On 2016-11-14 12:48, Comète wrote:
Hi,

I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
start looking at http://undeadly.org/cgi?action=article&sid=20131105075303 Now that etherip has it's own interface in 6.0, I tried to replace gif with
etherip like this:

On one host:
------------

-=>> cat /etc/hostname.bridge0
add etherip0 add vether0
up

-=>> cat /etc/hostname.vether0
inet 10.60.10.2 255.255.255.0 NONE up

-=>> cat /etc/hostname.etherip0
tunnel 1.2.3.4 4.3.2.1
up

-=>> doas cat /etc/ipsec.conf
ike active esp proto etherip from 1.2.3.4 to 4.3.2.1 psk "mypassword"


-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 4.3.2.1 to 1.2.3.4 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type use
flow esp out proto etherip from 1.2.3.4 to 4.3.2.1 peer 4.3.2.1 srcid 1.2.3.4/32 dstid 4.3.2.1/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes


On the other host:
------------------

-=>> cat /etc/hostname.bridge0
add etherip0 add vether0
up
-=>> cat /etc/hostname.vether0
inet 10.60.10.1 255.255.255.0 NONE up

-=>> cat /etc/hostname.etherip0
tunnel 4.3.2.1 1.2.3.4 up

-=>> doas cat /etc/ipsec.conf
ike passive esp proto etherip from 4.3.2.1 to 1.2.3.4 psk "mypassword"


-=>> doas ipsecctl -sa
FLOWS:
flow esp in proto etherip from 1.2.3.4 to 4.3.2.1 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type use
flow esp out proto etherip from 4.3.2.1 to 1.2.3.4 peer 1.2.3.4 srcid 4.3.2.1/32 dstid 1.2.3.4/32 type require

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0x3d8e9212 auth hmac-sha2-256 enc aes
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0x900fc2c5 auth hmac-sha2-256 enc aes


I forgot to mention that I didn't set net.inet.etherip.allow=1 and left it set to 0, as said in the "etherip" man page, because I use IPsec.

As you can see, the IPsec VPN is well established, but my problem is that I can't ping 10.60.10.1 from 10.60.10.2 or 10.60.10.2 from 10.60.10.1.

On each vether interface, tcpdump -nettti shows me that nothing is going out of them.

Any idea?

Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?

But why do you want to have Ethernet frames tunneled? If you use gif interfaces and make ospfd active on them you save a few bits. That way you can make the MTU bigger. https://cway.cisco.com/tools/ipsec-overhead-calc/ can give you an idea how big your MTU can be (needs an account but is free).

Be careful when configuring gif interfaces. ospfd only recognizes that it is a point-to-point interface when you configure the netmask as 255.255.255.255.
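To make the reply's suggestion concrete, here is an added example written for this page; it is not code from the thread, from the linked article or from the OpenBSD project. It does the arithmetic behind the overhead calculator the reply links (largest inner packet that still fits the path MTU once the gif or etherip packet is wrapped in ESP) and writes the point-to-point gif, ipsec.conf and ospfd.conf snippets for one side, with the /32 netmask the reply says ospfd needs. Assumed, not stated on the page: ESP tunnel mode with aes (AES-CBC, 16-byte IV and block) and hmac-sha2-256 (16-byte ICV), as the ipsecctl -sa output shows; a 1500-byte path MTU between 1.2.3.4 and 4.3.2.1; and that the hostname.if form `inet local 255.255.255.255 remote` sets the point-to-point destination. The addresses and the "mypassword" placeholder are the ones from the thread; the script name and function names are mine.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from OpenBSD:
# size a gif(4) (IP-in-IP) or etherip(4) (Ethernet-in-IP) tunnel carried
# inside ESP, then write the point-to-point gif/ipsec/ospfd config for one
# side. Assumed, not stated on the page: ESP tunnel mode with aes (AES-CBC,
# 16-byte IV and block) and hmac-sha2-256 (ICV truncated to 16 bytes), as the
# ipsecctl -sa output above shows, and a 1500-byte path MTU between the peers.

IP_HDR=20      # IPv4 header without options
ESP_HDR=8      # SPI + sequence number
ESP_IV=16      # AES-CBC IV
ESP_BLK=16     # AES block size: (payload + padding + 2) is a multiple of it
ESP_ICV=16     # hmac-sha2-256 ICV (RFC 4868, 128-bit truncation)

# Round $1 up to the next multiple of $2.
round_up() { echo $(( (($1 + $2 - 1) / $2) * $2 )); }

# Bytes the tunnel type $1 (gif|etherip) adds around an inner IP packet:
# gif adds one outer IP header; etherip adds an Ethernet header (14, no FCS),
# the 2-byte etherip header and the outer IP header.
encap_overhead() {
    case $1 in
    gif)     echo $IP_HDR ;;
    etherip) echo $(( 14 + 2 + IP_HDR )) ;;
    *)       echo "unknown tunnel type: $1" >&2; return 1 ;;
    esac
}

# Wire size of an ESP tunnel-mode packet protecting a $1-byte tunnel packet:
# new outer IP, ESP header, IV, padded (payload + pad length + next header), ICV.
esp_wire_size() {
    echo $(( IP_HDR + ESP_HDR + ESP_IV + $(round_up $(( $1 + 2 )) $ESP_BLK) + ESP_ICV ))
}

# Largest inner IP packet, i.e. the MTU to set on the tunnel interface, for
# tunnel type $1 so that the ESP packet still fits a path MTU of $2 bytes.
tunnel_mtu() {
    enc=$(encap_overhead "$1") || return 1
    # Solve esp_wire_size(inner + enc) <= pathmtu for inner: the encrypted
    # part may use every whole cipher block left after the fixed headers.
    room=$(( ($2 - IP_HDR - ESP_HDR - ESP_IV - ESP_ICV) / ESP_BLK * ESP_BLK ))
    echo $(( room - 2 - enc ))
}

# Write hostname.gif0, ipsec.conf and ospfd.conf for one side into directory
# $1 for review (copy into /etc by hand). Arguments: outdir local_public
# remote_public local_tunnel remote_tunnel path_mtu active|passive.
# Prints the gif MTU it chose.
write_gif_config() {
    dir=$1 lpub=$2 rpub=$3 ltun=$4 rtun=$5 mode=$7
    mtu=$(tunnel_mtu gif "$6") || return 1
    mkdir -p "$dir"
    # /32 netmask: as the reply notes, ospfd only treats the interface as
    # point-to-point with it. Assumed hostname.if form: the third field is
    # the peer's tunnel address.
    cat >"$dir/hostname.gif0" <<EOF
tunnel $lpub $rpub
inet $ltun 255.255.255.255 $rtun
mtu $mtu
up
EOF
    # gif is IP-in-IP, protocol 4 ("ipencap" in /etc/protocols), so the flow
    # matches that instead of etherip. Replace the placeholder PSK.
    cat >"$dir/ipsec.conf" <<EOF
ike $mode esp proto ipencap from $lpub to $rpub psk "mypassword"
EOF
    cat >"$dir/ospfd.conf" <<EOF
router-id $ltun
area 0.0.0.0 {
    interface gif0
}
EOF
    echo "$mtu"
}

# Usage: sh tunnel-mtu.sh OUTDIR   (the file name is hypothetical)
if [ -n "$1" ]; then
    echo "gif MTU for 1500-byte path:     $(tunnel_mtu gif 1500)"
    echo "etherip MTU for 1500-byte path: $(tunnel_mtu etherip 1500)"
    write_gif_config "$1" 1.2.3.4 4.3.2.1 10.60.10.2 10.60.10.1 1500 active >/dev/null
    echo "wrote $1/hostname.gif0 $1/ipsec.conf $1/ospfd.conf"
fi
```

With these SAs a 1500-byte path leaves 1418 bytes for a gif tunnel and 1402 for etherip; the 16-byte gap (Ethernet header plus etherip header) is the saving the reply refers to. The peer gets the mirrored addresses and `passive`, and both ends must set the same gif MTU: ospfd carries the interface MTU in its database description packets and will not bring up the adjacency on a mismatch.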
