Re: Terminate IPSEC tunnel in virtual routing domain
On Tue, May 17 2011 at 39:21, patrick.oesch...@bluewin.ch wrote:

> ...gives me some headache...
>
> system1: (openbsd 4.9)
> em0 192.168.1.54 (same /24 subnet as system2)
> /etc/isakmpd/isakmpd.conf:
> Listen-on= 192.168.1.54
> isakmpd -K
>
> system2: (openbsd 4.9)
> em0 192.168.1.200 (same /24 subnet as system1)
> /etc/isakmpd/isakmpd.conf
> Listen-on= 192.168.1.200
> isakmpd -K
>
> as long as em0 on system2 is in rdomain 0 (zero) everything seems fine
> and using tcpdump i can see bi-directional traffic on UDP/500
>
> as soon as i put em0 on system2 into rdomain 1 using
> 'ifconfig em0 192.168.1.200 rdomain 1' my headache starts...

Did you run isakmpd on rdomain 1? (as precised in another mail)

    route -T1 exec isakmpd -K

The second step would be more problematic, I don't think that enc(4) supports rdomain yet.

[...]

> anybody having experience in terminating an IPSEC tunnel in a routing domain?
> (virtual firewall setup)
> maybe i should try GRE with IPSEC on top of that...(?)

Setting up gif on rdomain on top of ipsec works.

Hope this helps :)

Claer
Re: Terminate IPSEC tunnel in virtual routing domain
Hi,

running IPsec in multiple rdomains has been supported for about a year and should work just fine. iked(8) has extended support for it but it should also work with isakmpd(8).

- You need to create an enc(4) interface for the non-default rdomain. Traffic will only flow if there is an enc(4) interface, and enc0 in rdomain 0 is still created by default.

    # ifconfig enc1 rdomain 1 up

- The order you execute the commands at runtime is important. First create the enc(4) interface (or put it in hostname.if), then configure the rdomain on em0, then configure the IP on it and finally start isakmpd in the right rdomain. I would also suggest to run isakmpd with the -4 option since rdomains are IPv4-only for now (ask claudio@ if you want to have IPv6-rdomains).

    # ifconfig em0 192.168.1.200 rdomain 1
    # route -T 1 exec isakmpd -4 -K

- As you see above, you need to run isakmpd in rdomain 1 by setting its process context to rdomain 1. Just running isakmpd -K in a normal shell will execute it in rdomain 0. The process rdomain is inherited from the parent process, so you could also do

    # route -T 1 exec sh
    # isakmpd -4 -K

- To see the flows and SAs you need to do the same with ipsecctl:

    # route -T 1 exec ipsecctl -s all

- I so much prefer route -T 1 show -inet over netstat -rn -T 1 -f inet but maybe this is just a matter of taste. netstat -an is not rdomain-aware yet.

reyk

On Tue, May 17, 2011 at 09:39:26PM +, patrick.oesch...@bluewin.ch wrote:

> ...gives me some headache...
>
> system1: (openbsd 4.9)
> em0 192.168.1.54 (same /24 subnet as system2)
> /etc/isakmpd/isakmpd.conf:
> Listen-on= 192.168.1.54
> isakmpd -K
>
> system2: (openbsd 4.9)
> em0 192.168.1.200 (same /24 subnet as system1)
> /etc/isakmpd/isakmpd.conf
> Listen-on= 192.168.1.200
> isakmpd -K
>
> as long as em0 on system2 is in rdomain 0 (zero) everything seems fine
> and using tcpdump i can see bi-directional traffic on UDP/500
>
> as soon as i put em0 on system2 into rdomain 1 using
> 'ifconfig em0 192.168.1.200 rdomain 1' my headache starts...
>
> i can check routing for domain 1 using 'netstat -rn -T1'
> i can ping 192.168.1.200 using 'ping -V1 192.168.1.200'
> *but* i do no longer see em0 in 'netstat -an -f inet' so i am not able to
> see if the listener for UDP/500 started on the em0 interface
> (only interfaces in rdomain 0 (zero) are displayed)
> bi-directional traffic for port UDP/500 stops
>
> anybody having experience in terminating an IPSEC tunnel in a routing domain?
> (virtual firewall setup)
> maybe i should try GRE with IPSEC on top of that...(?)
>
> thank you
> /pat
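The bring-up sequence reyk describes above (enc(4) interface first, then the rdomain on the physical interface, then its address, then isakmpd started with its process context in that rdomain, then verification through the same context), as an added example script that is not part of the thread or of OpenBSD. The rdomain number, interface name and address are constructed sample values taken from pat's setup; the commands are the ones quoted in the thread. It defaults to a dry run that prints the sequence, since executing it requires root on an OpenBSD host.

```shell
#!/bin/sh
# Added example, not from the thread: bring up an IPsec endpoint inside a
# non-default routing domain in the order that matters:
#   1. create enc(4) for the rdomain (or put it in hostname.if),
#   2. move the physical interface into the rdomain,
#   3. address it,
#   4. start isakmpd with its process context in that rdomain,
#   5. verify with ipsecctl and route inside the same rdomain.
# RDOMAIN, IFACE and ADDR are constructed sample values. DRY_RUN=1 (the
# default) prints the commands instead of executing them.

RDOMAIN="${RDOMAIN:-1}"
IFACE="${IFACE:-em0}"
ADDR="${ADDR:-192.168.1.200}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or execute) the bring-up sequence. The enc interface must exist
# before isakmpd installs flows, and isakmpd must inherit the rdomain via
# 'route -T N exec' or it will quietly run in rdomain 0.
ipsec_rdomain_up() {
    run ifconfig "enc${RDOMAIN}" rdomain "$RDOMAIN" up
    run ifconfig "$IFACE" "$ADDR" rdomain "$RDOMAIN"
    run route -T "$RDOMAIN" exec isakmpd -4 -K
}

# Verification must also run in the rdomain's context; netstat -an is not
# rdomain-aware, so check SAs/flows and the routing table this way instead.
ipsec_rdomain_check() {
    run route -T "$RDOMAIN" exec ipsecctl -s all
    run route -T "$RDOMAIN" show -inet
}

# Self-check of the ordering in dry-run mode: succeeds only if the enc(4)
# interface is created before isakmpd is started.
ipsec_rdomain_order_ok() {
    cmds=$(DRY_RUN=1; ipsec_rdomain_up)
    enc_line=$(printf '%s\n' "$cmds" | grep -n "ifconfig enc" | cut -d: -f1)
    ike_line=$(printf '%s\n' "$cmds" | grep -n "exec isakmpd" | cut -d: -f1)
    [ -n "$enc_line" ] && [ -n "$ike_line" ] && [ "$enc_line" -lt "$ike_line" ]
}

ipsec_rdomain_up
ipsec_rdomain_check
```

Run with `DRY_RUN=0 RDOMAIN=1 IFACE=em0 ADDR=192.168.1.200 sh script.sh` as root to execute; note that the rdomain assignment happens in the same ifconfig call as the address, so the interface never sits addressed in rdomain 0 first.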
Re: Terminate IPSEC tunnel in virtual routing domain
Not sure about this but try doing it this way:

    route -T 1 exec netstat -an -f inet

from man route...

J

On Tue, May 17, 2011 at 2:39 PM, patrick.oesch...@bluewin.ch <patrick.oesch...@bluewin.ch> wrote:

> ...gives me some headache...
>
> system1: (openbsd 4.9)
> em0 192.168.1.54 (same /24 subnet as system2)
> /etc/isakmpd/isakmpd.conf:
> Listen-on= 192.168.1.54
> isakmpd -K
>
> system2: (openbsd 4.9)
> em0 192.168.1.200 (same /24 subnet as system1)
> /etc/isakmpd/isakmpd.conf
> Listen-on= 192.168.1.200
> isakmpd -K
>
> as long as em0 on system2 is in rdomain 0 (zero) everything seems fine
> and using tcpdump i can see bi-directional traffic on UDP/500
>
> as soon as i put em0 on system2 into rdomain 1 using
> 'ifconfig em0 192.168.1.200 rdomain 1' my headache starts...
>
> i can check routing for domain 1 using 'netstat -rn -T1'
> i can ping 192.168.1.200 using 'ping -V1 192.168.1.200'
> *but* i do no longer see em0 in 'netstat -an -f inet' so i am not able to
> see if the listener for UDP/500 started on the em0 interface
> (only interfaces in rdomain 0 (zero) are displayed)
> bi-directional traffic for port UDP/500 stops
>
> anybody having experience in terminating an IPSEC tunnel in a routing domain?
> (virtual firewall setup)
> maybe i should try GRE with IPSEC on top of that...(?)
>
> thank you
> /pat
Re: Terminate IPSEC tunnel in virtual routing domain
2011/5/17 James Records <james.reco...@gmail.com>:

> Not sure about this but try doing it this way:
>
> route -T 1 exec netstat -an -f inet

Peeking at the netstat code, the -a uses kread(), which signals that people are afraid of it and that those parts are to be rewritten using some standardized sysctl() interface, and then become rdomain compatible. And netstat -T1 and route -T1 exec netstat should be equivalent, IMO. This needs to be confirmed by some developer though. Otherwise it's just a piece of gossip.

>> as long as em0 on system2 is in rdomain 0 (zero) everything seems fine
>> and using tcpdump i can see bi-directional traffic on UDP/500
>>
>> as soon as i put em0 on system2 into rdomain 1 using
>> 'ifconfig em0 192.168.1.200 rdomain 1' my headache starts...
>>
>> i can check routing for domain 1 using 'netstat -rn -T1'
>> i can ping 192.168.1.200 using 'ping -V1 192.168.1.200'
>> *but* i do no longer see em0 in 'netstat -an -f inet' so i am not able to
>> see if the listener for UDP/500 started on the em0 interface
>> (only interfaces in rdomain 0 (zero) are displayed)
>> bi-directional traffic for port UDP/500 stops

Is the isakmpd process still running? Did you really run it like 'route -T1 exec isakmpd'? Because with httpd it seems to work fine for me (different setup, but works). netstat -a displays all of them all the time.

>> maybe i should try GRE with IPSEC on top of that...(?)

Not sure it'd help.

--
Martin Pelikan