
IPSEC VPN 2.6<-->2.7 troubleshooting
Hi,

I am trying to set up my first IPSEC VPN.  Unfortunately, I am trying
to sneak it into existing (production) systems, so I don't have the freedom 
to upgrade the OS ( unless it's absolutely mandatory! ).

One system ( bastion ) is OpenBSD 2.6

The second system ( bastion2 ) is OpenBSD 2.7-current ( patch branch )

They are both connected to the Internet via an ADSL connection, and 
the connection is working 100%.  I can scp, ssh, etc. with absolutely
no problem.  I am using the same ISP for both systems, so the external 
IP addresses are pretty similar.

I am using manual keying, since the OBSD 2.6 box doesn't support 
isakmpd.

I am using the appropriate /usr/share/ipsec/rc.vpn on both systems.
They are fairly different between the 2.6 & 2.7, so I am using the
appropriate OS's rc.vpn.

I have the firewall wide open on both systems for implementing this.

The weird thing is that packets appear to be able to leave the system
fine, and they arrive at the other system, but that's it.

I can tcpdump on the NICs, ping and see the packets leaving one system
and arriving on the other, but it's only one direction.

I have read all the man pages and FAQs, but troubleshooting this is not
very detailed...it says consider asking the mailing lists....

Is there anything glaring that anyone can see with what has been done?

bastion ( OpenBSD 2.6)
----------------------
Internal Network 192.168.0.0/24
External IP address: a.115.242.23/32

netstat -rn -f encap  # after rc.vpn

Encap:
Source       Port  Destination        Port  Proto SA(Address/SPI/Proto) 
0.0.0.0/32   0     192.168.88/24      0     0     a.115.230.160/00001000/50
0.0.0.0/32   0     a.115.230.160/32   0     0     a.115.230.160/00001000/50
192.168.0/24 0     192.168.88/24      0     0     a.115.230.160/00001000/50
192.168.0/24 0     a.115.230.160/32   0     0     a.115.230.160/00001000/50

bastion2 ( OpenBSD 2.7 )
------------------------
Internal Network 192.168.88.0/24
External IP address: a.115.230.160

netstat -rn -f encap  # after rc.vpn

Encap:
Source           Port  Destination     Port  Proto SA(Address/SPI/Proto) 
192.168.88/24    0     192.168.0/24    0     0     a.115.242.23/00001000/50
192.168.88/24    0     a.115.242.23/32 0     0     a.115.242.23/00001000/50
a.115.230.160/32 0     192.168.0/24    0     0     a.115.242.23/00001000/50
a.115.230.160/32 0     a.115.242.23/32 0     0     a.115.242.23/00001000/50


tcpdumps Ping FROM bastion2 to bastion
======================================

bastion2 ( OpenBSD 2.7 )
------------------------
# tcpdump -i ne2 -c 10 host bastion

19:14:12.274086 esp bastion2 > bastion spi 0x00001000 seq 395 len 116
19:14:13.284493 esp bastion2 > bastion spi 0x00001000 seq 396 len 116
19:14:14.282223 esp bastion2 > bastion spi 0x00001000 seq 397 len 116
19:14:15.282223 esp bastion2 > bastion spi 0x00001000 seq 398 len 116
19:14:16.282219 esp bastion2 > bastion spi 0x00001000 seq 399 len 116
19:14:17.282222 esp bastion2 > bastion spi 0x00001000 seq 400 len 116
19:14:18.282224 esp bastion2 > bastion spi 0x00001000 seq 401 len 116
19:14:19.282216 esp bastion2 > bastion spi 0x00001000 seq 402 len 116
19:14:20.282220 esp bastion2 > bastion spi 0x00001000 seq 403 len 116
19:14:21.284354 esp bastion2 > bastion spi 0x00001000 seq 404 len 116
19:14:22.282215 esp bastion2 > bastion spi 0x00001000 seq 405 len 116

bastion ( OpenBSD 2.6)
----------------------
# tcpdump -i we0 -c 10 host bastion2

19:14:09.369720 esp bastion2 > bastion spi 0x00001000 seq 395 len 116
19:14:10.378561 esp bastion2 > bastion spi 0x00001000 seq 396 len 116
19:14:11.377663 esp bastion2 > bastion spi 0x00001000 seq 397 len 116
19:14:12.375956 esp bastion2 > bastion spi 0x00001000 seq 398 len 116
19:14:13.374622 esp bastion2 > bastion spi 0x00001000 seq 399 len 116
19:14:14.374808 esp bastion2 > bastion spi 0x00001000 seq 400 len 116
19:14:15.375672 esp bastion2 > bastion spi 0x00001000 seq 401 len 116
19:14:16.374509 esp bastion2 > bastion spi 0x00001000 seq 402 len 116
19:14:17.374001 esp bastion2 > bastion spi 0x00001000 seq 403 len 116
19:14:18.376044 esp bastion2 > bastion spi 0x00001000 seq 404 len 116



Thanks,
-- 
	Steve Williams, Calgary, Alberta, Canada
	Genie Computer Systems Inc.
	steve@genie96.com

"A man doesn't begin to attain wisdom until he recognizes that he is 
 no longer indispensable."
- Admiral Richard E. Byrd ( 1888-1957 )
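Added example, not part of Steve's post: a small Python checker that parses tcpdump ESP summary lines like the ones quoted above and reports, per SA (src, dst, SPI), the packet count, the sequence-number range, any sequence gaps, and whether ESP was ever seen in the reverse direction. The embedded captures are the first lines of the two tcpdumps from the post plus one constructed two-way capture (HEALTHY_CAPTURE, with a deliberately dropped seq 397) so the healthy case and the gap check can be seen side by side.

```python
import re
from collections import defaultdict

# Captures: the first lines of each tcpdump quoted in the post, plus one
# constructed two-way capture (HEALTHY_CAPTURE, not from the post) for contrast.
BASTION2_CAPTURE = """\
19:14:12.274086 esp bastion2 > bastion spi 0x00001000 seq 395 len 116
19:14:13.284493 esp bastion2 > bastion spi 0x00001000 seq 396 len 116
19:14:14.282223 esp bastion2 > bastion spi 0x00001000 seq 397 len 116
"""
BASTION_CAPTURE = """\
19:14:09.369720 esp bastion2 > bastion spi 0x00001000 seq 395 len 116
19:14:10.378561 esp bastion2 > bastion spi 0x00001000 seq 396 len 116
"""
HEALTHY_CAPTURE = """\
19:20:01.000000 esp bastion2 > bastion spi 0x00001000 seq 396 len 116
19:20:01.000500 esp bastion > bastion2 spi 0x00001000 seq 12 len 116
19:20:02.000000 esp bastion2 > bastion spi 0x00001000 seq 398 len 116
"""

# One tcpdump ESP summary line: "<ts> esp <src> > <dst> spi 0x.. seq N len L"
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) esp (?P<src>\S+) > (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)"
    r" seq (?P<seq>\d+) len (?P<len>\d+)$"
)

def parse_esp(capture):
    """Yield (src, dst, spi, seq) for every ESP line; other lines are skipped."""
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["spi"], 16), int(m["seq"])

def summarize(capture):
    """Per (src, dst, spi): count, seq range, seq gaps, and whether the reverse
    direction was seen (False is the one-way symptom described in the post)."""
    per_sa = defaultdict(list)
    for src, dst, spi, seq in parse_esp(capture):
        per_sa[(src, dst, spi)].append(seq)
    report = {}
    for (src, dst, spi), seqs in per_sa.items():
        seqs.sort()
        expected = set(range(seqs[0], seqs[-1] + 1))
        report[(src, dst, spi)] = {
            "packets": len(seqs),
            "seq_range": (seqs[0], seqs[-1]),
            "missing_seqs": sorted(expected - set(seqs)),  # lost or dropped packets
            "reverse_seen": (dst, src) in {(s, d) for s, d, _ in per_sa},
        }
    return report
```

Run summarize() over a longer tcpdump capture taken on either gateway; an SA whose reverse_seen stays False while its packet count keeps climbing is the same picture the two captures above show, so the next place to look is the receiving side's SA and encap route for the return direction rather than the sender.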