Hi Tobias,

I put below the full configuration and the flows as well, with the 6.6 binary, and then the switch to the 6.7 binary without any other changes, as well as the full config.
The config may be a bit weird at first, as I tunnel routable IPs over iked over a Verizon Fios line. You can't get routable IPs from Fios and I have needs for it. So that was my way around it for years now. Anyway, here below:

gateway$ doas cat /etc/ipsec.conf
flow esp out from ::/0 to ::/0 type deny
flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp from 66.63.44.67 to 66.63.44.97 type bypass
flow esp from 66.63.44.90 to 66.63.44.97 type bypass

(This above was to allow the two local subnets to talk to one another as they are in different DMZs. I can delete that config and it changed nothing anyway. Just wanted to write why in case you wonder.)

gateway$ doas cat /etc/iked.conf
# All IPs from 66.63.44.79 are Etienne's computer to Riot on AS 6507 in Ashburn.
ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
ikev2 "Flow" active \
	from re1 to tunnel.realconnect.com \
	from re1 to stats.realconnect.com \
	from 66.63.44.66 to 0.0.0.0/0 \
	from 66.63.44.67 to 66.63.0.0/18 \
	from home.ouellet.us to 0.0.0.0/0 \
	from 66.63.44.96/28 to 0.0.0.0/0 \
	from 66.63.44.79 to 43.229.64.0/22 \
	from 66.63.44.79 to 45.7.36.0/22 \
	from 66.63.44.79 to 103.240.224.0/22 \
	from 66.63.44.79 to 104.160.128.0/19 \
	from 66.63.44.79 to 162.249.72.0/21 \
	from 66.63.44.79 to 185.40.64.0/22 \
	from 66.63.44.79 to 192.64.168.0/21 \
	peer tunnel.realconnect.com

(Here above for the 66.63.44.79, again weird stuff, that's only for my older son. When he plays LoL over Fios it sucks! But when I tunnel it to my tunnel and then directly to Equinix where Riot is and I peer at, all is great, and hard to believe I am sure, but latency is much lower. Again not relevant, just in case you wonder. I know, it's stupid, but I do a lot of work from home and I need to keep the family happy too ;)

On 6/16/20 6:09 AM, Tobias Heider wrote:
> Hi Daniel,
>
> On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
>>> Probably related to the following change documented in
>>> https://www.openbsd.org/faq/upgrade67.html:
>>>
>>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
>>> iked(8) or isakmpd(8) was changed from "use" to "require". This means
>>> unencrypted traffic matching the flows will no longer be accepted.
>>> Flows of type "use" can still be set up manually in ipsec.conf(5).
>>
>> I have what appears to be a similar problem. I used iked from 5.6 all the
>> way to 6.6 no problem, well, some, but I worked it out. All in archive.
>>
>> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
>> changed, same configuration, just a sysupgrade and that's it.
>>
>> I read this and I can understand the words, but maybe I am thick, but I
>> don't understand what to do with it.
>
> The default behavior of IPsec flows was changed to not accept unencrypted
> packets matching a registered flow.
> You can list your flows with 'ipsecctl -sf'.
gateway$ doas ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny

>>
>> I see the require type modifier in the ipsec.conf man page, not in the
>> iked.conf man page.
>>
>> Do you mean whatever rules we had in iked.conf need to be in
>> ipsec.conf now?
>
> No, that won't work.
>
>>
>> I am really sorry if I don't follow the meaning or what you tried to
>> say, but how can this be fixed, or changed?
>>
>
> To help you I will need to know a bit more about your setup.
> In particular the architecture of your network, your iked.conf and
> the output of 'ipsecctl -sa' would be helpful.
> A more detailed description of what exactly does not work would also help.

gateway$ doas ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0x9f629698 auth hmac-sha2-256 enc aes-256
esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xba228cb0 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0xc44b9bb8 auth hmac-sha2-256 enc aes-256
esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xc5d5aa26 auth hmac-sha2-256 enc aes-256

============================

Now if I put the iked 6.7 binary in instead, I see the traffic going out, entering the remote tunnel, getting out of the tunnel to come back, but never coming into the gateway unit. Nothing changed, just the 6.7 binary replacing the 6.6 binary. See the full display of step by step below, with proof of the binary in use and all. Cut and pasted from the terminal as is. I can never get a flow going on 6.7 with the exact same configuration as 6.6. Just using 6.6 works as is. So I obviously do something wrong, I just can't say what, and I have to say it's most likely really stupid, but I can't see it.
gateway$ ls -l /sbin/iked*
-r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked
-r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked.66
-r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked.67
gateway$ date
Tue Jun 16 12:51:13 EDT 2020
gateway$ doas /etc/rc.d/iked stop
iked(ok)
gateway$ doas cp -p /sbin/iked.67 /sbin/iked
gateway$ doas /etc/rc.d/iked start
iked(ok)
gateway$ doas ipsecctl -sa
FLOWS:
No flows

SAD:
No entries
gateway$ date
Tue Jun 16 12:51:54 EDT 2020
gateway$ ls -l /sbin/iked*
-r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked
-r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked.66
-r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked.67

>> My guess is that it is simple and I don't think about it properly, but I
>> am hitting a road block trying to figure it out.
>>
>> I am a bit at a loss and any clue stick would be greatly appreciated.
>>
>> Thanks
>>
>> Daniel
>>
>
> - Tobias
>
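As an added example, not part of this thread, here is a small Python parser for 'ipsecctl -sf' lines like the ones quoted above. It reports which inbound flows are still of type "use" (matching cleartext is accepted alongside ESP), which is exactly what the 6.7 change to "require" stops. The sample input is a constructed subset of the flows quoted in this mail, and the parser assumes only the fields shown there (no "proto" field).

```python
"""Audit ipsecctl -sf output: which inbound flows still accept cleartext?"""
import re
from collections import Counter

# Constructed sample: a subset of the flow lines quoted in the mail above.
SAMPLE = """\
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny
"""

# One ipsecctl flow line; peer/srcid/dstid are absent on deny/bypass flows.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\S+)$"
)


def parse_flows(text):
    """Return one dict per recognised flow line; other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def cleartext_accepting_inbound(flows):
    """Inbound "use" flows: traffic matching them is accepted whether or not
    it arrived inside ESP. iked on 6.7 installs these as "require" instead."""
    return [f for f in flows if f["dir"] == "in" and f["type"] == "use"]


def summarize(flows):
    """Count flows per (direction, type), e.g. ('in', 'use') -> 2."""
    return Counter((f["dir"], f["type"]) for f in flows)


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    print(dict(summarize(parsed)))
    for f in cleartext_accepting_inbound(parsed):
        print("cleartext accepted:", f["src"], "->", f["dst"])
```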