On 5 November 2014 13:28, Mike Belopuhov <m...@belopuhov.com> wrote:
> On 4 November 2014 17:06, Martin Larsson <martin.larss...@gmail.com> wrote:
>> Hello!
>>
>> I've set up a tunnel between OpenBSD 5.6 using iked and an openwrt router
>> running strongswan.
>> The tunnel works great with ping and other traffic but traffic between the
>> two external IPs dies.
>>
>> This is a site-to-site connection and nothing fancy.
>>
>> iked.conf on OpenBSD.
>> ikev2 esp from $10.11.12.0/24 to $194.168.4.0/24 peer $tcgw srcid sippan.se
>>
>> # ipsecctl -sa
>> FLOWS:
>> flow esp in from 192.168.4.0/24 to 10.11.12.0/24 peer 82.17.12.21 srcid
>> FQDN/sippan.se dstid FQDN/sswan.sippan.se type use
>> flow esp out from 10.11.12.0/24 to 192.168.4.0/24 peer 82.17.12.21 srcid
>> FQDN/sippan.se dstid FQDN/sswan.sippan.se type require
>> flow esp out from ::/0 to ::/0 type deny
>>
>> SAD:
>> esp tunnel from 82.17.12.21 to 130.51.23.4 spi 0x67483925 auth hmac-sha1
>> enc aes
>> esp tunnel from 130.51.23.4 to 82.17.12.21 spi 0xcf1f39d1 auth hmac-sha1
>> enc aes
>>
>> # netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Mtu Prio
>> Iface
>> default 130.51.23.4 UGS 10 30430256 - 8 em0
>> 10/8 link#5 UC 1 0 - 4
>> vether0
>> 10.11.12.13 fe:e1:ba:d0:d6:1c UHLl 0 1 - 1 lo0
>> 10.255.255.255 link#5 UHLc 3 570 - 4
>> vether0
>> 82.17.12.21 130.51.23.4 UGHD 0 30430251 - L 56 em0
>> 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
>> 127.0.0.1 127.0.0.1 UH 1 6 32768 4 lo0
>> 194.48.213.128/27 link#1 UC 1 0 - 4 em0
>> 130.51.23.4 00:00:cd:19:95:16 UHLc 2 0 - 4 em0
>> 130.51.23.4 00:02:b3:aa:cc:c3 HLl 0 0 - 1 lo0
>> 224/4 127.0.0.1 URS 0 0 32768 8 lo0
>>
>> Internet6:
>> -removed, don't use it-
>>
>> Encap:
>> Source Port Destination Port Proto
>> SA(Address/Proto/Type/Direction)
>> 192.168.4/24 0 10.11.12/24 0 0
>> 82.17.12.21/esp/use/in
>> 10.11.12/24 0 192.168.4/24 0 0
>> 82.17.12.21/esp/require/out
>> default 0 default
>> 0 0 none/esp/deny/out
>>
>> # tcpdump on openbsd while trying to connect with ssh to the external ip of
>> the OpenBSD host from the external ip of the other end.
>>
>> # tcpdump host 82.17.12.21
>> tcpdump: listening on em0, link-type EN10MB
>> tcpdump: WARNING: compensating for unaligned libpcap packets
>> 16:49:55.539903 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: S
>> 2729317717:2729317717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
>> (DF)
>> 16:49:55.539932 loller.sippan.se.ssh > egget.priv.lamest.se.54158: S
>> 2317435827:2317435827(0) ack 2729317718 win 16384 <mss
>> 1240,nop,nop,sackOK,nop,wscale 3>
>> 16:49:55.545936 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: . ack 1
>> win 256 (DF)
>> 16:49:55.553927 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
>> seq 190 len 100
>> 16:50:01.553883 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
>> seq 191 len 100
>> 16:50:05.977468 esp egget.priv.lamest.se > loller.sippan.se spi 0x67483925
>> seq 127 len 84 (DF)
>> 16:50:05.977519 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1
>> seq 192 len 84
>>
There's another interesting behavior evident in this trace: the first few (usually 1 or 2) packets (the SYN-ACK from loller here) are not encrypted. That's because we update our PCB on input due to the presence of a matching SA in a very agile manner: first it doesn't really match, but we make sure next time it does (funny logic in ipsp_spd_inp, coupled with the default IPsec policy).
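As an added example (not code from the thread or from OpenBSD), a small Python script that parses a tcpdump trace like the one quoted above and reports, per direction, the cleartext packets that went out before the first ESP packet between the same two hosts, which is the pattern described here (the unencrypted SYN-ACK from loller before the ESP packets). The embedded trace is the thread's with tcpdump's wrapped lines re-joined; the two regexes are assumptions about that tcpdump output format.

```python
import re
from collections import defaultdict

# The thread's tcpdump trace, wrapped lines re-joined to one packet per line (sample input).
TRACE = """\
16:49:55.539903 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: S 2729317717:2729317717(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
16:49:55.539932 loller.sippan.se.ssh > egget.priv.lamest.se.54158: S 2317435827:2317435827(0) ack 2729317718 win 16384 <mss 1240,nop,nop,sackOK,nop,wscale 3>
16:49:55.545936 egget.priv.lamest.se.54158 > loller.sippan.se.ssh: . ack 1 win 256 (DF)
16:49:55.553927 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1 seq 190 len 100
16:50:01.553883 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1 seq 191 len 100
16:50:05.977468 esp egget.priv.lamest.se > loller.sippan.se spi 0x67483925 seq 127 len 84 (DF)
16:50:05.977519 esp loller.sippan.se > egget.priv.lamest.se spi 0xcf1f39d1 seq 192 len 84
"""

# Two line shapes matter (assumed tcpdump format): ESP and plain TCP; banners are ignored.
ESP_RE = re.compile(r"^(\S+) esp (\S+) > (\S+) spi (0x[0-9a-f]+) seq (\d+)")
TCP_RE = re.compile(r"^(\S+) (\S+)\.(\S+) > (\S+)\.(\S+): (\S+)")

def parse_trace(text):
    """Return a list of (time, kind, src, dst, detail) with kind 'esp' or 'clear'."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            t, src, dst, spi, seq = m.groups()
            pkts.append((t, "esp", src, dst, f"spi {spi} seq {seq}"))
            continue
        m = TCP_RE.match(line)
        if m:
            t, src, sport, dst, dport, flags = m.groups()
            pkts.append((t, "clear", src, dst, f"tcp {sport}>{dport} {flags}"))
    return pkts

def find_cleartext_before_esp(pkts):
    """Per direction (src, dst) that eventually carries ESP, list the cleartext packets
    sent before the first ESP packet in that direction: the ones that left unencrypted."""
    by_dir = defaultdict(list)
    for p in pkts:
        by_dir[(p[2], p[3])].append(p)
    findings = {}
    for direction, ps in by_dir.items():
        kinds = [p[1] for p in ps]
        if "esp" not in kinds:
            continue  # never encrypted at all: not the early-packet leak we are after
        leaked = [f"{p[0]} {p[4]}" for p in ps[:kinds.index("esp")] if p[1] == "clear"]
        if leaked:
            findings[direction] = leaked
    return findings

if __name__ == "__main__":
    for (src, dst), leaked in find_cleartext_before_esp(parse_trace(TRACE)).items():
        print(f"{src} -> {dst}: {len(leaked)} cleartext before first ESP:", *leaked, sep="\n  ")
```

On the thread's trace this reports one cleartext packet from loller (the SYN-ACK) and two from egget (SYN and ACK) before each side's first ESP packet.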