Greetings -
I have a hub that is terminating IPsec connections from various sites. One
site is running 7.3 and has downlinks to other routers on vlan2. When I try
to ping from site-obsd (the OpenBSD machine at the site) to the router,
there are no issues, and that device is getting DHCP addresses from the
OpenBSD machine, etc.
site-obsd# ifconfig vlan2
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
[..]
index 11 priority 0 llprio 3
encap: vnetid 2 parent em1 txprio packet rxprio outer
groups: vlan
media: Ethernet 100baseTX full-duplex
status: active
inet 10.99.2.20 netmask 0xffffff00 broadcast 10.99.2.255
site-obsd# arp -a | grep r1
r1 28:93:fe:df:bc:11 vlan2 15m52s
site-obsd# ping -qc2 r1
PING r1 (10.89.2.1): 56 data bytes
^C
--- r1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.096/1.227/1.358/0.131 ms
All good there. Now I want to send all default traffic to/from the
hub/router through an IPsec tunnel so that the router on the far end of
site-obsd can access the rest of the network.
Basically, default route traffic from r1 should hit site-obsd's em1 interface,
then go through the IPsec tunnel to hub, as follows:
----        -----------             -----
|r1| -> em1 |site-obsd| enc0 -> enc0 |hub|
----        -----------             -----
The iked configurations are pretty straightforward
# SITE /etc/iked.conf
ikev2 'HUB-NET' active esp \
from 10.99.0.0/16 to 0.0.0.0/0 \
peer 172.16.1.1 \
ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
srcid 192.168.1.1 dstid 172.16.1.1 \
lifetime 7200 bytes 4G psk "XXXXXXXX" tag "vpn.site-hub"
# HUB /etc/iked.conf
ikev2 'SITE-NET' passive esp \
from 0.0.0.0/0 to 10.99.0.0/16 \
peer 192.168.1.1 \
ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
srcid 172.16.1.1 dstid 192.168.1.1 \
lifetime 7200 bytes 4G psk "XXXXXXXX" tag "vpn.hub-site"
Starting iked on site-obsd brings up the tunnel:
site-obsd# rcctl start iked
iked(ok)
site-obsd# ipsecctl -sa | grep '172.16.1'
esp tunnel from 192.168.1.1 to 172.16.1.1 spi 0x2d97c8d2 enc aes-256-gcm
esp tunnel from 172.16.1.1 to 192.168.1.1 spi 0xcca66c6c enc aes-256-gcm
However, when I try to ping r1 from site-obsd, that traffic is now being
matched by iked and being sent over the tunnel:
site-obsd# ping -qc2 r1
PING r1 (10.89.2.1): 56 data bytes
^C
--- r1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
site-obsd# tcpdump -ni enc0
tcpdump: listening on enc0, link-type ENC
08:53:48.275553 (authentic,confidential): SPI 0x2d97c8d2: 10.89.2.20 > 10.89.2.1: icmp: echo request (encap)
08:53:49.275583 (authentic,confidential): SPI 0x2d97c8d2: 10.89.2.20 > 10.89.2.1: icmp: echo request (encap)
^C
What is a better way to configure iked on site-obsd so that it does not
encapsulate local traffic on the 10.89.2.0/24 network? Obviously my
understanding is incorrect, so any help is appreciated.
Thanks in advance!
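An added example, not part of the original post: a small Python check of which iked.conf flows cover a given source/destination pair. The prefixes come from the SITE config above; the packet addresses (10.99.2.20 to 10.99.2.1) and the vlan2 subnet are constructed from the ifconfig output, and the check is plain prefix containment, not a model of the kernel SPD lookup.

```python
"""Editor's added example: which iked.conf flows would capture a packet?

Assumptions (not from the post): the local vlan2 network is 10.99.2.0/24 as
shown by ifconfig, and a flow matches when the source falls inside its
'from' prefix and the destination inside its 'to' prefix.
"""
import ipaddress
import re

# Constructed copy of the relevant lines of the SITE /etc/iked.conf above.
SITE_IKED_CONF = """\
ikev2 'HUB-NET' active esp \\
    from 10.99.0.0/16 to 0.0.0.0/0 \\
    peer 172.16.1.1
"""

NAME_RE = re.compile(r"ikev2\s+'([^']+)'")
FLOW_RE = re.compile(r"from\s+(\S+)\s+to\s+(\S+)")


def parse_flows(conf: str):
    """Return (policy_name, from_net, to_net) for every 'from X to Y' pair."""
    flows = []
    # Join backslash-continued lines so each policy is one logical line.
    for line in conf.replace("\\\n", " ").splitlines():
        m = NAME_RE.search(line)
        name = m.group(1) if m else "?"
        for src, dst in FLOW_RE.findall(line):
            flows.append((name, ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return flows


def matching_flows(conf: str, src_ip: str, dst_ip: str):
    """Names of policies whose flow covers src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [name for name, fn, tn in parse_flows(conf) if s in fn and d in tn]


def flows_covering_local(conf: str, local_net: str):
    """Policies whose 'to' prefix contains the whole local subnet, i.e.
    policies that would send on-link traffic into the tunnel."""
    net = ipaddress.ip_network(local_net)
    return [name for name, fn, tn in parse_flows(conf) if net.subnet_of(tn)]


if __name__ == "__main__":
    # The ping from site-obsd to r1 on vlan2 lands inside the 0.0.0.0/0 'to'.
    print(matching_flows(SITE_IKED_CONF, "10.99.2.20", "10.99.2.1"))
    print(flows_covering_local(SITE_IKED_CONF, "10.99.2.0/24"))
```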