This has been fixed in OpenBSD 4.5.
On Sun, Apr 12, 2009 at 05:48:54PM +0200, Florian Obser wrote:
> Hi,
>
> I'm trying to secure my wlan access point with ipsec.
>
> Apparently I cannot match ipv6 esp traffic. This is on 4.4
>
> I built a simplified setup with qemu, ipsec-gw and ipsec-client:
>
> ----- ipsec-gw ----
>
> [r...@ipsec-gw:~]# cat /etc/ipsec.conf
> ike passive esp from 10.12.32.235 to 10.12.32.236
> ike passive esp from 2001:db8::1 to 2001:db8::2
>
> [r...@ipsec-gw:~]# cat /etc/pf.conf
> pass log on enc0
> block in log on em0
> pass out log on em0
> # allow link-local multicast for neighbor solicitation / neighbor advertisement
> pass in on em0 proto icmp6 to FF02::/16
> pass in on em0 proto tcp from any to em0 port ssh
> pass in log on em0 proto udp from any to em0 port isakmp
> pass in log on em0 proto esp from any to em0
>
> [r...@ipsec-gw:~]# ipsecctl -s all
> FLOWS:
> flow esp in from 10.12.32.236 to 10.12.32.235 peer 10.12.32.236 srcid
> 10.12.32.235/32 dstid 10.12.32.236/32 type use
> flow esp out from 10.12.32.235 to 10.12.32.236 peer 10.12.32.236 srcid
> 10.12.32.235/32 dstid 10.12.32.236/32 type require
> flow esp in from 2001:db8::2 to 2001:db8::1 peer 2001:db8::2 srcid
> 2001:db8::1/128 dstid 2001:db8::2/128 type use
> flow esp out from 2001:db8::1 to 2001:db8::2 peer 2001:db8::2 srcid
> 2001:db8::1/128 dstid 2001:db8::2/128 type require
>
> SAD:
> esp tunnel from 2001:db8::1 to 2001:db8::2 spi 0x20d8f195 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.12.32.235 to 10.12.32.236 spi 0x6335527f auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.12.32.236 to 10.12.32.235 spi 0xa90135ff auth
> hmac-sha2-256 enc aes
> esp tunnel from 2001:db8::2 to 2001:db8::1 spi 0xd9956a4e auth
> hmac-sha2-256 enc aes
>
> ----- ipsec-client ----
>
> [r...@ipsec-client:~]# cat /etc/pf.conf
> pass all
>
> [r...@ipsec-client:~]# cat /etc/ipsec.conf
> ike esp from 10.12.32.236 to 10.12.32.235
> ike esp from 2001:db8::2 to 2001:db8::1
>
> [r...@ipsec-client:~]# ipsecctl -s all
> FLOWS:
> flow esp in from 10.12.32.235 to 10.12.32.236 peer 10.12.32.235 srcid
> 10.12.32.236/32 dstid 10.12.32.235/32 type use
> flow esp out from 10.12.32.236 to 10.12.32.235 peer 10.12.32.235 srcid
> 10.12.32.236/32 dstid 10.12.32.235/32 type require
> flow esp in from 2001:db8::1 to 2001:db8::2 peer 2001:db8::1 srcid
> 2001:db8::2/128 dstid 2001:db8::1/128 type use
> flow esp out from 2001:db8::2 to 2001:db8::1 peer 2001:db8::1 srcid
> 2001:db8::2/128 dstid 2001:db8::1/128 type require
>
> SAD:
> esp tunnel from 2001:db8::1 to 2001:db8::2 spi 0x20d8f195 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.12.32.235 to 10.12.32.236 spi 0x6335527f auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.12.32.236 to 10.12.32.235 spi 0xa90135ff auth
> hmac-sha2-256 enc aes
> esp tunnel from 2001:db8::2 to 2001:db8::1 spi 0xd9956a4e auth
> hmac-sha2-256 enc aes
>
>
> -------------------------------------------------------------------------------
>
> loaded rules:
>
> [r...@ipsec-gw:~/pf]# pfctl -vv -s rules | egrep -v 'Evaluations|Inserted'
> @0 pass log on enc0 all flags S/SA keep state
> @1 block drop in log on em0 all
> @2 pass out log on em0 all flags S/SA keep state
> @3 pass in on em0 inet6 proto tcp from any to fe80::5652:ff:fe3d:e648 port
> = ssh flags S/SA keep state
> @4 pass in on em0 inet6 proto tcp from any to 2001:db8::1 port = ssh flags
> S/SA keep state
> @5 pass in on em0 inet6 proto ipv6-icmp from any to ff02::/16 keep state
> @6 pass in on em0 inet proto tcp from any to 10.12.32.235 port = ssh flags
> S/SA keep state
> @7 pass in log on em0 inet6 proto udp from any to fe80::5652:ff:fe3d:e648
> port = isakmp keep state
> @8 pass in log on em0 inet6 proto udp from any to 2001:db8::1 port = isakmp
> keep state
> @9 pass in log on em0 inet6 proto esp from any to fe80::5652:ff:fe3d:e648
> keep state
> @10 pass in log on em0 inet6 proto esp from any to 2001:db8::1 keep state
> @11 pass in log on em0 inet proto udp from any to 10.12.32.235 port =
> isakmp keep state
> @12 pass in log on em0 inet proto esp from any to 10.12.32.235 keep state
>
> ===============================================================================
>
> pinging ipv4 (this is working):
>
> [r...@ipsec-client:~]# ping -c 1 ipsec-gw
> PING ipsec-gw (10.12.32.235): 56 data bytes
> 64 bytes from 10.12.32.235: icmp_seq=0 ttl=255 time=0.950 ms
> --- ipsec-gw ping statistics ---
> 1 packets transmitted, 1 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.950/0.950/0.950/0.000 ms
>
> [r...@ipsec-gw:~]# tcpdump -nlp -i em0 not port ssh
> tcpdump: listening on em0, link-type EN10MB
> 16:33:44.585647 esp 10.12.32.236 > 10.12.32.235 spi 0xA90135FF seq 11 len
> 132
> 16:33:44.585955 esp 10.12.32.235 > 10.12.32.236 spi 0x6335527F seq 11 len
> 132
>
>
> [r...@ipsec-gw:~]# tcpdump -nlp -i enc0 not port ssh
> tcpdump: listening on enc0, link-type ENC
> 16:33:44.585838 (authentic,confidential): SPI 0xa90135ff: 10.12.32.236 >
> 10.12.32.235: icmp: echo request (encap)
> 16:33:44.585919 (authentic,confidential): SPI 0x6335527f: 10.12.32.235 >
> 10.12.32.236: icmp: echo reply (encap)
>
> [r...@ipsec-gw:~]# tcpdump -nle -i pflog0
> tcpdump: listening on pflog0, link-type PFLOG
> 16:33:44.585715 rule 12/(match) pass in on em0: esp 10.12.32.236 >
> 10.12.32.235 spi 0xA90135FF seq 11 len 132
> 16:33:44.585854 rule 0/(match) pass in on enc0: [|ip] (encap)
> 16:33:44.585877 rule 0/(match) pass in on enc0: 10.12.32.236 >
> 10.12.32.235: icmp: echo request
>
> ===============================================================================
>
> pinging ipv6 (this is not working):
>
> [r...@ipsec-client:~]# ping6 -c 1 ipsec-gw
> PING6(56=40+8+8 bytes) 2001:db8::2 --> 2001:db8::1
>
> --- ipsec-gw ping6 statistics ---
> 1 packets transmitted, 0 packets received, 100.0% packet loss
>
>
> [r...@ipsec-gw:~]# tcpdump -nlp -i em0 not port ssh
> tcpdump: listening on em0, link-type EN10MB
> 16:35:31.317331 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 4 len 100
> 16:35:36.316415 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 5 len 116
> 16:35:37.316401 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 6 len 116
> 16:35:38.316426 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 7 len 116
>
>
> [r...@ipsec-gw:~]# tcpdump -nlp -i enc0 not port ssh
> tcpdump: listening on enc0, link-type ENC
> 16:35:31.317520 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 >
> 2001:db8::1: 2001:db8::2 > 2001:db8::1: icmp6: echo request
> 16:35:36.316530 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 >
> 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]
> 16:35:37.316500 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 >
> 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]
> 16:35:38.316523 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 >
> 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]
>
> [r...@ipsec-gw:~]# tcpdump -nle -i pflog0
> tcpdump: listening on pflog0, link-type PFLOG
> 16:35:31.317408 rule 10/(match) pass in on em0: [|ip6]
> 16:35:31.317540 rule 1/(match) block in on em0: [|ip6]
> 16:35:36.316558 rule 1/(match) block in on em0: [|ip6]
> 16:35:37.316519 rule 1/(match) block in on em0: [|ip6]
> 16:35:38.316541 rule 1/(match) block in on em0: [|ip6]
>
> Thank you for your time.
>
> Florian
>
> OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: QEMU Virtual CPU version 0.9.1 ("AuthenticAMD" 686-class, 512KB L2
> cache) 2.11 GHz
> cpu0:
> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
> real mem = 536375296 (511MB)
> avail mem = 510218240 (486MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 02/12/09, BIOS32 rev. 0 @ 0xfb4d0,
> SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
> bios0: vendor QEMU version "QEMU" date 01/01/2007
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x0
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb820/128 (6 entries)
> pcibios0: PCI Interrupt Router at 000:01:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc0000/0x8c00 0xd0000/0x600!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel
> 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
> wd0: 16-sector PIO, LBA48, 10240MB, 20971520 sectors
> wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets, initiator 7
> cd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 0.9.> ATAPI 5/cdrom
> removable
> cd0(pciide0:1:0): using PIO mode 0
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 9
> iic0 at piixpm0
> iic0: addr 0x18 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words
> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
> iic0: addr 0x1a 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words
> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
> iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words
> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
> iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words
> 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
> spdmem0 at iic0 addr 0x50: no EEPROM found
> spdmem1 at iic0 addr 0x51: no EEPROM found
> spdmem2 at iic0 addr 0x52: no EEPROM found
> spdmem3 at iic0 addr 0x53: no EEPROM found
> spdmem4 at iic0 addr 0x54: no EEPROM found
> spdmem5 at iic0 addr 0x55: no EEPROM found
> spdmem6 at iic0 addr 0x56: no EEPROM found
> spdmem7 at iic0 addr 0x57: no EEPROM found
> vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> drm at vga1 unsupported
> em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: irq 11,
> address 54:52:00:3d:e6:48
> unknown vendor 0x1af4 product 0x1002 (class memory subclass RAM, rev 0x00)
> at pci0 dev 4 function 0 not configured
> unknown vendor 0x1af4 product 0x1003 (class prehistoric unknown subclass
> 0xff, rev 0x00) at pci0 dev 5 function 0 not configured
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com1: probed fifo depth: 0 bytes
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pmsi0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pmsi0 mux 0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: density unknown
> fd1 at fdc0 drive 1: density unknown
> biomask e765 netmask ef65 ttymask ffff
> mtrr: CPU supports MTRRs but not enabled
> nvram: invalid checksum
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
> clock: unknown CMOS layout
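The two pflog captures in the report differ in one detail: in the IPv4 case the ESP packet is passed on em0 by rule 12 and the inner packet is then logged on enc0 (rule 0), while in the IPv6 case the ESP packet is passed on em0 by rule 10 and the very next event is a block on em0 by rule 1. The script below is an added example, not code from the mail or from OpenBSD: it parses the `pfctl -vv -s rules` and `tcpdump -nle -i pflog0` formats shown in the thread, looks up which pflog rule numbers are ESP rules, and classifies what happened to each passed ESP packet on a physical interface within a short window. The rule excerpt and log lines are constructed from the thread (re-joined where the mailer wrapped them); the 5 ms correlation window and the reading of the rule-1 block as the decapsulated packet are assumptions.

```python
"""Correlate pf rule numbers with pflog events to check ESP decapsulation.

Added example, not from the mail or from OpenBSD. For every ESP packet a
rule passes on a non-enc interface, report whether the decapsulated packet
was next seen on enc* (healthy) or blocked again on the same physical
interface (the pattern in the IPv6 capture).
"""
import re
from typing import Dict, List

RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<body>.+)$")
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>[a-z]+\d+): "
    r"(?P<payload>.+)$"
)

# Constructed excerpt of the gateway's rule dump, left mail-wrapped as in the
# thread so that the continuation-line handling is exercised.
SAMPLE_RULES = """\
@0 pass log on enc0 all flags S/SA keep state
@1 block drop in log on em0 all
@2 pass out log on em0 all flags S/SA keep state
@3 pass in on em0 inet6 proto tcp from any to fe80::5652:ff:fe3d:e648 port
= ssh flags S/SA keep state
@10 pass in log on em0 inet6 proto esp from any to 2001:db8::1 keep state
@12 pass in log on em0 inet proto esp from any to 10.12.32.235 keep state
"""

# Constructed samples: the two pflog captures from the mail, one event per line.
SAMPLE_V4 = """\
16:33:44.585715 rule 12/(match) pass in on em0: esp 10.12.32.236 > 10.12.32.235 spi 0xA90135FF seq 11 len 132
16:33:44.585854 rule 0/(match) pass in on enc0: [|ip] (encap)
16:33:44.585877 rule 0/(match) pass in on enc0: 10.12.32.236 > 10.12.32.235: icmp: echo request
"""
SAMPLE_V6 = """\
16:35:31.317408 rule 10/(match) pass in on em0: [|ip6]
16:35:31.317540 rule 1/(match) block in on em0: [|ip6]
16:35:36.316558 rule 1/(match) block in on em0: [|ip6]
"""


def parse_rules(text: str) -> Dict[int, str]:
    """Map rule number -> rule text, re-joining lines a mailer wrapped."""
    rules: Dict[int, str] = {}
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group("num"))
            rules[current] = m.group("body")
        elif current is not None and line.strip():
            rules[current] += " " + line.strip()
    return rules


def parse_pflog(text: str) -> List[dict]:
    """Parse 'tcpdump -nle -i pflog0' lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def audit(rules: Dict[int, str], events: List[dict],
          window: float = 0.005) -> List[dict]:
    """Classify each ESP pass on a physical interface by the next event seen
    within `window` seconds (assumed 5 ms): decapsulated_on_enc,
    decapsulated_blocked (block on the same interface), or no_followup."""
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "pass" or ev["ifname"].startswith("enc"):
            continue
        if "proto esp" not in rules.get(ev["rule"], ""):
            continue
        status, t0 = "no_followup", _seconds(ev["ts"])
        for nxt in events[i + 1:]:
            if _seconds(nxt["ts"]) - t0 > window:
                break
            if nxt["ifname"].startswith("enc"):
                status = "decapsulated_on_enc"
                break
            if nxt["action"] == "block" and nxt["ifname"] == ev["ifname"]:
                status = "decapsulated_blocked"
                break
        findings.append({"ts": ev["ts"], "rule": ev["rule"],
                         "ifname": ev["ifname"], "status": status})
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name, sample in (("ipv4", SAMPLE_V4), ("ipv6", SAMPLE_V6)):
        for f in audit(rules, parse_pflog(sample)):
            print(name, f["ts"], "rule", f["rule"], "on", f["ifname"], "->", f["status"])
```

Run against real output, the rule dump and the pflog capture come from the same pfctl ruleset load, since rule numbers are positional and shift whenever rules are added. A `decapsulated_blocked` finding is what to look for after an upgrade to confirm the behaviour is gone: the healthy pattern is an ESP pass on the physical interface followed by the inner packet on enc0.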