On Sun, Oct 15, 2023 at 09:15:07AM -0500, rea...@catastrophe.net wrote:
[..]

Some numbers got transposed in this message. All the devices are truly on
10.99.2.0/24 (even when 10.89.2 was in the original email)

>site-obsd# ping -qc2 r1
>PING r1 (10.89.2.1): 56 data bytes
          ^^^^^^^^^^^^ 10.99.2.1
>^C
>--- r1 ping statistics ---
>2 packets transmitted, 2 packets received, 0.0% packet loss
>round-trip min/avg/max/std-dev = 1.096/1.227/1.358/0.131 ms
>
>
>All good there. Now I want to send all default traffic to/from the
>hub/router through an IPsec tunnel so that the router on the far end of
>site-obsd can access the rest of the network.
>
>Basically, default route traffic from r1 should hit site-obsd's em1 interface,
>then go through the IPsec tunnel to hub, as follows:
>
>----        --------------------         -----------
>|r1| -> em1 |site-obsd| enc0 -> enc0 |hub|
>----        --------------------         -----------
>
>The iked configurations are pretty straightforward
>
># SITE /etc/iked.conf
>ikev2 'HUB-NET' active esp \
>    from 10.99.0.0/16 to 0.0.0.0/0 \
>    peer 172.16.1.1 \
>    ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>    childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>    srcid 192.168.1.1 dstid 172.16.1.1 \
>    lifetime 7200 bytes 4G psk "XXXXXXXX" tag "vpn.site-hub"
>
># HUB /etc/iked.conf
>ikev2 'SITE-NET' passive esp \
>    from 0.0.0.0/0 to 10.99.0.0/16 \
>    peer 192.168.1.1 \
>    ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>    childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>    srcid 172.16.1.1 dstid 192.168.1.1 \
>    lifetime 7200 bytes 4G psk "XXXXXXXX" tag "vpn.hub-site"
>
>
>Starting iked on site-obsd brings up the tunnel:
>
>site-obsd# rcctl start iked
>iked(ok)
>
>site-obsd# ipsecctl -sa | grep '172.16.1'
>esp tunnel from 192.168.1.1 to 172.16.1.1 spi 0x2d97c8d2 enc aes-256-gcm
>esp tunnel from 172.16.1.1 to 192.168.1.1 spi 0xcca66c6c enc aes-256-gcm
>
>
>However, when I try and ping r1 from site-obsd, that traffic is now being
>matched by iked and being sent over the tunnel:
>
>site-obsd# ping -qc2 r1
>PING r1 (10.89.2.1): 56 data bytes
          ^^^^^^^^^^^^^^ 10.99.2.1
>^C
>--- r1 ping statistics ---
>2 packets transmitted, 0 packets received, 100.0% packet loss
>
>site-obsd# tcpdump -ni enc0
>tcpdump: listening on enc0, link-type ENC
>08:53:48.275553 (authentic,confidential): SPI 0x2d97c8d2: 10.89.2.20 > 10.89.2.1: icmp: echo request (encap)
>08:53:49.275583 (authentic,confidential): SPI 0x2d97c8d2: 10.89.2.20 > 10.89.2.1: icmp: echo request (encap)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^ 10.99.2.20 and 10.99.2.1

Apologies for the mix-up.
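As an added illustration (example code, not from the thread or from OpenBSD's iked or kernel) of why the local ping is caught: a small Python model of the from/to flow check that the two quoted iked.conf entries install, run over the corrected 10.99.2.0/24 addresses. It models only whether a packet's source and destination fall inside a flow's networks; precedence among several flows in the real SPD is not modelled, and 8.8.8.8 is a constructed sample destination.

```python
# Flow model for the 'from X to Y' lines of the quoted iked.conf files.
# Added example; not part of the thread or of OpenBSD's own code.
# Rule modelled: a packet is handed to the tunnel when its source lies in
# the flow's "from" network and its destination in its "to" network.
from ipaddress import ip_address, ip_network

# site-obsd:  ikev2 'HUB-NET' ...  from 10.99.0.0/16 to 0.0.0.0/0
SITE_FLOWS = [("10.99.0.0/16", "0.0.0.0/0")]
# hub:        ikev2 'SITE-NET' ... from 0.0.0.0/0 to 10.99.0.0/16
HUB_FLOWS = [("0.0.0.0/0", "10.99.0.0/16")]


def matching_flow(flows, src, dst):
    """Return the first (from, to) flow that covers src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for frm, to in flows:
        if s in ip_network(frm) and d in ip_network(to):
            return (frm, to)
    return None


def goes_through_tunnel(flows, src, dst):
    """True when the packet would leave via the ESP/enc0 path."""
    return matching_flow(flows, src, dst) is not None


def classify(flows, packets):
    """Audit helper: map each (src, dst) pair to the flow it matched."""
    return {p: matching_flow(flows, *p) for p in packets}


if __name__ == "__main__":
    # Constructed sample packets; 8.8.8.8 stands in for any off-site host.
    packets = [
        ("10.99.2.20", "10.99.2.1"),    # site-obsd pinging r1 on its own LAN
        ("10.99.2.1", "8.8.8.8"),       # r1's default-route traffic (intended)
        ("192.168.1.1", "172.16.1.1"),  # the IKE/ESP peers talking to each other
    ]
    for (src, dst), flow in classify(SITE_FLOWS, packets).items():
        print(f"{src:>12} -> {dst:<12} : {flow or 'not tunnelled'}")
```

The first line of the output is the problem from the thread: the LAN ping to r1 sits inside 10.99.0.0/16 -> 0.0.0.0/0, so it is tunnelled along with the traffic that was meant to be.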