> On Dec 3, 2018, at 12:18 PM, Rachel Roch <rr...@tutanota.de> wrote:
>
> I hope someone here can shed light on an infuriating problem I’ve spent a
> week trying to resolve without luck.
>
> The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints
> fully syspatched).
>
> The VPN worked absolutely perfectly until it suddenly started behaving
> strangely. Seriously, I’m talking about “pass any traffic you can think of”,
> then I go on holiday for a week (nobody else has physical or remote access to
> the machines, and I did not connect on holiday), then this behaviour starts.
>
> Basically the behaviour I am seeing is that anything that uses TLS is no
> longer able to connect (or at least gets no further than trying to do a TLS
> handshake, e.g. Firefox hangs showing "performing TLS handshake..." at the
> bottom of the screen), so that means:
>
> - HTTPS websites
> - VoIP
> - IMAP over TLS
> - RDP over TLS
>
> are all broken on the VPN, but all TLS-based services continue to work
> perfectly off-site (or when the site-to-site VPN is bypassed with a
> third-party VPN). This impacts multiple servers and multiple clients, so it's
> not just one server or one desktop PC, it's anything that tries to talk TLS
> over that VPN!
>
> However:
> - Ping (including large packet size, e.g. “-s 1600”)
> - SSH
> - DNS
> - Anything else you care to name that doesn’t use TLS
>
> all continue to work perfectly over the VPN.
>
> My PF rules (which cannot possibly be the problem, because they have not
> changed a single bit between “working” and “not working”) don’t even
> differentiate between traffic types, so it can’t be some sudden PF oddity:
>
>   pass in on enc from <remote_vpnets> to <local_vpnets> keep state (if-bound) $midPriority
>   pass out on enc from <local_vpnets> to <remote_vpnets> keep state (if-bound) $midPriority
>
> Similarly, my IKED config is also completely unchanged between "working" and
> "not working", and ipsecctl -sa continues to show everything correctly
> established:
>
>   ikev2 "to remote" active esp from $a_net to $b_net \
>       local $local_ext peer $remote_ext \
>       ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
>       childsa enc chacha20-poly1305 group curve25519 \
>       srcid $local_ext dstid $remote_ext \
>       ikelifetime 4h lifetime 3h bytes 512M \
>       ecdsa384
>
> This whole thing is just driving me crazy!
Rachel,

As a first step, try using s_client to connect to a TLS service and see what
comes back:

  $ openssl s_client -connect <hostname>:<port> -showcerts

There are more possible options on s_client to debug more deeply but this is a
good start.

--Paul
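As an added example (not from Paul's message), a small POSIX sh wrapper around that s_client check that tells a handshake which completes apart from one that hangs (the Firefox symptom above), one the server aborts, and a TCP connect that fails. It assumes timeout(1) is available and matches the usual OpenSSL/LibreSSL s_client summary lines.

```shell
# classify_s_client: read the captured output of an `openssl s_client` run
# from stdin and print one word describing how far the connection got.
# The matched strings are the standard s_client summary lines (assumption:
# OpenSSL 1.x / LibreSSL output format).
classify_s_client() {
    out=$(cat)
    case "$out" in
        # Handshake aborted by an alert or protocol error: no cipher negotiated.
        *"Cipher is (NONE)"*)  echo handshake-failed ;;
        # Full handshake completed: session summary printed.
        *"SSL-Session:"*)      echo handshake-ok ;;
        # TCP connect itself failed (refused, unreachable, ...).
        *)                     echo connect-failed ;;
    esac
}

# probe_tls HOST PORT [SECONDS]: run s_client under a hard timeout so a
# handshake that never completes (the "performing TLS handshake..." hang)
# is reported instead of blocking the shell. Assumes timeout(1) exists.
probe_tls() {
    host=$1; port=$2; secs=${3:-10}
    rc=0
    out=$(timeout "$secs" openssl s_client -connect "$host:$port" \
            -servername "$host" -showcerts </dev/null 2>&1) || rc=$?
    if [ "$rc" -eq 124 ]; then
        # timeout(1) exits 124 when it had to kill the command
        echo handshake-hung
        return
    fi
    printf '%s\n' "$out" | classify_s_client
}

# usage (hypothetical host, constructed): probe_tls mail.example.internal 993
```

Run it once per failing service from a client inside the VPN and once from outside; a result of handshake-hung only on the VPN path points at the tunnel rather than at the TLS service.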