----- Original Message -----
> From: "Girish Venkatachalam" <girishvenkatacha...@gmail.com>
> To: "OpenBSD general usage list" <misc@openbsd.org>
> Sent: Wednesday, April 4, 2012 8:23:27 PM
> Subject: Manual IPsec setup with ipsec.conf
>
> Dear all,
>
> Such a silly thing is not documented anywhere, no vpn(8) man page and
> not on the Internet.
>
> I am forced to send this mail though it is embarrassing having worked
> on the internals of manual IPsec keying back in 2004. But well here goes.
>
> on peer A:
>
> remoteip="173.167.82.52"
> remotenet="10.1.23.0/24"
>
> flow esp from 59.99.242.167 to $remoteip
> flow esp from 192.168.1.0/24 to $remotenet peer $remoteip
> esp from 59.99.242.167 to $remoteip spi 0xdeadbeef:0xbeefdead auth hmac-sha1 \
>     authkey 0xeda8f06463b2d0fed008ccc474216dba8c463a7c:0x91c763de940ce1745215c84b7535269acaef516d \
>     enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> on peer B:
>
> localnet="192.168.0.0/16"
> remoteip="59.99.242.167"
>
> flow esp from 173.167.82.52 to 59.99.242.167
> flow esp from 10.1.23.0/24 to 192.168.1.0/24 peer $remoteip
> esp from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead:0xdeadbeef auth hmac-sha1 \
>     authkey 0x91c763de940ce1745215c84b7535269acaef516d:0xeda8f06463b2d0fed008ccc474216dba8c463a7c \
>     enckey 0xf7795f6bdd697a43a4d28dcf1b79062d:0xb341aa065c3850edd6a61e150d6a5fd3
>
>
> It is a test. I don't care about the keys and IP addresses.
>
> pf(4) is disabled both sides and here is the output of
>
> #ipsecctl -sa on peer B
>
> # ipsecctl -sa -v
> FLOWS:
> flow esp in from 192.168.1.0/24 to 10.1.23.0/24 peer 59.99.242.167 type require
> flow esp out from 10.1.23.0/24 to 192.168.1.0/24 peer 59.99.242.167 type require
> flow esp in from 59.99.242.167 to 173.167.82.52 peer 59.99.242.167 type require
> flow esp out from 173.167.82.52 to 59.99.242.167 peer 59.99.242.167 type require
>
> SAD:
> esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
>         sa: spi 0xbeefdead auth hmac-sha1 enc aes
>         state mature replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
>         address_src: 173.167.82.52
>         address_dst: 59.99.242.167
> esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
>         sa: spi 0xdeadbeef auth hmac-sha1 enc aes
>         state mature replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
>         address_src: 59.99.242.167
>         address_dst: 173.167.82.52
>
> And peer A:
>
> # ipsecctl -sa -v
> FLOWS:
> flow esp in from 10.1.23.0/24 to 192.168.1.0/24 peer 173.167.82.52 type require
> flow esp out from 192.168.1.0/24 to 10.1.23.0/24 peer 173.167.82.52 type require
> flow esp in from 173.167.82.52 to 59.99.242.167 peer 173.167.82.52 type require
> flow esp out from 59.99.242.167 to 173.167.82.52 peer 173.167.82.52 type require
>
> SAD:
> esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
>         sa: spi 0xbeefdead auth hmac-sha1 enc aes
>         state mature replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 0 add 1333585275 first 0
>         address_src: 173.167.82.52
>         address_dst: 59.99.242.167
> esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
>         sa: spi 0xdeadbeef auth hmac-sha1 enc aes
>         state mature replay 0 flags 4
>         lifetime_cur: alloc 0 bytes 196 add 1333585275 first 1333585277
>         address_src: 59.99.242.167
>         address_dst: 173.167.82.52
>         lifetime_lastuse: alloc 0 bytes 0 add 0 first 1333585277
>
> I cannot ping between 192.168.1.50 and 10.1.23.2
>
> What is going on?
>
> -Girish
>
> --
> G3 Tech
> Networking appliance company
> web: http://g3tech.in mail: gir...@g3tech.in
Two very basic questions, both of which have bitten me at some point:

1) Is IP forwarding enabled on both boxes?
2) Do you have the appropriate routes set up on both sides?
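An added example, not from the thread, for anyone reproducing this setup: alongside the forwarding and route checks above, manual keying is easy to get wrong by a single swapped field, so this parses the two peers' esp rules from the quoted ipsec.conf and verifies that they are mirror images (endpoints reversed, SPI and key pairs swapped, key lengths valid). It assumes peer A's $remoteip expanded to 173.167.82.52 and the ipsec.conf default aes cipher.

```python
import re

# Constructed from the two manual-keyed esp rules in the thread (peer A's $remoteip expanded).
PEER_A_RULE = (
    "esp from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef:0xbeefdead "
    "auth hmac-sha1 authkey 0xeda8f06463b2d0fed008ccc474216dba8c463a7c:"
    "0x91c763de940ce1745215c84b7535269acaef516d "
    "enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d"
)
PEER_B_RULE = (
    "esp from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead:0xdeadbeef "
    "auth hmac-sha1 authkey 0x91c763de940ce1745215c84b7535269acaef516d:"
    "0xeda8f06463b2d0fed008ccc474216dba8c463a7c "
    "enckey 0xf7795f6bdd697a43a4d28dcf1b79062d:0xb341aa065c3850edd6a61e150d6a5fd3"
)

# Field order follows ipsec.conf(5): spi and keys are written as local:peer pairs.
RULE_RE = re.compile(
    r"esp from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi_out>[^\s:]+):(?P<spi_in>\S+)"
    r" auth (?P<auth>\S+) authkey (?P<ak_local>[^\s:]+):(?P<ak_peer>\S+)"
    r" enckey (?P<ek_local>[^\s:]+):(?P<ek_peer>\S+)"
)
AES_KEY_BYTES = {16, 24, 32}  # ipsec.conf defaults the esp cipher to aes
def parse_esp_rule(line):
    """Parse one manual-keyed esp rule; backslash line continuations are joined."""
    m = RULE_RE.match(" ".join(line.replace("\\", " ").split()))
    if not m:
        raise ValueError("not a manual-keyed esp rule: " + line)
    return m.groupdict()
def key_bytes(hexkey):
    return len(bytes.fromhex(hexkey[2:] if hexkey.startswith("0x") else hexkey))
def check_peer_rules(rule_a, rule_b):
    """Return mismatches between the two peers' rules; [] means they mirror."""
    a, b = parse_esp_rule(rule_a), parse_esp_rule(rule_b)
    problems = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("endpoints are not reversed between peers")
    if (a["spi_out"], a["spi_in"]) != (b["spi_in"], b["spi_out"]):
        problems.append("SPI pair is not swapped between peers")
    if (a["ak_local"], a["ak_peer"]) != (b["ak_peer"], b["ak_local"]):
        problems.append("authkey local:peer order is not swapped between peers")
    if (a["ek_local"], a["ek_peer"]) != (b["ek_peer"], b["ek_local"]):
        problems.append("enckey local:peer order is not swapped between peers")
    for side in (a, b):  # hmac-sha1 wants a 160-bit key; AES 128/192/256
        if side["auth"] == "hmac-sha1" and key_bytes(side["ak_local"]) != 20:
            problems.append("authkey is not 20 bytes for hmac-sha1")
        if key_bytes(side["ek_local"]) not in AES_KEY_BYTES:
            problems.append("enckey is not a valid AES key length")
    return problems
```

Run against the thread's rules the check returns no problems, so the mismatch lies outside the esp rules themselves.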