Details below:

On host A:

# ipsecctl -s a
FLOWS:
flow esp in from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require

SAD:
esp tunnel from a.a.a.a to b.b.b.b spi 0x000003e8 auth hmac-sha2-256 enc aes-256
esp tunnel from b.b.b.b to a.a.a.a spi 0x000003e9 auth hmac-sha2-256 enc aes-256
#

And interfaces:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:4d:ac:88:b6
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.127.1 netmask 0xffffff00 broadcast 192.168.127.255
        inet6 fe80::222:4dff:feac:88b6%em0 prefixlen 64 scopeid 0x1

-----------------------------------

I am trying to ping a host directly connected to host A, but all packets are going into the IPsec tunnel (interface enc0). I think the packets should go out via interface rl0.

-----------------------------------


$ ping 192.168.127.44
PING 192.168.127.44 (192.168.127.44): 56 data bytes
--- 192.168.127.44 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss


# tcpdump -ni enc0
tcpdump: listening on enc0, link-type ENC
21:58:27.268213 (authentic,confidential): SPI 0x000003e8: 192.168.127.1 > 192.168.127.44: icmp: echo request (encap)
21:58:28.272609 (authentic,confidential): SPI 0x000003e8: 192.168.127.1 > 192.168.127.44: icmp: echo request (encap)
21:58:29.282629 (authentic,confidential): SPI 0x000003e8: 192.168.127.1 > 192.168.127.44: icmp: echo request (encap)
21:58:30.292668 (authentic,confidential): SPI 0x000003e8: 192.168.127.1 > 192.168.127.44: icmp: echo request (encap)

And another problem/question:
In previous versions of OpenBSD the command netstat -rn showed the routes associated with IPsec. In version 5.7 this information is gone. Is there any other way to see the routes associated with IPsec?

Best Regards

Witold Cichon

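Added example, not part of the post above and not anything its author ran. It models why the ping to 192.168.127.44 ends up on enc0: the outbound flow `from 192.168.127.0/24 to 0.0.0.0/0 type require` covers every destination, including hosts on the directly connected subnet, and the SPD (the FLOWS table that `ipsecctl -s flow` prints, independent of the routing table) is consulted before normal routing. The usual way to exempt that traffic is a more specific `type bypass` flow for the local subnet. The code assumes, as the example's own model, that the most specific flow (longest combined source/destination prefix) wins, which is what makes a /24-to-/24 bypass flow override a /24-to-/0 require flow; the flow lines, addresses and the `b.b.b.b` peer placeholder are constructed from the post.

```python
import ipaddress
import re

# Constructed for this example: the single undirected ipsec.conf flow that
# expands to the in/out pair shown in the post's "ipsecctl -s a" output, and
# the same flow with a more specific "type bypass" flow added for traffic that
# stays inside the directly connected subnet.  "b.b.b.b" is the placeholder
# peer address from the post.
ORIGINAL_FLOWS = """
flow esp from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
"""

FIXED_FLOWS = ORIGINAL_FLOWS + """
flow esp from 192.168.127.0/24 to 192.168.127.0/24 type bypass
"""

FLOW_RE = re.compile(
    r"^flow\s+esp(?:\s+(in|out))?\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+peer\s+(\S+))?\s+type\s+(\S+)$"
)


def parse_flows(text):
    """Parse ipsec.conf-style flow lines into the SPD entries they generate.

    An undirected flow produces an "out" entry as written plus an "in" entry
    with source and destination swapped, which is why the post shows one
    "in ... to 192.168.127.0/24" and one "out from 192.168.127.0/24" flow.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised flow line: %r" % line)
        direction, src, dst, peer, ftype = m.groups()
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        if direction in (None, "out"):
            entries.append(("out", src_net, dst_net, peer, ftype))
        if direction in (None, "in"):
            entries.append(("in", dst_net, src_net, peer, ftype))
    return entries


def spd_lookup(entries, src_ip, dst_ip, direction="out"):
    """Return the most specific flow covering (src, dst) in that direction.

    Assumption made by this example: the most specific match (longest combined
    source/destination prefix) wins, so a /24->/24 bypass flow beats a
    /24->/0 require flow for traffic that stays on the local subnet.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for entry in entries:
        d, src_net, dst_net, peer, ftype = entry
        if d != direction or src not in src_net or dst not in dst_net:
            continue
        specificity = src_net.prefixlen + dst_net.prefixlen
        if best is None or specificity > best[0]:
            best = (specificity, entry)
    return best[1] if best else None


def outbound_decision(flow_text, src_ip, dst_ip):
    """'require' means the packet is handed to IPsec (and shows up on enc0),
    'bypass' means it is routed normally, None means no flow matched."""
    entry = spd_lookup(parse_flows(flow_text), src_ip, dst_ip, "out")
    return entry[4] if entry else None


if __name__ == "__main__":
    for label, flows in (("original", ORIGINAL_FLOWS), ("with bypass", FIXED_FLOWS)):
        for dst in ("192.168.127.44", "8.8.8.8"):
            print("%-12s 192.168.127.1 -> %-15s : %s"
                  % (label, dst, outbound_decision(flows, "192.168.127.1", dst)))
```

On the real host the corresponding check is to add the bypass flow line to /etc/ipsec.conf, parse it without loading (`ipsecctl -n -f /etc/ipsec.conf`), load it, and then confirm with `ipsecctl -s flow` that both the bypass flow and the require flow are present before repeating the ping and the `tcpdump -ni enc0` capture.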