Guys, I have a problem with an IPsec tunnel on OpenBSD 4.7-stable

I have an IPsec VPN tunnel established between my gateway (the default and
only gateway for my internal network) and another IPsec peer.

I need to allow clients from my internal network to access the peer's
internal host (ZZZ.ZZZ.ZZZ.ZZZ) using my lo1 IP address (via NAT),
and I have to use the same outgoing IP for all clients, so I decided to
use NAT on a loopback interface.

1) First question: is it a good idea to use this configuration for this goal?


That's a net-to-net tunnel, where the network on my side is the lo1 interface network.

I'm able to connect from the gateway host to the remote network host, but not
from my local network :(

My configuration:

# sysctl -a | grep ip.forward
net.inet.ip.forwarding=1


# cat /etc/hostname.em0
inet XXX.XXX.XXX.XXX 255.255.255.224 description "External interface"

# cat /etc/hostname.lo1
inet 172.16.95.1 255.255.255.252 172.16.95.3 description "Loop back interface"

# cat /etc/hostname.bge0
inet 192.168.0.1 255.255.255.0 description "Internal interface"

# ifconfig -a
lo0: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> mtu 33160
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:71:ec:e2:27
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet XXX.XXX.XXX.XXX netmask 0xffffffe0 broadcast XXX.XXX.XXX.31
        inet6 fe80::218:71ff:feec:e227%em0 prefixlen 64 scopeid 0x1
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:23:7d:aa:36:fe
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::223:7dff:feaa:36fe%bge0 prefixlen 64 scopeid 0x2
enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536
        priority: 0
lo1: flags=a149<UP,LOOPBACK,RUNNING,PROMISC,LINK1,MULTICAST> mtu 1300
        priority: 0
        groups: lo
        inet 172.16.95.1 netmask 0xfffffffc
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        priority: 0
        groups: pflog

# cat /etc/ipsec.conf
ike esp from 172.16.95.0/30 to ZZZ.ZZZ.ZZZ.ZZZ local XXX.XXX.XXX.XXX
peer YYY.YYY.YYY.YYY \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk "supersecret"

# ipsecctl -sa
FLOWS:

flow esp in from ZZZ.ZZZ.ZZZ.ZZZ to 172.16.95.1 peer YYY.YYY.YYY.YYY
srcid XXX.XXX.XXX.XXX/32 dstid YYY.YYY.YYY.YYY/32 type use
flow esp out from 172.16.95.1 to ZZZ.ZZZ.ZZZ.ZZZ peer YYY.YYY.YYY.YYY
srcid XXX.XXX.XXX.XXX/32 dstid YYY.YYY.YYY.YYY/32 type require

SAD:
esp tunnel from YYY.YYY.YYY.YYY to XXX.XXX.XXX.XXX spi 0xaef8f550 auth
hmac-sha1 enc 3des-cbc
esp tunnel from XXX.XXX.XXX.XXX to YYY.YYY.YYY.YYY spi 0xcacc183a auth
hmac-sha1 enc 3des-cbc


I'm able to connect to the host in the peer's network from the gateway
using telnet:

# telnet -b  172.16.95.1 ZZZ.ZZZ.ZZZ.ZZZ 10000
Connected to ZZZ.ZZZ.ZZZ.ZZZ.
Escape character is '^]'.

# tcpdump -nei enc0
tcpdump: listening on enc0, link-type ENC
tcpdump: WARNING: compensating for unaligned libpcap packets
20:03:39.044938 (authentic,confidential): SPI 0x42be43c2:
172.16.95.1.23975 > YYY.YYY.YYY.YYY.10000: S 976012868:976012868(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp
242964717 0> (DF) [tos 0x10] (encap)
20:03:39.078097 (authentic,confidential): SPI 0x2b35c0b5:
YYY.YYY.YYY.YYY.10000 > 172.16.95.1.23975: S 2500928027:2500928027(0)
ack 976012869 win 49248 <nop,nop,timestamp 1480016770 242964717,mss
1380,nop,wscale 0,nop,nop,sackOK> (DF) (encap)
20:03:39.078121 (authentic,confidential): SPI 0x42be43c2:
172.16.95.1.23975 > YYY.YYY.YYY.YYY.10000: . ack 1 win 16384
<nop,nop,timestamp 242964717 1480016770> (DF) [tos 0x10] (encap)


==== netstat ====

# netstat -rn -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
ZZZ.ZZZ.ZZZ.ZZZ/32  0     172.16.95.1/32     0     0
YYY.YYY.YYY.YYY/esp/use/in
172.16.95.1/32     0     ZZZ.ZZZ.ZZZ.ZZZ/32  0     0
YYY.YYY.YYY.YYY/esp/require/out

=== My PF rules: ===

# cat /etc/pf.conf

set skip on {enc0, lo0}

# default rule
block log all

# nat
match out on lo1 inet proto tcp from 192.168.0.0/24 to ZZZ.ZZZ.ZZZ.ZZZ
port 10000 nat-to 172.16.95.1

# internal interface
pass on bge0

# loopback interface
pass on lo1

# ipsec
pass in on em0 inet proto esp from YYY.YYY.YYY.YYY to XXX.XXX.XXX.XXX
pass in on em0 inet proto udp from YYY.YYY.YYY.YYY to XXX.XXX.XXX.XXX port 500
pass out on em0 inet proto esp from XXX.XXX.XXX.XXX to YYY.YYY.YYY.YYY
pass out on em0 inet proto udp from XXX.XXX.XXX.XXX to YYY.YYY.YYY.YYY port 500


# ipsec tunnel was started with :)
isakmpd -K
ipsecctl -f /etc/ipsec.conf


Finally, when I'm trying to access the same host with telnet from my client
machine in the internal network:

# traceroute ZZZ.ZZZ.ZZZ.ZZZ
traceroute to 193.254.169.51 (193.254.169.51), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.292 ms  0.227 ms  0.239 ms

# traceroute 172.16.95.1
traceroute to 172.16.95.1 (172.16.95.1), 64 hops max, 40 byte packets
 1  172.16.95.1 (172.16.95.1)  0.295 ms  0.226 ms  0.239 ms




On the gateway interfaces, tcpdump shows the following while I try to
connect with telnet:

# telnet ZZZ.ZZZ.ZZZ.ZZZ 10000

# tcpdump -nei bge0
I see requests from the local machine to ZZZ.ZZZ.ZZZ.ZZZ


# tcpdump -nei lo1
I don't see packets there :(


# tcpdump -nei enc0
I don't see packets there :(

2) Can someone point out what's wrong with this configuration, and why
traffic from the local network does not go into the tunnel? As I see it,
there is some small misconfiguration, and I spent much time, googled and
re-read mail archives for hours to find it, but no luck :(

man ipsec.conf and the FAQ don't help me :(

-- 
With regards,
Eugene Sudyr
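One way to check the flow selectors from the `ipsecctl -sa` output above, as an added example that is not part of the original post: a small Python parser for the FLOWS section that re-joins the mail-wrapped lines and tests which source addresses are covered by the outbound flow. The anonymised XXX/YYY/ZZZ addresses are replaced with constructed RFC 5737 documentation addresses, an assumption for the sample only.

```python
import ipaddress
import re

# Constructed sample of the post's `ipsecctl -sa` FLOWS section, mail-wrapped as
# it arrived. Anonymised addresses are replaced by RFC 5737 documentation ones
# (assumption): XXX -> 192.0.2.1, YYY -> 198.51.100.1, ZZZ -> 203.0.113.51.
IPSECCTL_FLOWS = """\
FLOWS:

flow esp in from 203.0.113.51 to 172.16.95.1 peer 198.51.100.1
srcid 192.0.2.1/32 dstid 198.51.100.1/32 type use
flow esp out from 172.16.95.1 to 203.0.113.51 peer 198.51.100.1
srcid 192.0.2.1/32 dstid 198.51.100.1/32 type require
SAD:
"""

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+peer\s+(?P<peer>\S+).*?\btype\s+(?P<type>\S+)"
)

def parse_flows(text):
    """Parse FLOWS lines into dicts; src/dst become ip_network objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line == "SAD:":
            break  # SA list follows; not needed for a selector check
        if line.startswith("flow "):
            records.append(line)
        elif line and records:
            records[-1] += " " + line  # re-join a mail-wrapped continuation line
    flows = []
    for m in filter(None, map(FLOW_RE.match, records)):
        f = m.groupdict()
        # ipsecctl prints bare host addresses (no /32); strict=False accepts them
        f["src"] = ipaddress.ip_network(f["src"], strict=False)
        f["dst"] = ipaddress.ip_network(f["dst"], strict=False)
        flows.append(f)
    return flows

def matching_flow(flows, src, dst, direction="out"):
    """Return the first flow whose selectors cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None
```

With the flows shown in the post, only 172.16.95.1 is covered by the outbound selector; an untranslated packet from 192.168.0.0/24 matches no flow at all, so it is not a candidate for the tunnel.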
