Hi,
I'm setting up an ipsec connection between two hosts and I noticed that
as soon as ipsec is active, any TCP and UDP traffic (but not ICMP??) to
the local IP gets redirected to the enc0 interface and shows up as
encoded traffic originating from the other(!) endpoint.
It doesn't matter if the other endpoint actually exists / is online.
(If the other host is online, the traffic *between them* works as
expected = encrypted)
My expectation (from the flows in ipsec.conf) would be that traffic for
the local IP should be ignored by ipsec and should show up as unencoded
traffic on lo0. Only traffic with the exact "from" AND "to" should be
handled by ipsec.
Any ideas what I'm doing wrong here?
Test setup:
*) fresh install, i386/release 4.6
pc50_root# uname -a
OpenBSD pc50.abc.test 4.6 GENERIC#58 i386
*) pf is disabled
*) host: "pc50" / 10.10.1.50
*) remote host 10.10.1.99 doesn't exist (I've tested it; same results if
it existed)
1) no ipsec
*) first issue a "ping 10.10.1.50", then "telnet 10.10.1.50 80" from local host
pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:16:50.770037 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:16:50.770421 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:16:51.778162 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:16:51.778268 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:16:57.686028 10.10.1.50.26068 > 10.10.1.50.80: S 310361823:310361823(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1189411092 0> (DF) [tos 0x10]
Feb 20 20:16:57.686762 10.10.1.50.80 > 10.10.1.50.26068: R 0:0(0) ack 310361824 win 0 (DF)
*) as expected, all traffic on lo0, nothing on another interface
2) ipsec enabled
*) ipsec.conf
flow esp from 10.10.1.50 to 10.10.1.99 peer 10.10.1.99
esp from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39:0xc9dbb83d \
    authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
    enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
*) start ipsec
pc50_root# isakmpd -K -4 -a
pc50_root# ipsecctl -f /etc/ipsec.conf
pc50_root# ipsecctl -s all
FLOWS:
flow esp in from 10.10.1.99 to 10.10.1.50 peer 10.10.1.99 type require
flow esp out from 10.10.1.50 to 10.10.1.99 peer 10.10.1.99 type require
SAD:
esp tunnel from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39 auth
hmac-sha2-256 enc aes
esp tunnel from 10.10.1.99 to 10.10.1.50 spi 0xc9dbb83d auth
hmac-sha2-256 enc aes
*) again "ping 10.10.1.50", then "telnet 10.10.1.50 80"
pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:33:46.979267 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:33:46.979968 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:33:47.996163 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:33:47.996293 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:33:51.332969 esp 10.10.1.99 > 10.10.1.50 spi 0xc9dbb83d seq 1 len 116 (DF) [tos 0x10]
pc50_root# tcpdump -nettti enc0
tcpdump: listening on enc0, link-type ENC
Feb 20 20:33:51.330716 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.28112 > 10.10.1.50.80: S 2213859062:2213859062(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1093745733 0> (DF) [tos 0x10] (encap)
Feb 20 20:33:51.334430 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.28112 > 10.10.1.50.80: S 2213859062:2213859062(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1093745733 0> (DF) [tos 0x10] (encap)
*) as you can see, the TCP traffic arrives from .99 as ipsec traffic and inside is the original request
3) ipsec still enabled
*) "ping 127.0.0.1" and "telnet 127.0.0.1 80"
pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:42:35.720121 127.0.0.1 > 127.0.0.1: icmp: echo request
Feb 20 20:42:35.720274 127.0.0.1 > 127.0.0.1: icmp: echo reply
Feb 20 20:42:36.730615 127.0.0.1 > 127.0.0.1: icmp: echo request
Feb 20 20:42:36.731330 127.0.0.1 > 127.0.0.1: icmp: echo reply
Feb 20 20:42:48.990875 127.0.0.1.29884 > 127.0.0.1.80: S 3653836207:3653836207(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4200983611 0> (DF) [tos 0x10]
Feb 20 20:42:48.991369 127.0.0.1.80 > 127.0.0.1.29884: R 0:0(0) ack 3653836208 win 0 (DF)
*) traffic to 127.0.0.1 works as expected, no traffic on enc0
kind regards,
Robert
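The post's reasoning is that a flow should only claim a packet when the direction, the "from" selector and the "to" selector all match. The following is an added example, not code from the post and not OpenBSD's kernel or ipsecctl code: it parses the FLOWS section exactly as `ipsecctl -s all` printed it above (embedded here as constructed input) and applies that expected selector matching to the packets from the three tests. The function names and the `Flow` dataclass are assumptions made for this example. It models the expected policy lookup only; it does not reproduce, and therefore does not explain, the enc0 behaviour observed in test 2.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the FLOWS block as printed by "ipsecctl -s all" in the post.
IPSECCTL_FLOWS = """\
FLOWS:
flow esp in from 10.10.1.99 to 10.10.1.50 peer 10.10.1.99 type require
flow esp out from 10.10.1.50 to 10.10.1.99 peer 10.10.1.99 type require
"""

# One "flow" line of ipsecctl output: protocol, direction, selectors, optional peer and type.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\w+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?(?: type (?P<type>\w+))?\s*$"
)


@dataclass(frozen=True)
class Flow:  # hypothetical model of one SPD entry
    proto: str
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: Optional[str]
    type: str


def parse_flows(text: str) -> list:
    """Parse the FLOWS lines of ipsecctl -s all into Flow objects (SAD lines are ignored)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(
            proto=m["proto"],
            direction=m["dir"],
            # a bare host address becomes a /32 network; "a.b.c.d/n" is kept as given
            src=ipaddress.ip_network(m["src"], strict=False),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            peer=m["peer"],
            type=m["type"] or "require",
        ))
    return flows


def match_flow(flows: list, direction: str, src: str, dst: str) -> Optional[Flow]:
    """Expected lookup: a flow applies only if direction, source AND destination all match."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for f in flows:
        if f.direction == direction and s in f.src and d in f.dst:
            return f
    return None


def classify(flows: list, direction: str, src: str, dst: str) -> str:
    """Human-readable verdict for one packet under the expected matching rules."""
    f = match_flow(flows, direction, src, dst)
    if f is None:
        return "cleartext"
    return f"{f.type} {f.proto} {f.direction} peer {f.peer}"


FLOWS = parse_flows(IPSECCTL_FLOWS)

if __name__ == "__main__":
    # Packets from the post's tests plus the real tunnel traffic, as (direction, src, dst).
    cases = [
        ("out", "10.10.1.50", "10.10.1.99"),   # traffic to the peer: should be protected
        ("in", "10.10.1.99", "10.10.1.50"),    # traffic from the peer: should be protected
        ("out", "10.10.1.50", "10.10.1.50"),   # test 2: local IP to itself
        ("in", "10.10.1.50", "10.10.1.50"),    # test 2: same packet on the inbound path
        ("out", "127.0.0.1", "127.0.0.1"),     # test 3: loopback address
    ]
    for direction, src, dst in cases:
        print(f"{direction:3} {src:>11} -> {dst:<11} {classify(FLOWS, direction, src, dst)}")
```

Under these rules the 10.10.1.50 -> 10.10.1.50 packet of test 2 matches neither flow in either direction, which is the result the post expected to see on lo0; comparing this model's verdict with the enc0 capture is a quick way to state precisely which packet the kernel treated differently from the policy as written.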