For the record:
The problem was not with the single interface, but with my
misreading the documentation. The error was in specifying the tunnel
twice. The working ipsec directives are of course:
ipsec.conf on A:
ike esp from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B>
ipsec.conf on B:
ike passive esp tunnel from any to <Destination Net> srcid <fqdn B>
Markus Wernig wrote:
Hi all
I've looked through what documentation I could find, but didn't find this
case mentioned, so I assumed it would work (which it doesn't):
I have an OBSD 4.1 vpn gateway (A) with only one interface, over which
the default route points out and over which the packets to forward
through the tunnel arrive. The other gateway is a "regular" 2-interface
OBSD 4.1 gateway (B).
Here's the layout:
Internal Net -- <NAT router A> -- VPN gateway A
                                       |
                                   Internet
                                       |
                                 <NAT router B>
                                       |
                                  VPN gateway B
                                       |
                                 Destination Net
The tunnel seemingly does get created without any errors, but when
packets pass through the tunnel, the remote gateway sends them right
back. Also, on both gateways, 4 flows and 4 SADs get created, instead of
2 each, as I'd expect:
# ipsecctl -s all
FLOWS:
flow esp in from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type use
flow esp out from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type require
flow esp in from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type use
flow esp out from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A> dstid <fqdn B> type require
SAD:
esp tunnel from <VPN Gateway B> to <VPN Gateway A> spi 0xADEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway B> to <VPN Gateway A> spi 0xBDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway A> to <VPN Gateway B> spi 0xCDEADBEEF auth hmac-sha2-256 enc aes
esp tunnel from <VPN Gateway A> to <VPN Gateway B> spi 0xDDEADBEEF auth hmac-sha2-256 enc aes
Thus, contradicting routes get added to the kernel routing tables:
gateway B:
Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
<Internal Net>      0     <Destination Host>  0     0      NAT router A/esp/use/in
<Destination Host>  0     <Internal Net>      0     0      NAT router A/esp/require/out
<Destination Host>  0     <Internal Net>      0     0      NAT router A/esp/use/in
<Internal Net>      0     <Destination Host>  0     0      NAT router A/esp/require/out
ipsec.conf on A:
ike esp from <Internal Net> to <Destination Net> peer <VPN Gateway B> srcid <fqdn A>
ike esp from <Destination Net> to <Internal Net> peer <VPN Gateway B> srcid <fqdn A>
ipsec.conf on B:
ike passive esp tunnel from any to <Destination Net> srcid <fqdn B>
ike passive esp tunnel from <Destination Net> to any srcid <fqdn B>
A tcpdump on enc0 of both gateways shows the packets looping between the
two gateways until ttl == 1.
Can anybody tell me if this is supposed to work at all? Does anyone see
an obvious flaw? I'm really lost at why the gateways add flows and
routes in both directions...
thx /markus
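As an added illustration (not part of the original thread or of OpenBSD), a small Python check over constructed `ipsecctl -s all` output that flags the four-flow symptom discussed above: a correctly declared tunnel gives one `out` flow for (local, remote) and one `in` flow for (remote, local), so an ordered network pair that carries both directions means the tunnel was specified twice. The addresses, host names and SPI are made up (RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict

# Constructed sample of `ipsecctl -s all` output reproducing the thread's
# four-flow symptom; addresses are RFC 5737 documentation ranges, not real hosts.
BROKEN_OUTPUT = """\
FLOWS:
flow esp in from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type use
flow esp out from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type require
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type use
flow esp out from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type require
SAD:
"""

# Constructed output of the same gateway once the tunnel is declared only once.
HEALTHY_OUTPUT = """\
FLOWS:
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type use
flow esp out from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid gw-a.example.net dstid gw-b.example.net type require
SAD:
"""

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?.*?\s+type\s+(?P<type>\S+)\s*$"
)

def parse_flows(text):
    """Return one dict per 'flow' line found between the FLOWS: and SAD: headers."""
    flows, in_section = [], False
    for line in text.splitlines():
        if line.startswith("FLOWS:"):
            in_section = True
        elif line.startswith("SAD:"):
            break
        elif in_section:
            m = FLOW_RE.match(line.strip())
            if m:
                flows.append(m.groupdict())
    return flows

def find_mirrored_flows(flows):
    """A sane tunnel yields 'out' for (local, remote) and 'in' for (remote, local).
    An ordered (src, dst) pair carrying BOTH directions means the tunnel was
    declared once per direction, the misconfiguration described in the thread."""
    dirs_by_pair = defaultdict(set)
    for f in flows:
        dirs_by_pair[(f["src"], f["dst"])].add(f["dir"])
    return sorted(pair for pair, dirs in dirs_by_pair.items() if dirs == {"in", "out"})
```

Feed it the real output of `ipsecctl -s all` on each gateway; an empty result means each network pair has a single direction, which is what the corrected one-line tunnel declaration produces.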