Hi,

My IPsec roadwarrior setup on my laptop broke with one of the latest
snapshots because some outgoing connections are routed wrongly with a
source IP of 127.0.0.1.

On the roadwarrior laptop I use a dummy lo1 interface to which I assign
the internal VPN IP of the laptop.
wlan has the 172.26.153.40/28 subnet, VPN has the 172.26.153.49/28
subnet:

iwn0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:21:6b:a3:70:7a
        priority: 4
        groups: wlan
        status: active
        inet 172.26.153.40 netmask 0xfffffff0 broadcast 172.26.153.47
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
lo1: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> mtu 33144
        priority: 0
        groups: lo egress
        inet 172.26.153.49 netmask 0xfffffff0
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x5
        inet6 2001:4dd0:fbdf:8::49 prefixlen 48

Routing tables

The default route goes to the VPN. Because the IPsec flow matches on
source IP, all VPN packets are routed via lo1 to assign the right
source IP:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            172.26.153.49      US         1       62 33144     9 lo1
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         2       36 33144     4 lo0
172.26.153.32/28   link#2             UC         1        0     -     4 iwn0
172.26.153.33      00:1b:b1:f2:f4:6d  UHLc       1        0     -     4 iwn0
172.26.153.40      127.0.0.1          UGS        0        0 33144     8 lo0
172.26.153.49      172.26.153.49      UH         0      120 33144     4 lo1
217.190.94.19      172.26.153.33      UGHS       2      215     -    12 iwn0
224/4              127.0.0.1          URS        0        0 33144     8 lo0

And route get seems to do the right thing:

$ route get 172.26.153.1
   route to: alix
destination: default
       mask: default
  interface: lo1
 if address: mortimer-ipsec (= 172.26.153.49)
   priority: 9 ()
      flags: <UP,DONE,STATIC>
     use       mtu    expire
      68     33144         0

In the following tests I run two tcpdumps in the background:

tcpdump: listening on pflog0, link-type PFLOG
tcpdump: listening on enc0, link-type ENC

ICMP echo requests get assigned the correct source IP and are
redirected to IPsec:

$ ping -c1 172.26.153.1
PING 172.26.153.1 (172.26.153.1): 56 data bytes
64 bytes from 172.26.153.1: icmp_seq=0 ttl=255 time=2.635 ms
--- 172.26.153.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.635/2.635/2.635/0.000 ms

(authentic,confidential): SPI 0x754c6616: 172.26.153.49 > 172.26.153.1: icmp: echo request (encap)
(authentic,confidential): SPI 0x9464175d: 172.26.153.1 > 172.26.153.49: icmp: echo reply (encap)

But UDP/TCP packets get assigned the localhost(!) address and are
blocked by pf, because I disallow any traffic on lo1:

$ nc -u 172.26.153.1 53 </dev/zero

rule 3/(match) block out on lo1: 127.0.0.1.3621 > 172.26.153.1.53: 0 [0q] (2048)

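The test above relies on reading the enc0 and pflog0 tcpdump output by eye. As an added example (not part of the mail, and not an OpenBSD tool), the script below parses lines in the two formats quoted in the mail and flags exactly the failure described: an outbound packet carrying a loopback source address towards a remote destination. It assumes the enc0 line format "(authentic,confidential): SPI 0x...: SRC > DST: ..." and the pflog format "rule N/(match) block|pass in|out on IFACE: SRC.PORT > DST.PORT: ..." as shown in the mail, and that 172.26.153.49 is the inner VPN address. The sample lines are constructed: the first three are the packets quoted in the mail, the fourth is a made-up "pass" line showing what a leak that got past pf would look like.

```python
"""Audit tcpdump output from enc0 and pflog0 on an IPsec road-warrior host
and flag packets that left with a loopback source address.

Added example, not part of the original mail or of any OpenBSD tool.
Assumptions: the two line formats quoted in the mail (enc0 and pflog), and
that 172.26.153.49 is the inner VPN address assigned to lo1.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Inner address every VPN packet must carry (assumed from the mail: lo1's inet).
VPN_ADDR = ipaddress.ip_address("172.26.153.49")

# enc0 line: "(authentic,confidential): SPI 0x754c6616: SRC > DST: proto ..."
ENC_RE = re.compile(
    r"^\((?P<props>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)
# pflog line with ports: "rule 3/(match) block out on lo1: SRC.PORT > DST.PORT: ..."
# (ICMP pflog lines carry no ports and are left unparsed here.)
PFLOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class Verdict:
    kind: str                 # "ipsec", "pflog" or "unparsed"
    src: Optional[str]
    problem: Optional[str]    # None when the packet looks as it should


def classify(line: str) -> Verdict:
    """Return a verdict for one tcpdump line from enc0 or pflog0."""
    m = ENC_RE.match(line)
    if m:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        props = set(m["props"].split(","))
        if not {"authentic", "confidential"} <= props:
            return Verdict("ipsec", str(src), "SA is not both authenticated and encrypted")
        # Outbound packets must carry VPN_ADDR as inner source, inbound as inner destination.
        if src != VPN_ADDR and dst != VPN_ADDR:
            return Verdict("ipsec", str(src), "neither inner address is the VPN address")
        return Verdict("ipsec", str(src), None)
    m = PFLOG_RE.match(line)
    if m:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if m["dir"] == "out" and src.is_loopback and not dst.is_loopback:
            # The bug from the mail: a loopback source headed for a remote host.
            # Whether pf blocked it or let it through decides how bad it is.
            fate = "blocked" if m["action"] == "block" else "LEAKED"
            return Verdict("pflog", str(src),
                           f"loopback source towards {dst} on {m['iface']}, "
                           f"{fate} by pf rule {m['rule']}")
        return Verdict("pflog", str(src), None)
    return Verdict("unparsed", None, None)


def audit(lines):
    """Classify every line; return (ok_count, problems), problems being a
    list of (kind, description) tuples in input order."""
    ok = 0
    problems = []
    for line in lines:
        v = classify(line.strip())
        if v.kind == "unparsed":
            continue
        if v.problem is None:
            ok += 1
        else:
            problems.append((v.kind, v.problem))
    return ok, problems


# Constructed sample: the three packets quoted in the mail, plus one made-up
# pflog "pass" line (rule number invented) showing what a real leak past pf
# would look like.
SAMPLE = [
    "(authentic,confidential): SPI 0x754c6616: 172.26.153.49 > 172.26.153.1: icmp: echo request (encap)",
    "(authentic,confidential): SPI 0x9464175d: 172.26.153.1 > 172.26.153.49: icmp: echo reply (encap)",
    "rule 3/(match) block out on lo1: 127.0.0.1.3621 > 172.26.153.1.53: 0 [0q] (2048)",
    "rule 7/(match) pass out on iwn0: 127.0.0.1.3622 > 172.26.153.1.53: 0 [0q] (2048)",
]

if __name__ == "__main__":
    ok, problems = audit(SAMPLE)
    print(f"{ok} packet(s) fine, {len(problems)} problem(s):")
    for kind, text in problems:
        print(f"  [{kind}] {text}")
```

In practice you would feed it the combined output of the two tcpdumps the mail runs (`tcpdump -n -i enc0` and `tcpdump -n -i pflog0`); the "blocked" verdict confirms the pf rule on lo1 is doing its job as a safety net, while a "LEAKED" verdict means a mis-sourced packet reached a real interface and the block rule is not covering that path.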