Hi all, I have 3 firewalls, all running OpenBSD 6.7; 2 are IPsec clients, one is the server. After installing (unrelated?) syspatches (67-19, 67-20, 67-23 and 67-24) on the server and rebooting it after 2 months of uptime, I noticed that routing between VPNs has been broken:
fw1# ipsecctl -s all
FLOWS:
flow esp in from 91.?.?.128/25 to 0.0.0.0/0 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 91.?.?.0/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 192.168.230.0/23 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.230.0/23 to 192.168.220.0/22 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 0.0.0.0/0 to 91.?.?.128/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 91.?.?.0/25 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 192.168.220.0/22 to 192.168.230.0/23 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 192.168.230.0/23 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 2a05:?:?:10::/60 to 2000::/3 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require

On the server, when I ping one client, it tries to bypass the IPsec flow and goes out upstream, which is blocked by pf. It seems routing continues to work between one client side and the net on the server after re-keying if there exist TCP connections between the nets. On the other client side, the VPN is often idle and routing gets lost, even if I tried to work around it with a host route. I refused to use routing protocols in the past, because I don't like them on the firewall. What is the recommended reliable solution for this scenario? OSPF? Any help is very appreciated, Axel --- PGP-Key: CDE74120 ☀ computing @ chaos claudius
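Added example, not from Axel's post or from OpenBSD itself: a small Python checker that parses `ipsecctl -s all` FLOWS lines (here a constructed sample using documentation-range addresses in place of the masked ones) and reports whether a given source/destination pair is covered by an `out` flow. A None result is exactly the "bypass" case above, where a packet that matches no outbound flow falls through to the ordinary routing table; the longest-prefix preference is this script's own assumption, not a documented statement of the kernel's SPD lookup order.

```python
import ipaddress
import re

# Constructed sample in the same layout as `ipsecctl -s all` FLOWS output.
# Addresses are RFC 5737/3849 documentation ranges, not the post's real ones.
FLOWS = """\
flow esp in from 192.168.220.0/22 to 192.168.230.0/23 peer 203.0.113.1 srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 192.168.230.0/23 to 192.168.220.0/22 peer 203.0.113.1 srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 0.0.0.0/0 to 198.51.100.128/25 peer 203.0.113.1 srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 2001:db8:0:10::/60 to 2000::/3 peer 203.0.113.1 srcid fw.bu.some.domain dstid gw.mu.some.domain type require
"""

FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)"
)


def parse_flows(text):
    """Parse FLOWS lines into dicts with direction, src/dst networks and peer."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "dir": m.group("dir"),
                "src": ipaddress.ip_network(m.group("src"), strict=False),
                "dst": ipaddress.ip_network(m.group("dst"), strict=False),
                "peer": m.group("peer"),
            })
    return flows


def matching_out_flow(flows, src, dst):
    """Return the most specific 'out' flow covering (src, dst), or None.

    None means traffic with that source/destination pair is not sent into
    IPsec and follows the plain routing table instead. Only 'out' flows
    count: an 'in' flow never causes outbound packets to be encrypted."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    best = None
    for f in flows:
        if f["dir"] != "out" or f["src"].version != src.version:
            continue
        if src in f["src"] and dst in f["dst"]:
            key = (f["src"].prefixlen, f["dst"].prefixlen)
            if best is None or key > (best["src"].prefixlen, best["dst"].prefixlen):
                best = f
    return best
```

Feeding it a ping sourced from the firewall's own upstream address (e.g. 203.0.113.9) toward 192.168.220.5 returns None, which is why such a ping leaves via the default route rather than the tunnel.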