On 4 November 2014 17:06, Martin Larsson <martin.larss...@gmail.com> wrote:
> Hello!
>
> I've set up a tunnel between OpenBSD 5.6 using iked and an openwrt router
> running strongswan.
> The tunnel works great with ping and other traffic, but traffic between the
> two external IPs dies.
>
> This is a site-to-site connection and nothing fancy.
>
> iked.conf on OpenBSD.
> ikev2 esp from $10.11.12.0/24 to $194.168.4.0/24 peer $tcgw srcid sippan.se
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 192.168.4.0/24 to 10.11.12.0/24 peer 82.17.12.21 srcid
> FQDN/sippan.se dstid FQDN/sswan.sippan.se type use
> flow esp out from 10.11.12.0/24 to 192.168.4.0/24 peer 82.17.12.21 srcid
> FQDN/sippan.se dstid FQDN/sswan.sippan.se type require
> flow esp out from ::/0 to ::/0 type deny
>
> SAD:
> esp tunnel from 82.17.12.21 to 130.51.23.4 spi 0x67483925 auth hmac-sha1
> enc aes
> esp tunnel from 130.51.23.4 to 82.17.12.21 spi 0xcf1f39d1 auth hmac-sha1
> enc aes
>
> # netstat -nr
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio
> Iface
> default            130.51.23.4     UGS       10 30430256     -     8 em0
> 10/8               link#5             UC         1        0     -     4
> vether0
> 10.11.12.13        fe:e1:ba:d0:d6:1c  UHLl       0        1     -     1 lo0
> 10.255.255.255     link#5             UHLc       3      570     -     4
> vether0
> 82.17.12.21      130.51.23.4     UGHD       0 30430251     - L  56 em0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UH         1        6 32768     4 lo0
> 194.48.213.128/27  link#1             UC         1        0     -     4 em0
> 130.51.23.4     00:00:cd:19:95:16  UHLc       2        0     -     4 em0
> 130.51.23.4     00:02:b3:aa:cc:c3  HLl        0        0     -     1 lo0
> 224/4              127.0.0.1          URS        0        0 32768     8 lo0
>
> Internet6:
> -removed, don't use it-
>
> Encap:
> Source             Port  Destination        Port  Proto
> SA(Address/Proto/Type/Direction)
> 192.168.4/24       0     10.11.12/24        0     0
> 82.17.12.21/esp/use/in
> 10.11.12/24        0     192.168.4/24       0     0
> 82.17.12.21/esp/require/out
> default                            0     default
>  0     0     none/esp/deny/out
>
> # tcpdump on openbsd while trying to connect with ssh to the external ip of
> the OpenBSD host from the external ip of the other end.
>
> # tcpdump host 82.17.12.21
> tcpdump: listening on em0, link-type EN10MB
> tcpdump: WARNING: compensating for unaligned libpcap packets
> 16:49:55.539903 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: S
> 2729317717:2729317717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
> (DF)
> 16:49:55.539932 loller.sippan.se.ssh > egget.priv.lamest.se.54158: S
> 2317435827:2317435827(0) ack 2729317718 win 16384 <mss
> 1240,nop,nop,sackOK,nop,wscale 3>
> 16:49:55.545936 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: . ack 1
> win 256 (DF)
> 16:49:55.553927 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
> seq 190 len 100
> 16:50:01.553883 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
> seq 191 len 100
> 16:50:05.977468 esp egget.priv.lamest.se > loller.sippan.se spi 0x67483925
> seq 127 len 84 (DF)
> 16:50:05.977519 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
> seq 192 len 84
>
>
> # tcpdump on enc0 while trying ssh and https
> tcpdump: listening on enc0, link-type ENC
> tcpdump: WARNING: compensating for unaligned libpcap packets
> 17:01:01.578622 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.ssh > egget.priv.lamest.se.54158: R
> 2317435850:2317435850(0) ack 2729317718 win 0 (encap)
> 17:01:05.786123 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.ssh > egget.priv.lamest.se.54792: P
> 3813334764:3813334785(21) ack 2711749548 win 2170 (encap)
> 17:01:05.968654 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.https > egget.priv.lamest.se.54793: P
> 3540908942:3540909100(158) ack 1840586787 win 2170 (encap)
> 17:01:06.265543 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
> (encap)
> 17:01:06.876165 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
> (encap)
> 17:01:08.095189 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
> (encap)
> 17:01:10.459116 (authentic,confidential): SPI 0xc31749f4:
> loller.sippan.se.https > egget.priv.lamest.se.54793: . ack 1 win 2170
> (encap)
>
> So it appears that OpenBSD tries to send back traffic with ESP when it
> shouldn't.
>
> I'd also like to add that the exact same setup works with isakmpd.
>
> Best regards
> Martin
>


This is a known issue.  The reason why it happens is not
strictly documented.  The change to the stack was introduced
as part of a cleanup a long time ago.  Supposedly it's there
to support TCP MD5 signatures, but I didn't verify that yet.

There's this code in /sys/netinet/ip_spd.c starting @ L246
that runs when no flows are found (remember that iked
will install flows only for the from-to networks, not for the peers
themselves):

246         /* Actual SPD lookup. */
247         re->re_rt = rtalloc((struct sockaddr *)&re->re_dst,
248             RT_REPORT|RT_RESOLVE, re->re_tableid);
249         if (re->re_rt == NULL) {
250                 /*
251                  * Return whatever the socket requirements are, there are no
252                  * system-wide policies.
253                  */
254                 *error = 0;
255                 return ipsp_spd_inp(m, af, hlen, error, direction,
256                     tdbp, inp, NULL);
257         }

This ipsp_spd_inp call will successfully find the SA that
specifies peers as endpoints and use it.

So why does this not happen with isakmpd?  That's because
ipsp_aux_match does additional filtering based on the filter
installed by isakmpd:

        /* Check for filter matches. */
        if (tdb->tdb_filter.sen_type) {
                /*
                 * XXX We should really be doing a subnet-check (see
                 * whether the TDB-associated filter is a subset
                 * of the policy's. For now, an exact match will solve
                 * most problems (all this will do is make every
                 * policy get its own SAs).
                 */
                if (memcmp(&tdb->tdb_filter, pfilter,
                    sizeof(struct sockaddr_encap)) ||
                    memcmp(&tdb->tdb_filtermask, pfiltermask,
                    sizeof(struct sockaddr_encap)))
                        return 0;
        }

Right now it looks like a hack to me but I would very
much like to fix the problem ASAP one way or the other.
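The following is an added toy model of the decision described in this thread, written here for illustration; it is not OpenBSD kernel code and does not reproduce the real ipsp_spd_lookup/ipsp_spd_inp/ipsp_aux_match logic. It uses the flows and SAs from the ipsecctl output above (the selector networks, the peer 82.17.12.21, the local endpoint 130.51.23.4 and the outbound SPI 0xcf1f39d1) and shows the three cases that matter: LAN-to-LAN traffic matches a flow and is encapsulated; peer-to-peer traffic matches no flow and, with an SA that carries no filter (the iked case), falls through to the SA and is wrongly encapsulated; with an SA that carries a traffic-selector filter (the isakmpd case) the fallback is rejected and the packet leaves in cleartext. The names `run_scenario`, `sa_fallback` and the `has_filter` field are assumptions of this model, and the filter check is simplified to a subnet membership test rather than the kernel's memcmp against a policy.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of an outbound IPsec policy decision (not OpenBSD code):
 * 1) look the packet up in the SPD (flows);
 * 2) if no flow matches, fall back to any SA whose tunnel endpoints equal the
 *    packet's addresses, the path the thread attributes to ipsp_spd_inp;
 * 3) an SA that carries a traffic-selector filter (what isakmpd installs)
 *    only matches traffic inside that filter, which is what stops step 2.
 */
enum policy { POLICY_NONE, POLICY_USE, POLICY_REQUIRE, POLICY_DENY };
enum decision { SEND_CLEARTEXT, SEND_ESP, DROP };

struct selector { uint32_t net, mask; };        /* host-order network/mask */
struct flow { struct selector src, dst; uint32_t peer; enum policy policy; };
struct sa {
	uint32_t src, dst, spi;                         /* tunnel endpoints, SPI */
	int has_filter;                                 /* 1: isakmpd-style filter present */
	struct selector fsrc, fdst;                     /* traffic selectors if has_filter */
};

static uint32_t ip(const char *s)
{
	struct in_addr a;
	return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

static struct selector net(const char *s, int prefix)
{
	struct selector sel;
	sel.mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
	sel.net = ip(s) & sel.mask;
	return sel;
}

static int in_net(uint32_t a, struct selector s) { return (a & s.mask) == s.net; }

/* SPD lookup: first flow whose selectors cover the packet. */
static const struct flow *
spd_lookup(const struct flow *f, int n, uint32_t src, uint32_t dst)
{
	for (int i = 0; i < n; i++)
		if (in_net(src, f[i].src) && in_net(dst, f[i].dst))
			return &f[i];
	return NULL;
}

/* Fallback when no flow matched: an SA whose endpoints are the packet's addresses. */
static const struct sa *
sa_fallback(const struct sa *s, int n, uint32_t src, uint32_t dst)
{
	for (int i = 0; i < n; i++) {
		if (s[i].src != src || s[i].dst != dst)
			continue;
		/* Simplified ipsp_aux_match: a filtered SA rejects traffic outside its selectors. */
		if (s[i].has_filter && !(in_net(src, s[i].fsrc) && in_net(dst, s[i].fdst)))
			continue;
		return &s[i];
	}
	return NULL;
}

static enum decision
decide(const struct flow *flows, int nflows, const struct sa *sas, int nsas,
    uint32_t src, uint32_t dst, uint32_t *spi_out)
{
	const struct flow *f = spd_lookup(flows, nflows, src, dst);
	const struct sa *sa = NULL;

	*spi_out = 0;
	if (f != NULL) {
		if (f->policy == POLICY_DENY)
			return DROP;
		for (int i = 0; i < nsas; i++)          /* SA towards the flow's peer */
			if (sas[i].dst == f->peer) { sa = &sas[i]; break; }
		if (sa == NULL)                         /* real kernel would queue an ACQUIRE */
			return f->policy == POLICY_REQUIRE ? DROP : SEND_CLEARTEXT;
	} else if ((sa = sa_fallback(sas, nsas, src, dst)) == NULL) {
		return SEND_CLEARTEXT;
	}
	*spi_out = sa->spi;
	return SEND_ESP;
}

/* Tables built from the thread's ipsecctl -sa output; isakmpd_style toggles the SA filter. */
enum decision
run_scenario(int isakmpd_style, const char *src, const char *dst, uint32_t *spi_out)
{
	struct flow flows[2] = {
		{ net("10.11.12.0", 24), net("192.168.4.0", 24), ip("82.17.12.21"), POLICY_REQUIRE },
		{ net("192.168.4.0", 24), net("10.11.12.0", 24), ip("82.17.12.21"), POLICY_USE },
	};
	struct sa out = { ip("130.51.23.4"), ip("82.17.12.21"), 0xcf1f39d1, isakmpd_style,
	    net("10.11.12.0", 24), net("192.168.4.0", 24) };
	return decide(flows, 2, &out, 1, ip(src), ip(dst), spi_out);
}

int main(void)
{
	static const char *names[] = { "cleartext", "esp", "drop" };
	uint32_t spi;
	printf("iked    lan->lan:   %s\n", names[run_scenario(0, "10.11.12.13", "192.168.4.1", &spi)]);
	printf("iked    peer->peer: %s\n", names[run_scenario(0, "130.51.23.4", "82.17.12.21", &spi)]);
	printf("isakmpd peer->peer: %s\n", names[run_scenario(1, "130.51.23.4", "82.17.12.21", &spi)]);
	return 0;
}
```

The second line of output is the behaviour Martin saw on em0 and enc0: ssh replies to the peer's external address leave as ESP because the endpoint-only SA is the only thing left to match once the SPD returns nothing. The third line is the isakmpd case, where the filter on the SA rejects the fallback and the reply goes out in the clear.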
