Hi list.
I have two gateways that had been working fine for two years.
Suddenly I can no longer reach the remote network behind either gateway from the other side.
Nothing has changed in the configs.
Both gateways seem to work as expected except for the VPN.
Both gateways have an identical setup, like this.
How should I debug this, and where could the problem be?
# ifconfig
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:34
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.5.254 netmask 0xffffff00 broadcast 192.168.5.255
em1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:33
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 194.106.218.98 netmask 0xfffffffc broadcast 194.106.218.99
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
vlan0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:18:7d:0e:f5:34
        priority: 0
        vlan: 2 parent interface: em0
        groups: vlan
        status: active
        inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 192.168.99.1 --> 192.168.99.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

# cat /etc/ipsec.conf
#       $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

# Remote (tlv) and local (tlk) subnets carried inside the tunnel.
# 192.168.223.0/24 (vlan0) is not listed, so it is never tunneled, and
# 192.168.66.0/24 is not on any interface shown here -- presumably routed via
# tun0 or elsewhere; confirm it is still reachable locally.
tlv = "{ 192.168.2.0/24, 192.168.88.0/24 }"
tlk = "{ 192.168.5.0/24, 192.168.99.0/24, 192.168.66.0/24 }"
# Policy: every tlk<->tlv pair requires ESP to the peer (expands to the
# twelve in/out flows listed by "ipsecctl -sa").
flow esp from $tlk to $tlv peer 92.246.22.143
#flow esp from 194.106.218.98 to 192.168.2.0/24 peer 92.246.22.143
# Manually keyed SA pair: no IKE, so no rekeying, no replay-window
# negotiation and no dead-peer detection. SPIs, algorithms and keys must
# match the remote gateway byte for byte, so diff this stanza against the
# peer's before anything else; a mismatch shows up as authentication or
# decryption failures in "netstat -s -p esp".
# NOTE(review): the key files date from 2012 and have never been rotated, the
# same enckey is used for both directions, and blowfish is a 64-bit-block
# cipher -- once both ends can be changed, prefer aes and distinct
# per-direction keys (or move to IKE via iked/isakmpd).
esp from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef:0xbeefdead \
auth hmac-sha2-512 enc blowfish \
authkey file "/root/akey.local:/root/akey.remote" \
enckey file "/root/ekey:/root/ekey"

# ls -la /root/akey*
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.local
-rw-------  1 root  wheel  128 Jul  2  2012 /root/akey.remote

# ls -la /root/ekey
-rw-------  1 root  wheel  40 Jul  2  2012 /root/ekey

# cat /etc/pf.conf | grep esp
# Only the ESP envelope (IP protocol 50) is passed on the external interface,
# and only to/from the addresses in <tlv_gw>; confirm the table still holds
# 92.246.22.143 with "pfctl -t tlv_gw -T show". No IKE (udp 500/4500) rule is
# needed because the SAs are keyed manually.
# The decapsulated packets are filtered again on enc0, which this grep does
# not show -- check for a pass rule or "set skip on enc0" with
# "pfctl -sr | grep enc0" and look for drops in "tcpdump -ni pflog0".
# If "tcpdump -ni em1 proto esp" shows no inbound ESP at all while the peer
# is sending, the upstream is dropping protocol 50 rather than this host.
pass in on $ext_if proto esp from <tlv_gw> to em1
pass out on $ext_if proto esp from em1 to <tlv_gw>

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.88.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.66.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.66.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.99.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.99.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.88.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.88.0/24 peer 92.246.22.143 type require
flow esp in from 192.168.2.0/24 to 192.168.5.0/24 peer 92.246.22.143 type require
flow esp out from 192.168.5.0/24 to 192.168.2.0/24 peer 92.246.22.143 type require

SAD:
esp tunnel from 92.246.22.143 to 194.106.218.98 spi 0xbeefdead auth hmac-sha2-512 enc blowfish
esp tunnel from 194.106.218.98 to 92.246.22.143 spi 0xdeadbeef auth hmac-sha2-512 enc blowfish

# netstat -rnf encap
Routing tables

Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
192.168.88/24 0     192.168.66/24 0     0      92.246.22.143/esp/require/in
192.168.66/24 0     192.168.88/24 0     0      92.246.22.143/esp/require/out
192.168.2/24  0     192.168.66/24 0     0      92.246.22.143/esp/require/in
192.168.66/24 0     192.168.2/24  0     0      92.246.22.143/esp/require/out
192.168.88/24 0     192.168.99/24 0     0      92.246.22.143/esp/require/in
192.168.99/24 0     192.168.88/24 0     0      92.246.22.143/esp/require/out
192.168.2/24  0     192.168.99/24 0     0      92.246.22.143/esp/require/in
192.168.99/24 0     192.168.2/24  0     0      92.246.22.143/esp/require/out
192.168.88/24 0     192.168.5/24  0     0      92.246.22.143/esp/require/in
192.168.5/24  0     192.168.88/24 0     0      92.246.22.143/esp/require/out
192.168.2/24  0     192.168.5/24  0     0      92.246.22.143/esp/require/in
192.168.5/24  0     192.168.2/24  0     0      92.246.22.143/esp/require/out

# cat /etc/sysctl.conf | grep -v "^#"
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets -- needed to route between the tunneled subnets
net.inet.esp.enable=1           # 0=Disable the ESP IPsec protocol -- required by the esp flows/SAs in ipsec.conf
net.inet.ah.enable=1            # 0=Disable the AH IPsec protocol -- ipsec.conf only uses esp, so this can be 0 unless something else needs AH
net.inet.gre.allow=1            # accepts GRE; nothing shown here uses it -- confirm it is needed, otherwise set 0
net.pipex.enable=1              # pipex tunnel acceleration; confirm it is needed, otherwise set 0
ddb.panic=0                     # 0=Do not drop into ddb on a kernel panic (reboot instead, sensible for an unattended gateway)
machdep.allowaperture=2         # See xf86(4)
                                # required by some ports
                                # NOTE(review): only X needs this and it relaxes kernel memory protection; on a headless gateway set it to 0
kern.maxfiles=66328
