That seems to have fixed it, thanks!
--Paul

On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote:

> On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
>
>> Folks,
>>
>> I'm running 4.8-stable on one end and 4.5-stable at the other of a
>> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
>> working before upgrading the 4.5-stable end.) The tunnel is configured using
>> ipsec.conf and ipsecctl, and the relevant portions of the configs are:
>
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
> -Otto
>
>>
>> 4.8 side
>> ----------
>> ike esp from $internal_subnet \
>>         to $outpost_subnet \
>>         local $fios_tunnel_host \
>>         peer $outpost_tunnel_host
>>
>> 4.5 side
>> ----------
>> ike passive esp from $local_network to $remote_network peer $remote_gateway_ip
>>
>> The flows and SAs that come up are:
>>
>> 4.8 side
>> ----------
>> FLOWS:
>> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
>> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
>>
>> 4.5 side
>> ----------
>> FLOWS:
>> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
>> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
>>
>> Relevant pf rules are:
>>
>> 4.8 side
>> ----------
>> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
>> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
>> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
>> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>>
>> 4.5 side
>> ----------
>> pass log quick on enc0
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
>> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
>> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>>
>>
>> The security associations come up just fine, and I can see packets going into
>> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
>> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
>> really frustrating is that
>>
>> a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>>
>> b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
>> tunnel worked just fine before.
>>
>> Any ideas on what might be happening or how to further troubleshoot this?
>>
>>
>>
>> --Paul
>>
>> [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
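The thread above is resolved by Otto's pointer to the 4.7 upgrade note: in OpenBSD 4.7 the hmac-sha2-* authenticators were changed to the RFC 4868 key handling, so an hmac-sha2-256 SA between a 4.8 gateway and a 4.5 gateway comes up (the SPIs and flows match on both ends, exactly as Paul's output shows) but the ESP packets fail authentication on the older side and never reach enc0. The following is an added example, not code from the thread or from OpenBSD: a small checker that parses the `ipsecctl -sa`-style FLOWS/SAD output quoted in the thread from both gateways, verifies that the SA pair and the flows agree, and flags an hmac-sha2 SA whenever the two peers sit on opposite sides of the 4.7 boundary. The release versions are passed in by the caller (an assumption of this example; nothing in the output itself carries the version), and the sample output constants are the lines Paul posted with the mail wrapping undone.

```python
import re

# Output quoted in the thread (ipsecctl -sa on each gateway), mail wrapping undone.
SIDE_48 = """\
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
"""

SIDE_45 = """\
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
"""

FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+) "
    r"srcid (?P<srcid>\S+) dstid (?P<dstid>\S+) type (?P<type>\S+)"
)
SA_RE = re.compile(
    r"esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+) "
    r"auth (?P<auth>\S+) enc (?P<enc>\S+)"
)

# Release in which OpenBSD moved hmac-sha2-* to RFC 4868 key handling.
SHA2_CHANGE = (4, 7)


def parse_ipsecctl(text):
    """Return (flows, sas): lists of dicts parsed from ipsecctl -sa style output."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groupdict())
    return flows, sas


def parse_version(version):
    """'4.8' -> (4, 8), so releases compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def check_tunnel(out_a, ver_a, out_b, ver_b):
    """Compare the two gateways' views of one tunnel; return a list of findings."""
    findings = []
    flows_a, sas_a = parse_ipsecctl(out_a)
    flows_b, sas_b = parse_ipsecctl(out_b)

    # Both ends must list the same SA pair: same endpoints, SPI, auth and enc.
    def sa_key(sa):
        return (sa["src"], sa["dst"], sa["spi"], sa["auth"], sa["enc"])
    if {sa_key(s) for s in sas_a} != {sa_key(s) for s in sas_b}:
        findings.append("SAD mismatch: the two gateways do not list the same SA pair")

    # A flow that is 'out' on one gateway must be 'in' on the other, same src/dst.
    flip = {"in": "out", "out": "in"}
    mirrored_a = {(flip[f["dir"]], f["src"], f["dst"]) for f in flows_a}
    actual_b = {(f["dir"], f["src"], f["dst"]) for f in flows_b}
    if mirrored_a != actual_b:
        findings.append("FLOWS mismatch: flows are not mirror images of each other")

    # The thread's failure mode: SAs match, but hmac-sha2 keying differs across 4.7.
    va, vb = parse_version(ver_a), parse_version(ver_b)
    uses_sha2 = any(s["auth"].startswith("hmac-sha2") for s in sas_a + sas_b)
    if uses_sha2 and min(va, vb) < SHA2_CHANGE <= max(va, vb):
        findings.append(
            "hmac-sha2 SA between a pre-4.7 and a 4.7+ OpenBSD peer: "
            "see http://www.openbsd.org/faq/upgrade47.html#hmac-sha2"
        )
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(SIDE_48, "4.8", SIDE_45, "4.5"):
        print(finding)
```

Run against the thread's own output the checker reports no SAD or FLOWS mismatch, which is why the usual comparison of SPIs on both ends did not explain the problem, and reports only the hmac-sha2 version-boundary finding; with both versions set to 4.8 it reports nothing. The fix the FAQ describes is to keep both sides on the same side of the 4.7 change, or to negotiate a different authenticator until the 4.5 end is upgraded.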