Folks,
I'm running 4.8-stable on one end and 4.5-stable at the other of a
site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
working before upgrading the 4.5-stable end.) The tunnel is configured using
ipsec.conf and ipsecctl, and the relevant portions of the configs are:
4.8 side
----------
ike esp from $internal_subnet \
to $outpost_subnet \
local $fios_tunnel_host \
peer $outpost_tunnel_host
4.5 side
----------
ike passive esp from $local_network to $remote_network peer
$remote_gateway_ip
The flows and SAs that come up are:
4.8 side
----------
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid
71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid
71.163.154.173/32 dstid 64.237.99.79/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth
hmac-sha2-256 enc aes
4.5 side
----------
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173
srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173
srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth
hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth
hmac-sha2-256 enc aes
Relevant pf rules are:
4.8 side
----------
pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port
= isakmp keep state
pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep
state
pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port
= isakmp keep state
pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep
state
4.5 side
----------
pass log quick on enc0
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
500
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port
4500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port
4500
pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
The security associations come up just fine, and I can see packets going into
the tunnel at the 4.8 end on enc0, and I can see the packets going out over
ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
really frustrating is that
a) other tunnels to Sonicwall devices work just fine from the 4.8 side
b) I am upgrading the device that is now 4.8 from a 4.5 installation,
and the
tunnel worked just fine before.
Any ideas on what might be happening or how to further troubleshoot this?
--Paul
[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
