What other information can I provide on this? -HKS
On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS <[EMAIL PROTECTED]> wrote:
> OpenBSD 4.3.
>
> I'm trying to get a couple IPSec VPNs up and am running into
> increasingly bizarre behavior in my test environment. The current
> issue is that packets are being sent encoded with the wrong SPI.
>
> Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
> Router B has one interface: 10.123.0.48/24.
>
> I can get A and B encrypting traffic between 10.123.0.46 and
> 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
> the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
> (A) to 10.123.0.48 (B) use the wrong SPI.
>
> I am using manual keying to eliminate isakmpd as a source of other
> issues (that were probably my fault somehow). The keys are the
> defaults included in the ipsec.conf example since this is a test
> environment.
>
> Here is router A's ipsec.conf:
> --
> flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001 authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
> --
>
> Output from router A's ipsecctl -sa looks like you would expect:
> --
> FLOWS:
> flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
> flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
> flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require
>
> SAD:
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
> esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
> --
>
> Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
> tcpdump -i enc0 shows this:
> --
> tcpdump: listening on enc0, link-type ENC
> 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
> --
>
> Which is clearly the wrong SPI. If I try to ping in the reverse
> direction, B sends its packets with the correct SPI while the replies
> are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
> corrects this issue.
>
> Is this a bug in IPsec or something I'm doing wrong?
>
> Thanks for the help. dmesg follows.
>
> -HKS
>
>
> OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel" 686-class) 2.33 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
> real mem = 267939840 (255MB)
> avail mem = 251031552 (239MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
> bios0: VMware, Inc. VMware Virtual Platform
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xdc000/0x4000! 0xe0000/0x4000!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
> wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <HC2281Q, NCF700G, 1.01> SCSI0 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x00: irq 9
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
> vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: irq 11
> scsibus1 at mpi0: 16 targets
> ppb1 at pci0 dev 17 function 0 "VMware Virtual PCI-PCI bridge" rev 0x01
> pci2 at ppb1 bus 2
> vic0 at pci2 dev 0 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 10, address 00:0c:29:a3:72:c2
> eap0 at pci2 dev 1 function 0 "Ensoniq AudioPCI97" rev 0x02: irq 9
> ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
> audio0 at eap0
> midi0 at eap0: <AudioPCI MIDI UART>
> ehci0 at pci2 dev 2 function 0 "VMware Virtual EHCI" rev 0x00: irq 5
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "VMware EHCI root hub" rev 2.00/1.00 addr 1
> vic1 at pci2 dev 3 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 11, address 00:0c:29:a3:72:cc
> isa0 at piixpcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pmsi0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pmsi0 mux 0
> pcppi0 at isa0 port 0x61
> midi1 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> biomask eb65 netmask ef65 ttymask ffe7
> mtrr: Pentium Pro MTRR support
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
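As an added check, not part of the thread above, the following script reads the SAD section of `ipsecctl -sa` and the `tcpdump -i enc0` lines and flags every packet whose SPI belongs to an SA whose endpoints do not cover the packet's own source and destination; it assumes a bare address in the SAD (as ipsecctl prints `10.100.0.0` here) is a single host, and the sample input is constructed from the post's own output.

```python
import ipaddress
import re

# Constructed sample input, copied from the post: router A's SAD and its enc0 capture.
SAD_OUTPUT = """\
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
"""
ENC0_CAPTURE = """\
09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46 > 10.123.0.48: icmp: echo request (encap)
"""

SA_RE = re.compile(r"^esp (?:tunnel|transport) from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")
PKT_RE = re.compile(r"SPI (0x[0-9a-fA-F]+): (\S+) > (\S+):")


def parse_sad(text):
    """Map SPI -> (src network, dst network); a bare address is taken as a /32."""
    sad = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            src = ipaddress.ip_network(m.group(1), strict=False)
            dst = ipaddress.ip_network(m.group(2), strict=False)
            sad[int(m.group(3), 16)] = (src, dst)
    return sad


def expected_spis(sad, src, dst):
    """SPIs of every SA whose endpoints cover a packet from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(spi for spi, (sn, dn) in sad.items() if s in sn and d in dn)


def check_capture(sad, capture):
    """Return (spi_used, src, dst, expected) for each packet whose SPI names an SA
    that does not cover the packet's own addresses (an empty list means all good)."""
    bad = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            spi, src, dst = int(m.group(1), 16), m.group(2), m.group(3)
            want = expected_spis(sad, src, dst)
            if spi not in want:
                bad.append((spi, src, dst, want))
    return bad
```

Run against the post's capture it reports both echo requests as using 0x00010004 where the SAD only covers 10.123.0.46 to 10.123.0.48 with 0x00010002, which is exactly the mismatch the poster saw.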