Hi, I am trying to build IP-IP flows with the new ipsecctl tool. I have two OpenBSD 4.0 snapshots running in different vmware virtual machines, attached to the same network.
Box 1 has the following configuration:

    fw_1 = "10.0.0.1/32"
    fw_2 = "10.0.0.2/32"
    flow ipip from $fw_1 to $fw_2
    ipip from $fw_1 to $fw_2 spi 0x1111:0x1110

And Box 2:

    fw_1 = "10.0.0.1/32"
    fw_2 = "10.0.0.2/32"
    flow ipip from $fw_2 to $fw_1
    ipip from $fw_2 to $fw_1 spi 0x1110:0x1111

When I ping from either machine to the other having these flows/associations in place, I can see the following on the receiving end (using tcpdump):

In Box 1:

    # ping 10.0.0.2

In Box 2:

    # tcpdump -ni pcn0
    tcpdump: listening on pcn0, link-type EN10MB
    17:44:01.570028 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:02.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:03.590016 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:04.590479 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:05.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)

And the reply is never sent from Box 2. I've tried to set net.inet.ipip.allow to 1, but it's the same story. pf is disabled. I've also tried tcpdump on the enc0 interface (after bringing it up), but I don't see anything there either.

I was successful in setting up ipsecctl to use esp flows, though. The thing is that I didn't find any examples using ipip with ipsecctl. Any clues?

Thanks,
Martmn.
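The capture in the post shows the classic symptom of a one-way tunnel: encapsulated echo requests arrive, but no echo replies ever travel back. When checking a capture like this by hand across several peers it is easy to miss a pair that only talks in one direction. The following script is an added example (not code from the post or from OpenBSD) that parses tcpdump's ICMP echo lines and reports each src/dst pair with its request count and the number of replies seen flowing back. The sample capture is constructed: the five lines from the post, plus a made-up healthy request/reply exchange between 10.0.0.3 and 10.0.0.4 so the report has something to contrast against.

```python
import re
from collections import Counter

# Constructed sample capture: the five one-way lines from the post, followed by
# a made-up request/reply pair (10.0.0.3 <-> 10.0.0.4) that represents a working tunnel.
SAMPLE_CAPTURE = """\
17:44:01.570028 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:02.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:03.590016 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:04.590479 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:05.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:06.100000 10.0.0.3 > 10.0.0.4: icmp: echo request (encap)
17:44:06.100500 10.0.0.4 > 10.0.0.3: icmp: echo reply (encap)
"""

# Matches the tcpdump ICMP echo line format shown in the post; "(encap)" is optional
# so plain (non-tunnelled) echo traffic is parsed as well.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
    r"(?P<encap>\s+\(encap\))?\s*$"
)


def parse_line(line):
    """Return a dict for an ICMP echo request/reply line, or None for anything
    else (the tcpdump banner, non-ICMP traffic)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "kind": m.group("kind"),
        "encap": m.group("encap") is not None,
    }


def echo_balance(capture):
    """Count echo requests per (src, dst) pair and the echo replies that flow
    back for that pair. Returns {(src, dst): (requests, replies)}."""
    requests = Counter()
    replies = Counter()
    for raw in capture.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "request":
            requests[(rec["src"], rec["dst"])] += 1
        else:
            # A reply from B to A answers requests that went from A to B,
            # so credit it to the (A, B) pair.
            replies[(rec["dst"], rec["src"])] += 1
    return {pair: (n, replies[pair]) for pair, n in requests.items()}


def unanswered_pairs(capture, min_requests=3):
    """Pairs that sent at least min_requests echo requests and saw no reply:
    the one-way-tunnel symptom from the post."""
    return sorted(
        pair
        for pair, (req, rep) in echo_balance(capture).items()
        if req >= min_requests and rep == 0
    )


if __name__ == "__main__":
    for pair, (req, rep) in echo_balance(SAMPLE_CAPTURE).items():
        print(f"{pair[0]} -> {pair[1]}: {req} requests, {rep} replies")
    print("one-way pairs:", unanswered_pairs(SAMPLE_CAPTURE))
```

Feed it a real capture with something like `tcpdump -ni pcn0 icmp > capture.txt` and pass the file contents to `echo_balance`; the `min_requests` threshold keeps a single lost packet from being reported as a broken tunnel.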