On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
> Folks,
>
> I'm running 4.8-stable on one end and 4.5-stable at the other of a
> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
> working before upgrading the 4.5-stable end.) The tunnel is configured using
> ipsec.conf and ipsecctl, and the relevant portions of the configs are:

http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

	-Otto

> 4.8 side
> ----------
> ike esp from $internal_subnet \
>     to $outpost_subnet \
>     local $fios_tunnel_host \
>     peer $outpost_tunnel_host
>
> 4.5 side
> ----------
> ike passive esp from $local_network to $remote_network peer $remote_gateway_ip
>
> The flows and SAs that come up are:
>
> 4.8 side
> ----------
> FLOWS:
> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
>
> 4.5 side
> ----------
> FLOWS:
> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
>
> Relevant pf rules are:
>
> 4.8 side
> ----------
> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>
> 4.5 side
> ----------
> pass log quick on enc0
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>
> The security associations come up just fine, and I can see packets going into
> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
> really frustrating is that
>
> a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>
> b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
>    tunnel worked just fine before.
>
> Any ideas on what might be happening or how to further troubleshoot this?
>
> --Paul
>
> [demime 1.01d removed an attachment of type application/pkcs7-signature which
> had a name of smime.p7s]
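Otto's link points at the OpenBSD 4.7 upgrade note on HMAC-SHA2: from 4.7 onward the IPsec stack truncates the HMAC-SHA-256 integrity check value (ICV) to 128 bits as RFC 4868 specifies, where earlier releases truncated it to 96 bits. Both SAs in the quoted SAD negotiated `auth hmac-sha2-256`, so a 4.8 sender and a 4.5 receiver disagree on how many trailing bytes of each ESP packet are the ICV, and the receiver's verification fails on every packet. That is consistent with packets leaving one end on enc0 and never appearing on enc0 at the other, with nothing in pf or the IKE exchange to blame. The following Python illustrates the mismatch; it is an added example, not code from this thread or from OpenBSD, and it simplifies ESP framing to SPI, sequence number, opaque ciphertext and ICV. The key, sequence number and ciphertext are constructed; the SPI is the one shown in the quoted SAD.

```python
import hashlib
import hmac
import struct

# ICV truncation lengths for the hmac-sha2-256 ESP transform.
ICV_BITS_PRE_47 = 96      # OpenBSD releases before 4.7 (the 4.5 end here)
ICV_BITS_RFC4868 = 128    # RFC 4868 length, used by OpenBSD 4.7 and later

# Constructed sample inputs (not taken from the thread except the SPI):
# a 32-byte hmac-sha2-256 key, the SPI from the quoted SAD, a sequence
# number and an opaque blob standing in for the AES ciphertext.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPI = 0x0B2168AD
SAMPLE_SEQ = 1
SAMPLE_CIPHERTEXT = b"\xaa" * 48


def esp_authenticated_bytes(spi, seq, ciphertext):
    """The bytes ESP integrity-protects: SPI, sequence number, payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def esp_icv(key, authenticated, icv_bits):
    """HMAC-SHA-256 over the protected bytes, truncated to icv_bits."""
    digest = hmac.new(key, authenticated, hashlib.sha256).digest()
    return digest[: icv_bits // 8]


def build_esp_packet(key, spi, seq, ciphertext, icv_bits):
    """Sender side: append an ICV of the sender's configured length."""
    auth = esp_authenticated_bytes(spi, seq, ciphertext)
    return auth + esp_icv(key, auth, icv_bits)


def verify_esp_packet(key, packet, icv_bits):
    """Receiver side: split off icv_bits of trailer and recompute.

    A receiver only knows its own ICV length. A packet that carries an ICV
    of a different length is split at the wrong boundary, so the recomputed
    HMAC covers the wrong bytes and the comparison fails.
    """
    icv_len = icv_bits // 8
    if len(packet) <= icv_len:
        return False
    auth, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(esp_icv(key, auth, icv_bits), icv)


def interop(sender_bits, receiver_bits):
    """True if a packet built with sender_bits verifies with receiver_bits."""
    pkt = build_esp_packet(SAMPLE_KEY, SAMPLE_SPI, SAMPLE_SEQ,
                           SAMPLE_CIPHERTEXT, sender_bits)
    return verify_esp_packet(SAMPLE_KEY, pkt, receiver_bits)


def interop_matrix():
    """Every sender/receiver pairing of the two truncation lengths."""
    lengths = (ICV_BITS_PRE_47, ICV_BITS_RFC4868)
    return {(s, r): interop(s, r) for s in lengths for r in lengths}


if __name__ == "__main__":
    for (s, r), ok in interop_matrix().items():
        verdict = "ok" if ok else "ICV mismatch, packet dropped"
        print(f"sender {s}-bit ICV -> receiver {r}-bit ICV: {verdict}")
```

Only the two same-length pairings verify; the 96-to-128 and 128-to-96 cases fail even though key, transform name and SPI all match, which is why the SAs look healthy in `ipsecctl -sa` while no traffic arrives. In the real kernel the drop is counted rather than logged per packet, so the `esp` authentication-failure counters from `netstat -s -p esp` on the receiving end are the place to confirm this before changing configuration.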