Hello,
I have been trying for the past 4 days to set up a simple tunnel. I have
already done that in the past; it was not so complicated with isakmpd.conf.
Now I am struggling through ipsecctl and ipsec.conf, repeating the steps
from the man pages and other pages without success. I am doing something
wrong, but I can't find the mistake, so a fresh pair of eyes would be
appreciated.
Network:

OpenBSD1                 CISCO                     OPENBSD2
172.16.15.6 -> 172.16.15.5 -PTP- 172.16.16.5 <-> 172.16.16.6
     |                                                |
193.189.180.192/28 < ==== tunnel ==== > 193.189.180.208/28
I have to build a tunnel between OpenBSD routers.
What I have done till now:
Sysctl variables on both routers:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
On OpenBSD1:
route add 172.16.16.6 172.16.15.5 255.255.255.252
On OpenBSD2:
route add 172.16.15.6 172.16.16.5 255.255.255.252
Test:
OpenBSD2
# ping -c 4 172.16.15.6
PING 172.16.15.6 (172.16.15.6): 56 data bytes
64 bytes from 172.16.15.6: icmp_seq=0 ttl=254 time=2.688 ms
64 bytes from 172.16.15.6: icmp_seq=1 ttl=254 time=2.483 ms
64 bytes from 172.16.15.6: icmp_seq=2 ttl=254 time=2.432 ms
64 bytes from 172.16.15.6: icmp_seq=3 ttl=254 time=2.378 ms
--- 172.16.15.6 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.378/2.495/2.688/0.122 ms
OpenBSD1
# tcpdump -i bge1 icmp
tcpdump: listening on bge1, link-type EN10MB
11:31:53.269998 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:53.270004 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:54.272298 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:54.272303 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:55.282202 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:55.282208 172.16.15.6 > 172.16.16.6: icmp: echo reply
11:31:56.292106 172.16.16.6 > 172.16.15.6: icmp: echo request
11:31:56.292111 172.16.15.6 > 172.16.16.6: icmp: echo reply
OK, routing is working from router1 through CISCO to router2.
Now I will try to start building a tunnel, first using static keying as
described in the ipsec.conf(5) manual. The flows:
OpenBSD1
# ipsecctl -s all
FLOWS:
flow esp in from 193.189.180.208/28 to 193.189.180.192/28 peer 172.16.16.6 type require
flow esp out from 193.189.180.192/28 to 193.189.180.208/28 peer 172.16.16.6 type require
SAD:
esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
        authkey 0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
        enckey 0xf7795f6bdd697a43a4d28dcf1b79062d
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
        authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8 \
        enckey 0xb341aa065c3850edd6a61e150d6a5fd3
OpenBSD2
# ipsecctl -s all
FLOWS:
flow esp in from 193.189.180.192/28 to 193.189.180.208/28 peer 172.16.15.6 type require
flow esp out from 193.189.180.208/28 to 193.189.180.192/28 peer 172.16.15.6 type require
SAD:
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
        authkey 0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
        enckey 0xf7795f6bdd697a43a4d28dcf1b79062d
esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
        authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8 \
        enckey 0xb341aa065c3850edd6a61e150d6a5fd3
Let's make a test:
OpenBSD2:
# ping 193.189.180.193
PING 193.189.180.193 (193.189.180.193): 56 data bytes
OpenBSD1:
# tcpdump -i bge1
At this point I should see some kind of traffic, shouldn't I?
Let's debug this on OpenBSD2:
# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
12:52:34.600017 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:34.600443 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable
12:52:35.610009 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:35.610386 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable
12:52:36.620010 172.16.16.6 > 193.189.180.193: icmp: echo request
12:52:36.620332 172.16.16.5 > 172.16.16.6: icmp: net 193.189.180.193 unreachable
It looks like host 172.16.16.5 on that CISCO box (which I am not in charge
of) is correctly replying with net unreachable. But this traffic should go
through the tunnel. Any hints?
OpenBSD2
# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
193.189.180.192/28 0     193.189.180.208/28 0     0      172.16.15.6/esp/require/in
193.189.180.208/28 0     193.189.180.192/28 0     0      172.16.15.6/esp/require/out
Mitja
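With static keying, the SAD dumps of both routers are worth comparing SPI by SPI before chasing routing: in the two dumps above, the authkey/enckey pair shown under spi 0xabd9da39 on OpenBSD1 is the pair shown under spi 0xc9dbb83d on OpenBSD2, and vice versa. The following script is an added example (not from the message or from OpenBSD) that automates that comparison; the two SAD dumps it feeds in are constructed, with shortened keys, and the function and variable names are the script's own.

```shell
# Added example, not from the original post: compare the SAD of two peers
# SPI by SPI. A static-keyed SA must appear on both routers with identical
# endpoints, algorithms and keys; if the keys under one SPI differ, ESP
# packets carrying that SPI fail authentication on the receiving side.
# Join backslash-continued lines of "ipsecctl -s sa" (or the SAD: part of
# "ipsecctl -s all"); emit per "esp tunnel" entry: spi from to auth enc authkey enckey
normalize_sad() {
    awk '
        /\\[ \t]*$/ { sub(/[ \t]*\\[ \t]*$/, " "); buf = buf $0; next }
        { buf = buf $0; if (buf ~ /^[ \t]*esp tunnel /) print buf; buf = "" }
    ' | awk '{
        split("", f)
        for (i = 1; i < NF; i++) f[$i] = $(i + 1)   # keyword -> following value
        print f["spi"], f["from"], f["to"], f["auth"], f["enc"], f["authkey"], f["enckey"]
    }'
}
# compare_sad "<dump peer A>" "<dump peer B>": one line per problem, then OK or FAIL
compare_sad() {
    {
        printf '%s\n' "$1" | normalize_sad | sed 's/^/A /'
        printf '%s\n' "$2" | normalize_sad | sed 's/^/B /'
    } | awk '
        { rec = $0; sub(/^[AB] /, "", rec); side[$1 "," $2] = rec; spis[$2] = 1 }
        END {
            bad = 0
            for (s in spis) {
                a = side["A," s]; b = side["B," s]
                if (a == "")      { print "MISSING on A: " s; bad++ }
                else if (b == "") { print "MISSING on B: " s; bad++ }
                else if (a != b)  { print "MISMATCH " s; print "  A: " a; print "  B: " b; bad++ }
            }
            print (bad ? "FAIL" : "OK")
        }'
}
# Constructed sample: both peers hold the same (shortened) keys under each SPI.
SAD_A='esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
        authkey 0x0a0a0a0a \
        enckey 0x0b0b0b0b
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
        authkey 0x0c0c0c0c \
        enckey 0x0d0d0d0d'
# Constructed sample: peer B has the two key pairs attached to the wrong SPIs.
SAD_B_SWAPPED='esp tunnel from 172.16.16.6 to 172.16.15.6 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
        authkey 0x0c0c0c0c \
        enckey 0x0d0d0d0d
esp tunnel from 172.16.15.6 to 172.16.16.6 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
        authkey 0x0a0a0a0a \
        enckey 0x0b0b0b0b'
compare_sad "$SAD_A" "$SAD_A"            # OK
compare_sad "$SAD_A" "$SAD_B_SWAPPED"    # two MISMATCH lines, then FAIL
```

Independently of the keys, the flows above only match traffic sourced from 193.189.180.208/28, so a ping sourced from the router's own 172.16.16.6 address does not select the tunnel and is routed normally; ping with -I and an address from that prefix to exercise the flows.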