Hello, I have a vpn from a Windows machine to a network behind an OpenBSD router. It was working fine until I upgraded the router to 6.9 (amd64). The VPN is still coming up fine, but the traffic is blocked somehow. Using tcpdump on the interface protected by the router (vlan0 in my case), I see the ping requests from the remote vpn address, and the ping replies, but on enc0 I only see the requests. I confirmed that pf is not blocking packets.
My setup:

Remote Windows machine: fixed IP address 192.168.1.109

OpenBSD router:
  bge0  192.168.8.2
  vlan0 192.168.9.2
  also: arp -s 192.168.9.208 12:34:56:ab:cd:ef permanent pub

iked.conf:

  set nomobike
  ikev2 "windows" passive esp \
      from 192.168.8.2 to 192.168.1.109 \
      from 192.168.9.0/24 to 192.168.9.208 \
      local 192.168.8.2 peer 192.168.1.109 \
      srcid 192.168.8.2 \
      rsa \
      config address 192.168.9.208 \
      config netmask 255.255.255.0 \
      config name-server 192.168.1.222 \
      config netbios-server 192.168.1.222

netstat -rn -inet (removing unrelated interfaces):

  Name    Mtu   Network      Address             Ipkts     Ierrs Opkts    Oerrs Colls Time
  lo0     32768 <Link>                           0         0     0        0     0     0
  lo0     32768 ::1/128      ::1                 0         0     0        0     0     0
  lo0     32768 fe80::%lo0/  fe80::1%lo0         0         0     0        0     0     0
  lo0     32768 127/8        127.0.0.1           0         0     0        0     0     0
  bge0    1500  <Link>       12:34:56:ab:cd:ef   167154089 0     36267061 0     0     0
  bge0    1500  192.168.8/2  192.168.8.2         167154089 0     36267061 0     0     0
  enc0*   0     <Link>                           140       0     0        0     0     0
  vlan0   1500  <Link>       12:34:56:ab:cd:ef   126698124 0     360      0     0     0
  vlan0   1500  192.168.9/2  192.168.9.2         126698124 0     360      0     0     0
  pflog0  33136 <Link>                           0         0     1642609  0     0     0

Log extract:

  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: recv IKE_SA_INIT req 0 peer 192.168.1.109:500 local 192.168.8.2:500, 528 bytes, policy 'windows'
  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: send IKE_SA_INIT res 0 peer 192.168.1.109:500 local 192.168.8.2:500, 278 bytes
  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: recv IKE_AUTH req 1 peer 192.168.1.109:500 local 192.168.8.2:500, 7440 bytes, policy 'windows'
  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: send IKE_AUTH res 1 peer 192.168.1.109:500 local 192.168.8.2:500, 1600 bytes
  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: ikev2_childsa_enable: loaded SPIs: 0x6487e520, 0x36d4127b (enc aes-256 auth hmac-sha1)
  May 27 08:10:20 mymachine iked[14895]: spi=0x41f8d1c369853156: established peer 192.168.1.109:500[ASN1_DN//C=CA/ST=Quebec/L=Somewhere/O=Org/OU=Department/CN=192.168.1.109/emailAddress=xyz@domain.local] local 192.168.8.2:500[IPV4/192.168.8.2] policy 'windows' as responder (enc aes-256 auth hmac-sha2-256 group modp1024 prf hmac-sha2-256)

doas tcpdump -nni enc0

  tcpdump: listening on enc0, link-type ENC
  08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
  08:48:09.914843 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
  08:48:14.914988 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
  08:48:19.915348 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
  ^C
  4 packets received by filter
  0 packets dropped by kernel

tcpdump -nni vlan0 host 192.168.9.208

  tcpdump: listening on vlan0, link-type EN10MB
  09:12:21.467671 192.168.9.208 > 192.168.9.101: icmp: echo request
  09:12:21.468371 arp who-has 192.168.9.208 tell 192.168.9.101
  09:12:21.468386 arp reply 192.168.9.208 is-at ec:eb:b8:5d:94:a0
  09:12:21.468937 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:21.468961 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:26.410587 192.168.9.208 > 192.168.9.101: icmp: echo request
  09:12:26.411144 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:26.411168 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:31.414257 192.168.9.208 > 192.168.9.101: icmp: echo request
  09:12:31.415117 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:31.415141 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:36.409094 192.168.9.208 > 192.168.9.101: icmp: echo request
  09:12:36.409680 192.168.9.101 > 192.168.9.208: icmp: echo reply
  09:12:36.409705 192.168.9.101 > 192.168.9.208: icmp: echo reply
  ^C
  3134 packets received by filter
  0 packets dropped by kernel

Thanks!
Sebastien Leclerc
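The symptom described in the post is one-way ICMP on enc0: echo requests arrive through the tunnel, but the replies seen on vlan0 never appear as outbound traffic on enc0. The following sh/awk helper is an added example, not part of the original post or of OpenBSD's tools; it reads `tcpdump -nn` output (both the plain Ethernet form and the enc0 form with the `(authentic,confidential): SPI ...` prefix), counts echo requests and replies per address pair, and flags pairs where requests were seen but no reply came back. The sample lines embedded below are taken from the captures quoted in the post so the script runs offline; the function and sample names (`icmp_summary`, `enc0_sample`, `vlan0_sample`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ICMP echo traffic per
# address pair in "tcpdump -nn" output and flag pairs that show requests but no
# replies, to confirm the one-way pattern on an IPsec interface such as enc0.
#
# Handles both line shapes by locating the "src > dst:" triple instead of
# relying on fixed field positions:
#   09:12:21.467671 192.168.9.208 > 192.168.9.101: icmp: echo request
#   08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)

# icmp_summary: reads tcpdump lines on stdin and prints one line per request
# direction, "SRC > DST requests=N replies=M", appending " ONE-WAY" when
# requests were seen but no reply travelled in the opposite direction.
icmp_summary() {
    awk '
        /icmp: echo (request|reply)/ {
            for (i = 2; i < NF; i++) if ($i == ">") break
            src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
            if ($0 ~ /echo request/) {
                key = src " > " dst; req[key]++; seen[key] = 1
            } else {
                # a reply from dst to src is credited to the request direction
                key = dst " > " src; rep[key]++; seen[key] = 1
            }
        }
        END {
            for (k in seen) {
                flag = (req[k] > 0 && rep[k] == 0) ? " ONE-WAY" : ""
                printf "%s requests=%d replies=%d%s\n", k, req[k], rep[k], flag
            }
        }' | sort
}

# Constructed sample input: the first lines of the enc0 and vlan0 captures
# quoted in the post, embedded here so the script runs without a live capture.
enc0_sample() {
cat <<'EOF'
08:48:05.289341 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:09.914843 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:14.914988 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
08:48:19.915348 (authentic,confidential): SPI 0x11aad700: 192.168.9.208 > 192.168.9.101: icmp: echo request (encap)
EOF
}

vlan0_sample() {
cat <<'EOF'
09:12:21.467671 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:21.468371 arp who-has 192.168.9.208 tell 192.168.9.101
09:12:21.468386 arp reply 192.168.9.208 is-at ec:eb:b8:5d:94:a0
09:12:21.468937 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:21.468961 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.410587 192.168.9.208 > 192.168.9.101: icmp: echo request
09:12:26.411144 192.168.9.101 > 192.168.9.208: icmp: echo reply
09:12:26.411168 192.168.9.101 > 192.168.9.208: icmp: echo reply
EOF
}

# Stand-alone demo on the samples. On the router itself a live capture would
# be piped in instead, e.g.:  doas tcpdump -nni enc0 icmp | icmp_summary
echo "enc0:";  enc0_sample  | icmp_summary
echo "vlan0:"; vlan0_sample | icmp_summary
```

Run against the post's own captures, the enc0 sample reports the requester pair with `replies=0 ONE-WAY`, while the vlan0 sample shows each request answered (twice, as in the post's capture), which is exactly the asymmetry the post describes: the replies exist on the inside interface but are never handed to the tunnel.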