On 10/10/2017 04:35 PM, Renaud Allard wrote:
> Hello,
> 
> Since the upgrade to OpenBSD 6.2 (from 6.1), one of my tunnels is not
> working anymore (it was working on 6.1).
> There are 2 things which differ from the other (working) ones:
> Both hosts are natted, and one host is i386 (instead of amd64).
> 
> I can see packets leaving the source server and entering the destination
> one.
> 
> leaving:
> Oct 10 16:20:20.456154 e4:11:5b:d4:4a:6e c4:ea:1d:45:50:2c 0800 194:
> 192.168.254.2.4500 > 91.183.56.68.4500:udpencap: esp 192.168.254.2 >
> 91.183.56.68 spi 0x1b3c3f1f seq 155 len 152 (DF)
> 
> arriving:
> Oct 10 16:20:20.474021 08:76:ff:e5:24:82 00:04:a7:08:9a:c6 0800 194:
> 91.183.56.64.4500 > 172.20.254.254.4500:udpencap: esp 91.183.56.64 >
> 172.20.254.254 spi 0x1b3c3f1f seq 155 len 152 (DF) [tos 0x38]
> 
> However, if I sniff enc0 on the source host, I can see the packets, but
> on the destination host, I don't see anything on enc0 besides the NAT-T
> keepalives.
> 

I made a lot of tests, like changing the encryption schemes, changing
settings in pf, using transport mode instead of tunnel mode, etc. This
didn't solve the issue. It seems really related to the fact that both
hosts are using NAT-T as there is no issue when only 1 host is behind NAT.
This really looks like a bug, but I find it strange that no one else is
reporting that.
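As an added example (not part of the thread), a small Python helper that parses the two tcpdump udpencap lines quoted above and confirms they are the same ESP packet (same SPI, sequence number and length) whose outer addresses were rewritten on both sides, i.e. both endpoints sit behind NAT. The sample lines are copied from the report; the helper names are my own.

```python
import ipaddress
import re

# The two capture lines from the report, joined onto one line each (sample input).
TCPDUMP_LINES = {
    "leaving": (
        "Oct 10 16:20:20.456154 e4:11:5b:d4:4a:6e c4:ea:1d:45:50:2c 0800 194: "
        "192.168.254.2.4500 > 91.183.56.68.4500:udpencap: esp 192.168.254.2 > "
        "91.183.56.68 spi 0x1b3c3f1f seq 155 len 152 (DF)"
    ),
    "arriving": (
        "Oct 10 16:20:20.474021 08:76:ff:e5:24:82 00:04:a7:08:9a:c6 0800 194: "
        "91.183.56.64.4500 > 172.20.254.254.4500:udpencap: esp 91.183.56.64 > "
        "172.20.254.254 spi 0x1b3c3f1f seq 155 len 152 (DF) [tos 0x38]"
    ),
}

# OpenBSD tcpdump prints UDP-encapsulated ESP as "<src>.<port> > <dst>.<port>:udpencap: esp ..."
UDPENCAP_RE = re.compile(
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):udpencap: "
    r"esp [\d.]+ > [\d.]+ spi (?P<spi>0x[0-9a-fA-F]+) seq (?P<seq>\d+) len (?P<len>\d+)"
)


def parse_udpencap(line):
    """Return the outer addresses/ports and ESP SPI/seq/len of one udpencap line, or None."""
    m = UDPENCAP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "spi": int(d["spi"], 16), "seq": int(d["seq"]), "len": int(d["len"]),
    }


def nat_t_check(leaving, arriving):
    """Correlate a packet seen at the sender with the copy seen at the receiver."""
    a, b = parse_udpencap(leaving), parse_udpencap(arriving)
    if a is None or b is None:
        raise ValueError("not a udpencap ESP line")
    return {
        # Same SA, same sequence number, same length: the ESP payload arrived intact.
        "same_packet": (a["spi"], a["seq"], a["len"]) == (b["spi"], b["seq"], b["len"]),
        "src_rewritten": a["src"] != b["src"],   # sender's address was NATed
        "dst_rewritten": a["dst"] != b["dst"],   # receiver's address was NATed
        # Private outer address at each capture point => both ends behind NAT.
        "both_behind_nat": ipaddress.ip_address(a["src"]).is_private
        and ipaddress.ip_address(b["dst"]).is_private,
        "nat_t_port": a["dport"] == b["dport"] == 4500,
    }
```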
