I have two openbsd machines configured to connect their respective downstream networks over ipsec. When I try to generate traffic (ping) from server-west's enc0 interface (10.255.255.1) to server-east's enc0 interface (10.254.255.1), traffic is sent out the corresponding SA but is never seen on server-east's enc0 interface. Only when I simultaneously generate traffic (ping, again) on server-east back to server-west do I see the echo replies from server-east on server-west.
The flows look correct in the SA table on server-west and traffic leaves on enc0, hits vio0 on server-east as ESP traffic, but is then dropped. Again, only when I also start a ping on server-east (10.254.255.1) to server-west (10.255.255.1) does the original ping session see replies. Any help is appreciated. Here are the relevant configs and outputs.

server-west:/etc/iked.conf
-------------------------
ikev2 'server-east.example.com' passive esp \
        from 10.255.255.0/24 to 10.254.255.0/24 \
        from 10.254.255.0/24 to 10.255.255.0/24 \
        from 203.0.113.50/32 to 10.254.255.0/24 \
        local 203.0.113.50 peer server-east.example.com \
        srcid server-west.example.com \
        dstid server-east.example.com \
        psk "12345" \
        tag "VPN.EAST"

server-east:/etc/iked.conf
-------------------------
ikev2 'server-west.example.com' active esp \
        from 10.254.255.0/24 to 10.255.255.0/24 \
        from 10.255.255.0/24 to 10.254.255.0/24 \
        from 100.64.1.92/32 to 10.255.255.0/24 \
        local 100.64.1.92 peer server-west.example.com \
        srcid server-east.example.com \
        dstid server-west.example.com \
        psk "12345" \
        tag "VPN.WEST"

server-west SA table:
-------------------------
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 10.254.255.0/24 to 203.0.113.50 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 10.255.255.0/24 to 10.254.255.0/24 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 10.254.255.0/24 peer 100.64.1 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
SAD:
esp tunnel from 203.0.113.50 to 100.64.1 spi 0x54e00602 enc aes-128-gcm
esp tunnel from 100.64.1 to 203.0.113.50 spi 0xcb8f2ddb enc aes-128-gcm

server-east SA table:
-------------------------
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp in from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp in from 10.255.255.0/24 to 100.64.1.92 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 100.64.1.92 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
SAD:
esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x54e00602 enc aes-128-gcm
esp tunnel from 100.64.1.92 to 203.0.113.50 spi 0xcb8f2ddb enc aes-128-gcm

server-west PF rule:
-------------------------
@73 pass log quick on enc0 all flags S/SA tagged VPN.EAST

server-east PF rule:
-------------------------
@58 pass log quick on enc0 all flags S/SA tagged VPN.WEST

server-west `tcpdump -ni enc0`
-------------------------
11:03:11.000828 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:12.009003 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:13.008926 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:14.008978 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:15.009014 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:16.009057 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:17.008943 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:18.008968 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:19.008965 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)
11:03:20.008948 (authentic,confidential): SPI 0x54e00602: 10.255.255.1 > 10.254.255.1: icmp: echo request (encap)

server-east `tcpdump -ni vio0 proto 50`
-------------------------
11:03:11.023733 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 1 len 120
11:03:12.031911 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 2 len 120
11:03:13.031848 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 3 len 120
11:03:14.031945 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 4 len 120
11:03:15.031885 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 5 len 120
11:03:16.031958 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 6 len 120
11:03:17.031832 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 7 len 120
11:03:18.031858 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 8 len 120
11:03:19.031841 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 9 len 120
11:03:20.031809 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 10 len 120

server-west daemon output:
-------------------------
Mar 21 10:31:06 server-west iked[31526]: ikev2_init_ike_sa: initiating "server-east.example.com"
Mar 21 10:31:06 server-west iked[31526]: spi=0x7d9b31c54f07f02b: send IKE_SA_INIT req 0 peer 100.64.1:500 local 203.0.113.50:500, 502 bytes
Mar 21 10:31:08 server-west iked[31526]: spi=0x7d9b31c54f07f02b: retransmit 1 IKE_SA_INIT req 0 peer 100.64.1:500 local 203.0.113.50:500
Mar 21 10:31:12 server-west iked[31526]: spi=0x7d9b31c54f07f02b: retransmit 2 IKE_SA_INIT req 0 peer 100.64.1:500 local 203.0.113.50:500
Mar 21 10:31:15 server-west iked[31526]: spi=0x9a0064bda94d708f: ikev2_childsa_enable: loaded SPIs: 0x999e69d8, 0x2e7aaafc (enc aes-128-gcm esn)
Mar 21 10:31:15 server-west iked[31526]: spi=0x9a0064bda94d708f: ikev2_childsa_enable: loaded flows: ESP-10.255.255.0/24=10.254.255.0/24(0), ESP-203.0.113.50/32=10.254.255.0/24(0)
Mar 21 10:31:15 server-west iked[31526]: spi=0x9a0064bda94d708f: established peer 100.64.1:500[FQDN/server-east.example.com] local 203.0.113.50:500[FQDN/server-west.example.com] policy 'server-east.example.com' as responder (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
Mar 21 10:31:20 server-west iked[31526]: spi=0x7d9b31c54f07f02b: retransmit 3 IKE_SA_INIT req 0 peer 100.64.1:500 local 203.0.113.50:500
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: recv IKE_SA_INIT res 0 peer 100.64.1:500 local 203.0.113.50:500, 214 bytes, policy 'server-east.example.com'
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: send IKE_AUTH req 1 peer 100.64.1:500 local 203.0.113.50:500, 345 bytes
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: recv IKE_AUTH res 1 peer 100.64.1:500 local 203.0.113.50:500, 229 bytes, policy 'server-east.example.com'
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: ikev2_childsa_enable: loaded SPIs: 0x2df4542a, 0xba229585 (enc aes-128-gcm esn)
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: ikev2_childsa_enable: loaded flows: ESP-10.255.255.0/24=10.254.255.0/24(0), ESP-203.0.113.50/32=10.254.255.0/24(0)
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: established peer 100.64.1:500[FQDN/server-east.example.com] local 203.0.113.50:500[FQDN/server-west.example.com] policy 'server-east.example.com' as initiator (enc aes-128-gcm group curve25519 prf hmac-sha2-256)

server-east daemon output:
-------------------------
Mar 21 10:31:15 server-east iked[39785]: ikev2_init_ike_sa: initiating "server-west.example.com"
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: send IKE_SA_INIT req 0 peer 203.0.113.50:500 local 100.64.1.92:500, 502 bytes
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: recv IKE_SA_INIT res 0 peer 203.0.113.50:500 local 100.64.1.92:500, 214 bytes, policy 'server-west.example.com'
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: send IKE_AUTH req 1 peer 203.0.113.50:500 local 100.64.1.92:500, 345 bytes
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: recv IKE_AUTH res 1 peer 203.0.113.50:500 local 100.64.1.92:500, 229 bytes, policy 'server-west.example.com'
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: ikev2_childsa_enable: loaded SPIs: 0x999e69d8, 0x2e7aaafc (enc aes-128-gcm esn)
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: ikev2_childsa_enable: loaded flows: ESP-10.254.255.0/24=10.255.255.0/24(0), ESP-100.64.1.92/32=10.255.255.0/24(0)
Mar 21 10:31:15 server-east iked[39785]: spi=0x9a0064bda94d708f: established peer 203.0.113.50:500[FQDN/server-west.example.com] local 100.64.1.92:500[FQDN/server-east.example.com] policy 'server-west.example.com' as initiator (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
Mar 21 10:31:21 server-east iked[39785]: spi=0x7d9b31c54f07f02b: ikev2_childsa_enable: loaded SPIs: 0x2df4542a, 0xba229585 (enc aes-128-gcm esn)
Mar 21 10:31:21 server-east iked[39785]: spi=0x7d9b31c54f07f02b: ikev2_childsa_enable: loaded flows: ESP-10.254.255.0/24=10.255.255.0/24(0), ESP-100.64.1.92/32=10.255.255.0/24(0)
Mar 21 10:31:21 server-east iked[39785]: spi=0x7d9b31c54f07f02b: established peer 203.0.113.50:500[FQDN/server-west.example.com] local 100.64.1.92:500[FQDN/server-east.example.com] policy 'server-west.example.com' as responder (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
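The following is an added example, not code from the poster or from OpenBSD. It is the kind of cross-check a practitioner runs on the receiving side of a tunnel before looking anywhere else: given the receiver's SA table (assumed here to be `ipsecctl -sa` output, which prints the same FLOWS:/SAD: layout as the tables above), the ESP packets that arrived on its outer interface, and the inner addresses seen on the sender's enc0, does the receiver hold an inbound SA for that SPI and an inbound flow whose selectors cover the inner packet? A second function counts established IKE SAs per policy in iked's log lines. The sample inputs are constructed from the outputs in the post, condensed: server-east's table is used because the `100.64.1` peer shown in server-west's table does not parse as an address. Run against these inputs, the checks come out as follows: for the 10.255.255.1 -> 10.254.255.1 ping the east tables are consistent (SA present, inbound flow present); for traffic from west's own 203.0.113.50 to 10.254.255.0/24, which west has an outbound flow for, east has no inbound flow; and west's log contains two established IKE SAs for the same policy, one as responder at 10:31:15 and one as initiator at 10:31:21.

```python
"""Consistency checks for the receiving end of an OpenBSD iked IPsec tunnel.

Added example (not from the post or from OpenBSD). Parses the text of
`ipsecctl -sa`, `tcpdump -ni <if> proto 50` and iked's 'established' log
lines, then checks: (1) every ESP SPI arriving at the local address has an
inbound SA, (2) an inbound flow covers the inner src/dst, (3) how many IKE
SAs each policy has established.
"""
import ipaddress
import re

FLOW_RE = re.compile(r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)")
SA_RE = re.compile(r"^esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+)")
ESP_RE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): esp spi (?P<spi>0x[0-9a-f]+) seq (?P<seq>\d+)")
EST_RE = re.compile(r"spi=(?P<ikespi>0x[0-9a-f]+): established .* policy '(?P<policy>[^']+)' as (?P<role>initiator|responder)")

# Constructed sample input, condensed from server-east's SA table in the post
# (srcid/dstid fields dropped; the checks do not need them).
EAST_IPSECCTL = """\
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 type require
flow esp in from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 type require
flow esp in from 10.255.255.0/24 to 100.64.1.92 peer 203.0.113.50 type require
flow esp out from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 type require
flow esp out from 100.64.1.92 to 10.255.255.0/24 peer 203.0.113.50 type require
SAD:
esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x54e00602 enc aes-128-gcm
esp tunnel from 100.64.1.92 to 203.0.113.50 spi 0xcb8f2ddb enc aes-128-gcm
"""

# Constructed sample input: first lines of `tcpdump -ni vio0 proto 50` on server-east.
EAST_CAPTURE = """\
11:03:11.023733 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 1 len 120
11:03:12.031911 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 2 len 120
11:03:13.031848 203.0.113.50 > 100.64.1.92: esp spi 0x54e00602 seq 3 len 120
"""

# Constructed sample input: the two 'established' lines from server-west's iked log.
WEST_LOG = """\
Mar 21 10:31:15 server-west iked[31526]: spi=0x9a0064bda94d708f: established peer 100.64.1:500[FQDN/server-east.example.com] local 203.0.113.50:500[FQDN/server-west.example.com] policy 'server-east.example.com' as responder (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
Mar 21 10:31:21 server-west iked[31526]: spi=0x7d9b31c54f07f02b: established peer 100.64.1:500[FQDN/server-east.example.com] local 203.0.113.50:500[FQDN/server-west.example.com] policy 'server-east.example.com' as initiator (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
"""


def parse_ipsecctl(text):
    """Split an `ipsecctl -sa` dump into flow entries and SA entries."""
    flows, sas = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append({"dir": m["dir"], "peer": m["peer"],
                          "src": ipaddress.ip_network(m["src"], strict=False),
                          "dst": ipaddress.ip_network(m["dst"], strict=False)})
            continue
        m = SA_RE.match(line)
        if m:
            sas.append({"src": ipaddress.ip_address(m["src"]),
                        "dst": ipaddress.ip_address(m["dst"]),
                        "spi": int(m["spi"], 16)})
    return flows, sas


def parse_esp_capture(text):
    """Parse `tcpdump -n ... proto 50` lines into src/dst/spi/seq records."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line.strip())
        if m:
            pkts.append({"src": ipaddress.ip_address(m["src"]),
                         "dst": ipaddress.ip_address(m["dst"]),
                         "spi": int(m["spi"], 16), "seq": int(m["seq"])})
    return pkts


def check_receiver(ipsecctl_text, capture_text, local, inner_src, inner_dst):
    """Return a list of problems for ESP packets addressed to `local`, assuming
    the plaintext inside them is inner_src -> inner_dst (taken from the
    sender's enc0 capture, since the receiver never showed it on its enc0)."""
    flows, sas = parse_ipsecctl(ipsecctl_text)
    local = ipaddress.ip_address(local)
    isrc, idst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    problems = []
    # One SA lookup per distinct (outer source, SPI) pair seen on the wire.
    seen = {(p["src"], p["spi"]) for p in parse_esp_capture(capture_text) if p["dst"] == local}
    for src, spi in sorted(seen):
        if not any(sa["spi"] == spi and sa["src"] == src and sa["dst"] == local for sa in sas):
            problems.append(f"no inbound SA for spi {spi:#x} from {src}")
    # The decrypted packet must also match an inbound flow's selectors.
    if not any(f["dir"] == "in" and isrc in f["src"] and idst in f["dst"] for f in flows):
        problems.append(f"no inbound flow covering {isrc} -> {idst}")
    return problems


def ike_sas_per_policy(log_text):
    """Map policy name -> [(IKE SPI, role)] for every 'established' log line."""
    out = {}
    for line in log_text.splitlines():
        m = EST_RE.search(line)
        if m:
            out.setdefault(m["policy"], []).append((m["ikespi"], m["role"]))
    return out


if __name__ == "__main__":
    for inner in (("10.255.255.1", "10.254.255.1"), ("203.0.113.50", "10.254.255.1")):
        print(inner, check_receiver(EAST_IPSECCTL, EAST_CAPTURE, "100.64.1.92", *inner) or "ok")
    for policy, ike_sas in ike_sas_per_policy(WEST_LOG).items():
        print(policy, len(ike_sas), "IKE SA(s):", ike_sas)
```

On a live box the three inputs come from `ipsecctl -sa`, `tcpdump -ni vio0 proto 50` and `/var/log/daemon` respectively; the inner addresses are whatever the sender's `tcpdump -ni enc0` shows after the SPI. The flow check only covers address selectors, not the srcid/dstid or pf tag, so a clean result here still leaves the enc0 pf rule and the tag as the next things to verify.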