On 11.3.2024. 10:22, Rafał Ramocki wrote:
> Hello,
>
> I'm not sure if I'm doing something wrong or if it is a common
> problem. I have iked.conf set up in the following way:
>
> ikev2 active from 10.2.15.0/24 to 172.31.0.0/20 from 10.2.15.0/24 to
> 172.31.16.0/20 from 10.2.15.0/24 to 172.31.32.0/20 from 169.254.74.238 to
> 169.254.74.237 local X.X.X.X peer 16.170.59.81 ikesa auth hmac-sha2-256 enc
> aes-256 prf hmac-sha2-256 group modp4096 childsa auth hmac-sha2-256 enc
> aes-256 group modp4096 srcid X.X.X.X ikelifetime 28800 lifetime 3600 psk
> '_REMOVED_'
>
> ikev2 active from 10.2.15.0/24 to 172.31.0.0/20 from 10.2.15.0/24 to
> 172.31.16.0/20 from 10.2.15.0/24 to 172.31.32.0/20 from 169.254.21.38 to
> 169.254.21.37 local X.X.X.X peer 51.21.86.8 ikesa auth hmac-sha2-256 enc
> aes-256 prf hmac-sha2-256 group modp4096 childsa auth hmac-sha2-256 enc
> aes-256 group modp4096 srcid X.X.X.X ikelifetime 28800 lifetime 3600 psk
> '_REMOVED_'
>
> Both tunnels are up from the AWS perspective.
> Both tunnels have SADs:
>
> # ipsecctl -ss
> esp tunnel from 51.21.86.8 to X.X.X.X spi 0x02c0ae3a auth hmac-sha2-256 enc aes-256
> esp tunnel from 16.170.59.81 to X.X.X.X spi 0x09ef0398 auth hmac-sha2-256 enc aes-256
> esp tunnel from 16.170.59.81 to X.X.X.X spi 0x324ceca5 auth hmac-sha2-256 enc aes-256
> esp tunnel from 51.21.86.8 to X.X.X.X spi 0xa9672a52 auth hmac-sha2-256 enc aes-256
> esp tunnel from X.X.X.X to 16.170.59.81 spi 0xc08c4de5 auth hmac-sha2-256 enc aes-256
> esp tunnel from X.X.X.X to 16.170.59.81 spi 0xc2e0efe9 auth hmac-sha2-256 enc aes-256
> esp tunnel from X.X.X.X to 51.21.86.8 spi 0xc3e8a0e0 auth hmac-sha2-256 enc aes-256
> esp tunnel from X.X.X.X to 51.21.86.8 spi 0xccb3250e auth hmac-sha2-256 enc aes-256
>
> But flows with an overlapping from-to pair are set only for one of the tunnels:
>
> # ipsecctl -sf
> flow esp in from 169.254.21.37 to 169.254.21.38 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp in from 169.254.74.237 to 169.254.74.238 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
> flow esp in from 172.31.0.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp in from 172.31.16.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp in from 172.31.32.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
>
> flow esp out from 10.2.15.0/24 to 172.31.0.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp out from 10.2.15.0/24 to 172.31.16.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp out from 10.2.15.0/24 to 172.31.32.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp out from 169.254.21.38 to 169.254.21.37 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
> flow esp out from 169.254.74.238 to 169.254.74.237 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
>
> I think IKED may detect that a flow is already set for this from-to pair and
> is not setting up an additional one, but it should also take the remote
> endpoint into account, as those are different. Having no flow set up results
> in data received on that second tunnel, which has no flows set, being
> discarded and not forwarded any more, probably due to RPF policy.
>
> I tried to figure out how those are set up by code analysis, but I think it
> may be beyond my capabilities, as I'm only a sysadmin, not a developer.
>
> OpenBSD version: 7.3
>
> best regards
> Rafal Ramocki
Hi,

I think that you can't have two identical IPsec tunnels with policy-based VPNs in OpenBSD, but you can do something like this:
https://www.linuxquestions.org/questions/blog/rocket357-328529/openbsd-etc-ipsec-conf-for-aws-vpc-vpn-36423/

The good thing is that OpenBSD from 7.4 supports route-based IPsec tunnels:
https://www.undeadly.org/cgi?action=article;sid=20230704094238
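The symptom in the original post (SAs negotiated for both peers, but flows installed for only one) is easy to miss because `ipsecctl -ss` looks healthy. The script below is an added example for this thread, not code from OpenBSD or from either poster: it takes the two policies from the iked.conf above, derives the flows iked(8) should have installed for each selector (one outbound flow per `from A to B` selector and the mirrored inbound flow, both bound to that policy's peer), compares them against the posted `ipsecctl -sf` output, and reports which flows are missing and which selector pairs are configured towards more than one peer. The policy table and flow lines are copied from the thread; the function names are the example's own.

```python
"""Cross-check iked(8) policies against the flows the kernel actually has
(`ipsecctl -sf`). Added example for this thread, not OpenBSD code.
Sample data is taken from the thread; the local address stays redacted as X.X.X.X."""
import re
from collections import defaultdict

# (peer, [(from, to), ...]) for each `ikev2 ... peer` policy in the posted iked.conf.
POLICIES = [
    ("16.170.59.81", [("10.2.15.0/24", "172.31.0.0/20"),
                      ("10.2.15.0/24", "172.31.16.0/20"),
                      ("10.2.15.0/24", "172.31.32.0/20"),
                      ("169.254.74.238", "169.254.74.237")]),
    ("51.21.86.8",   [("10.2.15.0/24", "172.31.0.0/20"),
                      ("10.2.15.0/24", "172.31.16.0/20"),
                      ("10.2.15.0/24", "172.31.32.0/20"),
                      ("169.254.21.38", "169.254.21.37")]),
]

# `ipsecctl -sf` output as posted in the thread.
IPSECCTL_SF = """\
flow esp in from 169.254.21.37 to 169.254.21.38 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 169.254.74.237 to 169.254.74.238 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
flow esp in from 172.31.0.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 172.31.16.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp in from 172.31.32.0/20 to 10.2.15.0/24 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.0.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.16.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 10.2.15.0/24 to 172.31.32.0/20 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 169.254.21.38 to 169.254.21.37 peer 51.21.86.8 srcid IPV4/X.X.X.X dstid IPV4/51.21.86.8 type require
flow esp out from 169.254.74.238 to 169.254.74.237 peer 16.170.59.81 srcid IPV4/X.X.X.X dstid IPV4/16.170.59.81 type require
"""

FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)")


def parse_flows(text):
    """Return a set of (direction, from, to, peer) tuples from `ipsecctl -sf` output."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add((m["dir"], m["src"], m["dst"], m["peer"]))
    return flows


def expected_flows(policies):
    """Every `from A to B` selector should produce an outbound A->B flow and
    the mirrored inbound B->A flow, both bound to the policy's peer."""
    expected = set()
    for peer, selectors in policies:
        for src, dst in selectors:
            expected.add(("out", src, dst, peer))
            expected.add(("in", dst, src, peer))
    return expected


def missing_flows(policies, sf_output):
    """Expected flows that the kernel does not have, sorted for stable output."""
    return sorted(expected_flows(policies) - parse_flows(sf_output))


def colliding_selectors(policies):
    """Selector pairs configured in more than one policy, i.e. towards different peers."""
    peers_by_selector = defaultdict(set)
    for peer, selectors in policies:
        for sel in selectors:
            peers_by_selector[sel].add(peer)
    return {sel: sorted(p) for sel, p in peers_by_selector.items() if len(p) > 1}


if __name__ == "__main__":
    for f in missing_flows(POLICIES, IPSECCTL_SF):
        print("missing flow: esp %s from %s to %s peer %s" % f)
    for sel, peers in colliding_selectors(POLICIES).items():
        print("selector from %s to %s is configured for peers %s" % (sel[0], sel[1], ", ".join(peers)))
```

On the thread's data this reports six missing flows, all belonging to peer 16.170.59.81 (the three 172.31.x/20 selectors in each direction), and flags exactly those three selector pairs as configured towards both peers, while the 169.254.x link-local pairs, which are unique per tunnel, get their flows on both. Run against live output with `ipsecctl -sf | python3 check.py` after adapting `POLICIES`, it turns the "second tunnel silently drops traffic" symptom into a concrete list of flows to look for.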