Hello nice people! Hello there from the Spanish neural control network!

I'm setting up a road-warrior-type IKEv2 secure connection from .es to .uk.

All goes fine, except for my head, which is full of voice-to-skull. But I'm a Unix
lover, so I carry on with my personal, but not only personal, battle.
So I've done some configuration, and here it is:

1) RESPONDER:

root@ganesha:/etc# cat hostname.enc0
inet 172.16.44.1/32
up
root@ganesha:/etc# cat iked.conf
set fragmentation
ikev2 'vpnc' passive esp \
    from 0.0.0.0/0 to 172.16.44.2 \
    from 0.0.0.0/0 to 10.1.11.0/24 \
    from 0.0.0.0/0 to 10.2.22.0/24 \
    from 0.0.0.0/0 to 10.3.30.0/24 \
    from 0.0.0.0/0 to 10.3.33.0/24 \
    local 78.141.201.0 \
    srcid vpnc.telecomlobby.com.fqdn dstid cat-01.telecomlobby.com.fqdn \
    tag "$name-$id"

root@ganesha:/etc# cat pf.conf
#PACKET NORMALIZE
match out on enc scrub (max-mss 1360, no-df)

#NAT
pass out on egress from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
    to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } nat-to (egress)
root@ganesha:/etc#

Next is the client, another little OpenBSD guy, a Raspberry Pi 3 with
VLAN+PPPoE+IPsec:

root@smigol:/etc# cat pf.conf
match out on enc scrub (max-mss 1360, no-df)
match out on pppoe scrub (max-mss 1440, no-df)
root@smigol:/etc# cat iked.conf
ikev2 'cat-01' active esp \
    from 172.16.44.2 to 0.0.0.0/0 \
    from 10.3.30.0/24 to 0.0.0.0/0 \
    from 10.1.11.10/24 to 0.0.0.0/0 \
    from 10.2.22.0/24 to 0.0.0.0/0 \
    from 10.3.33.0/24 to 0.0.0.0/0 \
    peer 78.141.201.0 \
    srcid cat-01.telecomlobby.com.fqdn dstid vpnc.telecomlobby.com.fqdn \
    tag "$name-$id"
root@smigol:/etc# cat ipsec.conf
flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
flow esp in from { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } \
    to { 10.1.11.31/32, 10.2.22.31/32, 10.3.30.31/32, 10.3.33.31/32, \
    172.16.44.2/32, 192.168.144.1/32 } type bypass
flow esp out from { 10.1.11.31/32, 10.2.22.31/32, 10.3.30.31/32, \
    10.3.33.31/32, 172.16.44.2/32, 192.168.144.1/32 } to { 10.1.11.0/24, \
    10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } type bypass
flow from { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } to { \
    10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } type bypass

root@smigol:/etc# cat hostname.enc0
inet 172.16.44.2/32
up

If I sniff traffic on the enc0 interface, I find a strange error about the IP
checksum:

 (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip cksum 0! -> c48a)

This is the error, as you can see.

I cannot find a solution on the Internet, and the real thing is that in many
other posts people copy and paste packets in which this error is visible, but
nobody thinks it is in fact an error, or nobody talks about it.

I tried some sysctl values, but no results.

Kind regards, and thank you,

-- 
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
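The "bad ip cksum 0! -> c48a" note in the capture above is tcpdump's way of saying that the checksum field of the inner IPv4 header reads 0, while the value tcpdump itself computed over that header is 0xc48a. A header whose checksum has not been written yet (for example because the stack or the NIC fills it in at a later output stage than the point where the capture taps the packet) looks exactly like this on a sniffer. The Python below is an added example, not code from the original post or from OpenBSD: it reproduces tcpdump's check over a constructed IPv4 header, computing the RFC 1071 header checksum, rendering a mismatch in tcpdump's wording, and parsing such a note back into numbers. The ttl (64), id (18753) and total length (72) are borrowed from the printed packet; the protocol (UDP) and the addresses 172.16.44.2 and 10.1.11.10 are assumptions chosen for the demonstration, not recovered from the capture.

```python
"""Reproduce tcpdump's IPv4 header checksum check (added example, not from the post).

The header built below is constructed: ttl, id and total length are taken from
the packet printed in the post; protocol, source and destination addresses are
assumptions, not recovered from the capture.
"""
import re
import struct
from typing import NamedTuple, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header, with the checksum
    field (bytes 10-11) taken as zero. The sender stores this value; a
    receiver (or tcpdump) recomputes it and compares it with what is stored."""
    if len(header) < 20 or len(header) % 2:
        raise ValueError("IPv4 header must be an even length of at least 20 bytes")
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


class CksumResult(NamedTuple):
    stored: int      # value found in the header's checksum field
    computed: int    # value the header should carry
    ok: bool


def verify_ipv4_header(header: bytes) -> CksumResult:
    """What tcpdump does: compare the stored checksum with the recomputed one."""
    stored = struct.unpack("!H", header[10:12])[0]
    computed = ipv4_checksum(header)
    return CksumResult(stored, computed, stored == computed)


def fill_checksum(header: bytes) -> bytes:
    """Return the header with the correct checksum written in, as the sending
    stack does before the packet leaves the box."""
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def tcpdump_note(header: bytes) -> str:
    """Render a mismatch the way tcpdump prints it (lower-case hex, no zero
    padding); an empty string means the stored checksum is correct."""
    r = verify_ipv4_header(header)
    return "" if r.ok else "bad ip cksum %x! -> %x" % (r.stored, r.computed)


_NOTE_RE = re.compile(r"bad ip cksum ([0-9a-f]+)! -> ([0-9a-f]+)")


def parse_cksum_note(line: str) -> Optional[Tuple[int, int]]:
    """Pull (stored, computed) out of a tcpdump line, or None if no mismatch."""
    m = _NOTE_RE.search(line)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def build_header(src: str, dst: str, total_len: int, ident: int, ttl: int,
                 proto: int, checksum: int = 0) -> bytes:
    """Assemble a minimal 20-byte IPv4 header with the DF flag set."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                  # version 4, IHL 5 (20 bytes), TOS 0
        total_len, ident,
        0x4000,                   # flags: DF, fragment offset 0
        ttl, proto, checksum,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


# Constructed sample: ttl 64, id 18753, len 72 from the post's packet; UDP (17)
# and 172.16.44.2 -> 10.1.11.10 are assumed. The checksum field is deliberately
# left at 0, which is what a header looks like before the stack fills it in.
UNFILLED = build_header("172.16.44.2", "10.1.11.10", 72, 18753, 64, 17)
FILLED = fill_checksum(UNFILLED)

# A constructed line in the shape of the one quoted in the post, for the parser.
SAMPLE_LINE = "(DF) (ttl 64, id 18753, len 72, bad ip cksum 0! -> c48a)"

if __name__ == "__main__":
    print(tcpdump_note(UNFILLED))          # bad ip cksum 0! -> 447
    print(verify_ipv4_header(FILLED))      # stored == computed, ok=True
    print(parse_cksum_note(SAMPLE_LINE))   # (0, 50314)
```

Running it shows the same pattern as the capture: the unfilled header is reported as "bad ip cksum 0! -> 447", and once fill_checksum has written the value in, verify_ipv4_header agrees. Whether the zero on enc0 is harmless therefore depends on whether the checksum gets filled in before the packet actually hits the wire, which is something to confirm with a capture on the outgoing physical interface rather than on enc0.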