I had the same problem! I've not tried it much but I have almost the same configuration. I couldn't find much information about setting ipip on the new ipsec.conf either.

Alejandro.

Martín Coco wrote:

Hi,

I am trying to build IP-IP flows with the new ipsecctl tool. I have two
OpenBSD 4.0 snapshots running in different vmware virtual machines,
attached to the same network.

Box 1 has the following configuration:

 fw_1 = "10.0.0.1/32"
 fw_2 = "10.0.0.2/32"
 flow ipip from $fw_1 to $fw_2
 ipip from $fw_1 to $fw_2 spi 0x1111:0x1110

And Box 2:

 fw_1 = "10.0.0.1/32"
 fw_2 = "10.0.0.2/32"
 flow ipip from $fw_2 to $fw_1
 ipip from $fw_2 to $fw_1 spi 0x1110:0x1111

When I ping from either machine to the other having these
flows/associations in place, I can see the following on the receiving
end (using tcpdump):

In Box 1

# ping 10.0.0.2

In Box 2

# tcpdump -ni pcn0
tcpdump: listening on pcn0, link-type EN10MB
17:44:01.570028 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:02.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:03.590016 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:04.590479 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
17:44:05.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)

And the reply is never sent from box 2. I've tried to set
net.inet.ipip.allow to 1, but it's the same story. pf is disabled.

I've also tried tcpdump on the enc0 interface (after bringing it up),
but I don't see anything there either.

I was successful in setting up ipsecctl to use esp flows though. The
thing is that I didn't find any examples using ipip with ipsecctl.

Any clues?

Thanks,
Martín.

