subject:"Re\: Problem With Default Route Over IPSEC Site\-To\-Site Tunnel VPN"

Re: Problem With Default Route Over IPSEC Site-To-Site Tunnel VPN

2014-12-16 Thread Joe Crivello

I received a request to share my updated configuration, so I thought I
would send it to the list in case others might also find it useful.

## Router 1
# cat /etc/hostname.gre0
169.254.0.1 169.254.0.2 netmask 0x link0 up
tunnel 172.16.5.1 172.16.5.2
!route add -net 172.16.6.0/24 169.254.0.2
!route add -net 172.16.7.0/24 169.254.0.2

# cat /etc/ipsec.conf
ike passive esp transport \
from 172.16.5.1 to 172.16.5.2 \
main auth hmac-sha2-512 enc aes-256 group modp2048 \
quick auth hmac-sha2-512 enc aes-256-ctr group modp2048 \
srcid "" \
dstid ""

# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
kern.bufcachepercent=50
net.inet.ip.ifq.maxlen=2048

# cat /etc/rc.conf.local
ipsec=YES

isakmpd_flags="-K -T"

# ifconfig

gre0: flags=29011 mtu 1476
priority: 0
groups: gre
tunnel: inet 172.16.5.1 -> 172.16.5.2
inet 169.254.0.1 --> 169.254.0.2 netmask 0x

# ipsecctl -sa
FLOWS:
flow esp in from 172.16.5.2 to 172.16.5.1 peer 172.16.5.2 srcid  dstid  type use
flow esp out from 172.16.5.1 to 172.16.5.2 peer 172.16.5.2 srcid  dstid  type require

SAD:
esp transport from 172.16.5.1 to 172.16.5.2 spi 0x6b898652 auth
hmac-sha2-512 enc aes-256-ctr
esp transport from 172.16.5.2 to 172.16.5.1 spi 0xf4bff52e auth
hmac-sha2-512 enc aes-256-ctr

# route -n show
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio
Iface
default UGS 1125  6077357 - 8
vlan0

169.254.0.1127.0.0.1  UHl00 - 1 lo0
169.254.0.2169.254.0.1UH 2   100720 - 4 gre0

172.16.5/24link#11UC 10 - 4
vlan7
172.16.5.1  UHLl   00 - 1 lo0
172.16.5.2  UHLc   2   113643 - L   4
vlan7
172.16.6/24169.254.0.2UGS02 - 8 gre0
172.16.7/24169.254.0.2UGS0 5928 - 8 gre0


Encap:
Source Port  DestinationPort  Proto
SA(Address/Proto/Type/Direction)
172.16.5.2/32  0 172.16.5.1/32  0 0
172.16.5.2/esp/use/in
172.16.5.1/32  0 172.16.5.2/32  0 0
172.16.5.2/esp/require/out

## Router 2
# cat /etc/hostname.gre0
169.254.0.2 169.254.0.1 netmask 0x link0 up
tunnel 172.16.5.2 172.16.5.1
!route add -net default 169.254.0.1

# cat /etc/ipsec.conf
ike esp transport \
from 172.16.5.2 to 172.16.5.1 \
main auth hmac-sha2-512 enc aes-256 group modp2048 \
quick auth hmac-sha2-512 enc aes-256-ctr group modp2048 \
srcid "" \
dstid ""

# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
kern.bufcachepercent=50
net.inet.ip.ifq.maxlen=1024

# cat /etc/rc.conf.local
ipsec=YES

isakmpd_flags="-K -T"

# ifconfig

gre0: flags=29011 mtu 1476
priority: 0
groups: gre egress
tunnel: inet 172.16.5.2 -> 172.16.5.1
inet 169.254.0.2 --> 169.254.0.1 netmask 0x

# ipsecctl -sa
FLOWS:
flow esp in from 172.16.5.1 to 172.16.5.2 peer 172.16.5.1 srcid  dstid  type use
flow esp out from 172.16.5.2 to 172.16.5.1 peer 172.16.5.1 srcid  dstid  type require

SAD:
esp transport from 172.16.5.1 to 172.16.5.2 spi 0x6b898652 auth
hmac-sha2-512 enc aes-256-ctr
esp transport from 172.16.5.2 to 172.16.5.1 spi 0xf4bff52e auth
hmac-sha2-512 enc aes-256-ctr

# route -n show
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio
Iface
default169.254.0.1UGS485718 - 8 gre0

169.254.0.1169.254.0.2UH 10 - 4 gre0
169.254.0.2127.0.0.1  UHl00 - 1 lo0
172.16.5/24link#4 UC 20 - 4
vlan0
172.16.5.1  UHLc   285781 - 4
vlan0
172.16.5.2  HLl00 - 1 lo0
172.16.5.3  HLl00 - 1 lo0
172.16.5.21 UHLc   02 - 4
vlan0
172.16.6/24link#5 UC 00 - 4
vlan1
172.16.6.1  HLl00 - 1 lo0
172.16.7/24link#6 UC 00 - 4
vlan2
172.16.7.1  HLl00 - 1 lo0


Encap:
Source Port  DestinationPort  Proto
SA(Address/Proto/Type/Direction)
172.16.5.1/32  0 172.16.5.2/32  0 0
172.16.5.1/esp/use/in
172.16.5.2/32  0 172.16.5.1/32  0 0
172.16.5.1/esp/require/out

On Tue, Dec 16, 2014 at 11:05 AM, Joseph Crivello 
wrote:
>
> I was able to resolve my own problem.
>
> The solution I found was to create a gre tunnel between the two routers
> using the gre(4) pseudo-device. Once I had that working, I used IPSEC
> transport mode to pr

Re: Problem With Default Route Over IPSEC Site-To-Site Tunnel VPN

2014-12-16 Thread Joseph Crivello

I was able to resolve my own problem.

The solution I found was to create a gre tunnel between the two routers
using the gre(4) pseudo-device. Once I had that working, I used IPSEC
transport mode to protect the GRE tunnel. This method eliminates all default
encap routes from both routers; which was the root cause of the problem.

-Joe

-Original Message-
From: Joe Crivello [mailto:josephcrive...@gmail.com] 
Sent: Monday, December 15, 2014 2:24 PM
Subject: Problem With Default Route Over IPSEC Site-To-Site Tunnel VPN

Hello,

I am having a problem with a particular aspect of my attempt to establish an
IPSEC site-to-site tunnel between two gateways using ISAKMPD/IKEv1. I seem
to be doing something wrong, but I have exhausted all of the resources that
I know of in my quest to fix the problem (MAN pages, OpenBSD.org FAQ,
Google, etc). I am hoping that someone with more OpenBSD experience than
myself will be able to help me... either way, thanks so much for your time!

The routers in question both run OpenBSD 5.6, situated at either end of long
range wifi bridge link. Router "1" also has a interface connecting to an ISP
router, which provides a route to the Internet:

Internet <==> Router 1
  172.16.5.1
 ||
Wifi
 ||
  172.16.5.2
  Router 2 <==> Local Networks
(172.16.6.1/24, 172.16.7.1/24)

The intention is to establish an IPSEC tunnel between Router 1 and Router 2,
over which Router 2 should send all traffic not destined for one of it's
local networks. Accordingly, I set the default route of Router 2 to
172.16.5.1, and I configured the tunnel like so:

## Router 1

ike passive esp \
from any to { 172.16.5.2/32, 172.16.6.0/24, 172.16.7.0/24 } \
local 172.16.5.1 peer 172.16.5.2 \
main auth hmac-sha2-512 enc aes-256 group modp2048 \
quick auth hmac-sha2-512 enc aes-256-ctr group modp2048 \
srcid "" \
dstid ""

## Router 2

ike active esp \
from { 172.16.5.2/32, 172.16.6.0/24, 172.16.7.0/24 } to any \
local 172.16.5.2 peer 172.16.5.1 \
main auth hmac-sha2-512 enc aes-256 group modp2048 \
quick auth hmac-sha2-512 enc aes-256-ctr group modp2048 \
srcid "" \
dstid ""

This configuration (correctly) causes six SAs to be established:

## Router 1

# ipsecctl -sa
FLOWS:
flow esp in from 172.16.5.2 to 0.0.0.0/0 peer 172.16.5.2 srcid  dstid  type use flow esp out from 0.0.0.0/0 to
172.16.5.2 peer 172.16.5.2 srcid  dstid  type require flow esp in from 172.16.7.0/24
to 0.0.0.0/0 peer 172.16.5.2 srcid  dstid  type use flow esp out from 0.0.0.0/0 to
172.16.7.0/24 peer 172.16.5.2 srcid  dstid  type require flow esp in from 172.16.6.0/24
to 0.0.0.0/0 peer 172.16.5.2 srcid  dstid  type use flow esp out from 0.0.0.0/0 to
172.16.6.0/24 peer 172.16.5.2 srcid  dstid  type require

SAD:
esp tunnel from 172.16.5.2 to 172.16.5.1 spi 0x0eec4a02 auth hmac-sha2-512
enc aes-256-ctr esp tunnel from 172.16.5.1 to 172.16.5.2 spi 0x1cde0906 auth
hmac-sha2-512 enc aes-256-ctr esp tunnel from 172.16.5.2 to 172.16.5.1 spi
0x6769c99e auth hmac-sha2-512 enc aes-256-ctr esp tunnel from 172.16.5.2 to
172.16.5.1 spi 0xad29e69c auth hmac-sha2-512 enc aes-256-ctr esp tunnel from
172.16.5.1 to 172.16.5.2 spi 0xaf8c3502 auth hmac-sha2-512 enc aes-256-ctr
esp tunnel from 172.16.5.1 to 172.16.5.2 spi 0xcdad877e auth hmac-sha2-512
enc aes-256-ctr

## Router 2

# ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 172.16.5.2 peer 172.16.5.1 srcid  dstid  type use flow esp out from 172.16.5.2 to
0.0.0.0/0 peer 172.16.5.1 srcid  dstid  type require flow esp in from 0.0.0.0/0 to
172.16.7.0/24 peer 172.16.5.1 srcid  dstid  type use flow esp out from 172.16.7.0/24 to
0.0.0.0/0 peer 172.16.5.1 srcid  dstid  type require flow esp in from 0.0.0.0/0 to
172.16.6.0/24 peer 172.16.5.1 srcid  dstid  type use flow esp out from 172.16.6.0/24 to
0.0.0.0/0 peer 172.16.5.1 srcid  dstid  type require

SAD:
esp tunnel from 172.16.5.2 to 172.16.5.1 spi 0x0eec4a02 auth hmac-sha2-512
enc aes-256-ctr esp tunnel from 172.16.5.1 to 172.16.5.2 spi 0x1cde0906 auth
hmac-sha2-512 enc aes-256-ctr esp tunnel from 172.16.5.2 to 172.16.5.1 spi
0x6769c99e auth hmac-sha2-512 enc aes-256-ctr esp tunnel from 172.16.5.2 to
172.16.5.1 spi 0xad29e69c auth hmac-sha2-512 enc aes-256-ctr esp tunnel from
172.16.5.1 to 172.16.5.2 spi 0xaf8c3502 auth hmac-sha2-512 enc aes-256-ctr
esp tunnel from 172.16.5.1 to 172.16.5.2 spi 0xcdad877e auth hmac-sha2-512
enc aes-256-ctr

The problem is that as soon as these flows are established, Router 2 becomes
unreachable from all of it's local networks (and vice-versa). This appears
to occur because the flows specify that all traffic originating from Router
2's IP addresses (172.16.5.2, 172.16.6.1, and 172.16.7.1) should be
protected with ESP. Thus, Router 2 starts to encapsulate all traffic
originating from it's IPs, even if it is destined for one of it's lo

Re: Problem With Default Route Over IPSEC Site-To-Site Tunnel VPN

Re: Problem With Default Route Over IPSEC Site-To-Site Tunnel VPN

2 matches

Site Navigation

Mail list logo

Footer information