Hello
We've discovered a very weird behavior in OpenBSD IPsec.
We run isakmpd -K and use ipsecctl with ipsec.conf to set up our IPsec
tunnels. When our peer adds a new network to an existing configuration on
his router, our OpenBSD box accepts the network without our intervention,
SAs and flows are created and started automatically.
I've tested this with fresh installations of OpenBSD 6.4 amd64. The test
VMs are called obsd1 and obsd2. They are directly connected to each other
on network 172.16.50.0/24.
After basic installation, I configured IP addresses, ipsec.conf and I
started isakmpd like this:
obsd1# ifconfig em0 | grep inet
inet 172.16.50.51 netmask 0xffffffe0 broadcast 172.16.50.63
obsd1# ifconfig lo0 | grep "inet "
inet 127.0.0.1 netmask 0xff000000
inet 192.168.10.1 netmask 0xffffff00
inet 192.168.100.1 netmask 0xffffff00
obsd1# isakmpd -Kv -f /var/run/isakmpd.fifo
obsd1# cat /etc/ipsec.conf
ike esp from { 192.168.10.0/24 } \
to { 192.168.20.0/24 } \
local 172.16.50.51 peer 172.16.50.48 \
psk "secret_pass"
obsd1# ipsecctl -f /etc/ipsec.conf
obsd2# ifconfig em0 | grep inet
inet 172.16.50.48 netmask 0xffffffe0 broadcast 172.16.50.63
obsd2# ifconfig lo0 | grep "inet "
inet 127.0.0.1 netmask 0xff000000
inet 192.168.20.1 netmask 0xffffff00
obsd2# isakmpd -Kv -f /var/run/isakmpd.fifo
obsd2# cat /etc/ipsec.conf
ike esp from { 192.168.20.0/24 } \
to { 192.168.10.0/24 } \
local 172.16.50.48 peer 172.16.50.51 \
psk "secret_pass"
obsd2# ipsecctl -f /etc/ipsec.conf
The above works as expected. I can do:
obsd2# ping -I 192.168.20.1 -c 1 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=255 time=1.102 ms
--- 192.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.102/1.102/1.102/0.000 ms
Now to the point. I modified obsd1 (and I've NOT modified obsd2). I added
the network 192.168.100.0/24 to ipsec.conf:
obsd1# cat /etc/ipsec.conf
ike esp from { 192.168.10.0/24 192.168.100.0/24 } \
to { 192.168.20.0/24 } \
local 172.16.50.51 peer 172.16.50.48 \
psk "secret_pass"
obsd1# ipsecctl -f /etc/ipsec.conf
And it works (as not expected by me):
obsd2# ipsecctl -sf
flow esp in from 192.168.10.0/24 to 192.168.20.0/24 peer 172.16.50.51 srcid
172.16.50.48/32 dstid 172.16.50.51/32 type use
flow esp in from 192.168.100.0/24 to 192.168.20.0/24 peer 172.16.50.51
srcid 172.16.50.48/32 dstid 172.16.50.51/32 type use
flow esp out from 192.168.20.0/24 to 192.168.10.0/24 peer 172.16.50.51
srcid 172.16.50.48/32 dstid 172.16.50.51/32 type require
flow esp out from 192.168.20.0/24 to 192.168.100.0/24 peer 172.16.50.51
srcid 172.16.50.48/32 dstid 172.16.50.51/32 type require
obsd2# ping -I 192.168.20.1 -c 1 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=1.013 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.013/1.013/1.013/0.000 ms
We do protect our network with firewalls so our peers cannot use this to
introduce new networks, but a different thing happened today.
We'd already had the network 192.168.100.32/27 in our ipsec.conf with peer
A and the tunnel to peer A was up and running.
Peer B added the network 192.168.100.0/24 to IPsec configuration on their
side and SAs and flows were automatically created for the new network on
our router. This would be a bigger issue if it happened the opposite way
(peer B using a larger netmask).
Our PF configuration doesn't help to mitigate the problem as it doesn't
know from/to which peer does the traffic on enc0 flow.
The problem showed itself up on OpenBSD 5.5. The demo described above was
done on OpenBSD 6.4, as I've already mentioned.
Does anybody see any misconfiguration or misunderstanding on our side? Or
is this a bug (IMHO a security bug) in OpenBSD IPsec implementation?
