Hello all! I'm trying to create an IPsec (IKEv1) tunnel from my router to a foreign host. I've got FLOWS and SAD records for the foreign host, and everything might be OK, but the ESP packets go out from the wrong IP address.

Configuration (sorry, I need to hide my real net):

Foreign router:
  Y.Y.Y.Y/24 - foreign network with public IP addresses:
    .1 - VPN peer
    .2 - Application server

My router:
  bge0:   X.X.X.1/28 - external subnet
  carp1:  X.X.X.3/28 (master) - meanwhile I have no slave yet
          X.X.X.4/28 - alias for IPsec
  vlan12: 10.0.12.1/24 - internal subnet

# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on=X.X.X.4
Retransmits=32
Exchange-max-time=240
DPD-check-interval=30
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

# cat /etc/ipsec.conf
ike active esp from 10.0.12.12 to Y.Y.Y.2 local X.X.X.4 peer Y.Y.Y.1 \
    main auth hmac-sha1 enc 3des group modp1024 lifetime 24h \
    quick auth hmac-sha1 enc 3des group none lifetime 8h \
    psk "verysecret"

# ipsecctl -Fd
# isakmpd -4K
# ipsecctl -f /etc/ipsec.conf
# netstat -an | grep -w 500
udp        0      0  X.X.X.4.500            *.*
# ipsecctl -sa
FLOWS:
flow esp in from Y.Y.Y.2 to 10.0.12.12 peer Y.Y.Y.1 srcid X.X.X.4/32 dstid Y.Y.Y.1/32 type use
flow esp out from 10.0.12.12 to Y.Y.Y.2 peer Y.Y.Y.1 srcid X.X.X.4/32 dstid Y.Y.Y.1/32 type require

SAD:
esp tunnel from Y.Y.Y.1 to X.X.X.4 spi 0x703bdd15 auth hmac-sha1 enc 3des-cbc
esp tunnel from X.X.X.4 to Y.Y.Y.1 spi 0x9163f209 auth hmac-sha1 enc 3des-cbc

Now I try to telnet from the internal subnetwork:

node4# telnet -b 10.0.12.12 Y.Y.Y.2 12000
Trying Y.Y.Y.2...
^C

Now check out the router:

# tcpdump -ni enc0 host Y.Y.Y.1
tcpdump: listening on enc0, link-type ENC
17:19:25.664514 (authentic,confidential): SPI 0x9163f209: 10.0.12.12.41013 > Y.Y.Y.2.12000: S 3062295815:3062295815(0) win 29200 <mss 1440,sackOK,timestamp 2280702669 0,nop,wscale 7> [tos 0x10] (encap)
17:19:26.725920 (authentic,confidential): SPI 0x9163f209: 10.0.12.12.41013 > Y.Y.Y.2.12000: S 3062295815:3062295815(0) win 29200 <mss 1440,sackOK,timestamp 2280703730 0,nop,wscale 7> [tos 0x10] (encap)

And things go crazy if you look at the source address of the ESP packets:

# tcpdump -ni bge0 host Y.Y.Y.1
tcpdump: listening on bge0, link-type EN10MB
17:19:23.398060 Y.Y.Y.1.500 > X.X.X.4.500: isakmp v1.0 exchange INFO encrypted cookie: 28259647556726a3->2772360ab1b13794 msgid: f4395193 len: 92
17:19:25.664623 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 192 len 92 [tos 0x10]
17:19:26.725975 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 193 len 92 [tos 0x10]
17:19:28.414920 X.X.X.4.500 > Y.Y.Y.1.500: isakmp v1.0 exchange INFO encrypted cookie: 28259647556726a3->2772360ab1b13794 msgid: 167f5770 len: 84
17:19:28.418532 Y.Y.Y.1.500 > X.X.X.4.500: isakmp v1.0 exchange INFO encrypted cookie: 28259647556726a3->2772360ab1b13794 msgid: 00e63d21 len: 92

What did I forget? :( Why does OpenBSD (I guess isakmpd) choose the first address of the CARP interface, and not the one I specified for the VPN only, in the case of ESP packets? I must admit that I also have a second VPN connection where the FLOW works well with a tunnel address from the private destination network, and there the ESP packets go from the right address X.X.X.4 on the external interface. I think this problem somehow occurs due to the public address, specified by the foreign service provider, that I have to use in the tunnel.

My packet filter ruleset:

set block-policy drop
set skip on { lo enc0 }
...
# IPsec
pass out quick on egress proto udp from X.X.X.4 to <ipsec> port { isakmp, ipsec-nat-t }
pass out quick on egress proto esp from X.X.X.4 to <ipsec>
pass in quick on egress proto udp from <ipsec> to X.X.X.4 port { isakmp, ipsec-nat-t }
pass in quick on egress proto esp from <ipsec> to X.X.X.4

Thanks for any help.

Regards,
Den
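As an added diagnostic that is not part of Den's post or of OpenBSD's own tools, the script below parses the `ipsecctl -sa` SAD lines and the bge0 tcpdump lines quoted above and flags every ESP packet whose outer source/destination does not match the SA that owns its SPI, which is exactly the symptom described (X.X.X.3 on the wire while the SA says X.X.X.4). The sample strings are constructed from the anonymised addresses in the post.

```python
import re

# Constructed sample of `ipsecctl -sa` SAD output, copied from the post.
SAD_OUTPUT = """\
SAD:
esp tunnel from Y.Y.Y.1 to X.X.X.4 spi 0x703bdd15 auth hmac-sha1 enc 3des-cbc
esp tunnel from X.X.X.4 to Y.Y.Y.1 spi 0x9163f209 auth hmac-sha1 enc 3des-cbc
"""

# Constructed sample of `tcpdump -ni bge0 host Y.Y.Y.1` output from the post.
TCPDUMP_OUTPUT = """\
17:19:23.398060 Y.Y.Y.1.500 > X.X.X.4.500: isakmp v1.0 exchange INFO encrypted cookie: 28259647556726a3->2772360ab1b13794 msgid: f4395193 len: 92
17:19:25.664623 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 192 len 92 [tos 0x10]
17:19:26.725975 X.X.X.3 > Y.Y.Y.1: esp spi 0x9163f209 seq 193 len 92 [tos 0x10]
17:19:28.414920 X.X.X.4.500 > Y.Y.Y.1.500: isakmp v1.0 exchange INFO encrypted cookie: 28259647556726a3->2772360ab1b13794 msgid: 167f5770 len: 84
"""

# One SAD entry: "esp tunnel from <src> to <dst> spi <spi> ..."
SAD_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)", re.M)
# One ESP packet on the outer interface: "<ts> <src> > <dst>: esp spi <spi> seq <n> ..."
ESP_RE = re.compile(r"^(\S+) (\S+) > (\S+): esp spi (0x[0-9a-fA-F]+) seq (\d+)", re.M)


def parse_sad(text):
    """Map each SPI to the (tunnel src, tunnel dst) pair the kernel holds for it."""
    return {spi.lower(): (src, dst) for src, dst, spi in SAD_RE.findall(text)}


def find_mismatches(sad, dump):
    """Return (timestamp, spi, reason) for every ESP packet whose outer IP
    header disagrees with the SA that owns the SPI, or whose SPI is unknown.
    ISAKMP (UDP/500) lines carry no 'esp spi' and are ignored."""
    problems = []
    for ts, src, dst, spi, _seq in ESP_RE.findall(dump):
        expected = sad.get(spi.lower())
        if expected is None:
            problems.append((ts, spi, f"unknown SPI, packet {src} > {dst}"))
        elif (src, dst) != expected:
            problems.append((ts, spi,
                             f"packet {src} > {dst} but SA is {expected[0]} > {expected[1]}"))
    return problems


if __name__ == "__main__":
    for ts, spi, reason in find_mismatches(parse_sad(SAD_OUTPUT), TCPDUMP_OUTPUT):
        print(f"{ts} SPI {spi}: {reason}")
```

Feed it real `ipsecctl -sa` and `tcpdump -ni <egress>` output to confirm whether only the outbound SA, or every SA, is affected.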