
Ipsec not routing



I have an odd problem (there's a surprise): packets that should be
routed over the vpn don't seem to be recognized by the ipsec flow. I have
the same vpn machine sending packets to two other vpn's with no issues. When
I add the third, you cannot ping, nor can tcpdump 'see' any outgoing
attempt being made.

I have disabled and flushed all pf rules to check that pf was not the issue,
and double-checked the spi's and ipsecadm flows. It appears only one
box is having the issue, as the remote end of the 'new' vpn does send packets
and tcpdump does see the correct spi being sent out.

I am not sure how much information you all may need to help in this matter,
but I will include the flows, ipsecadm commands and spi output for both the
new remote and the current 'hub' that has the issues. Machine A is
3.4-stable.


Machine A. (current hub)
10/8               0     192.168.101/24     0     0
216.xx.xx.2/50/require/in
10/8               0     192.168.102/24     0     0
216.xx.xx.2/50/require/in
10/8               0     192.168.103/24     0     0
216.xx.xx.2/50/require/in
10/8               0     192.168.104/24     0     0
216.xx.xx.2/50/require/in
66.xx.xxx.131/32   0     192.168.102/24     0     0
66.xx.xxx.131/50/require/in
172.16/16          0     192.168.102/24     0     0
66.xx.xxx.131/50/require/in
172.30.102/24      0     192.168.102/24     0     0
207.xxx.xx.186/50/require/in
207.xxx.xx.186/32  0     192.168.102/24     0     0
207.xxx.xx.186/50/require/in
207.xxx.xx.186/32  0     216.98.32.4/32     0     0
207.xxx.xx.186/50/require/in
216.xx.xx.2/32     0     192.168.101/24     0     0
216.xx.xx.2/50/require/in
216.xx.xx.2/32     0     192.168.102/24     0     0
216.xx.xx.2/50/require/in
216.xx.xx.2/32     0     192.168.103/24     0     0
216.xx.xx.2/50/require/in
216.xx.xx.2/32     0     192.168.104/24     0     0
216.xx.xx.2/50/require/in
192.168.101/24     0     10/8               0     0
216.xx.xx.2/50/require/out
192.168.101/24     0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out
192.168.102/24     0     10/8               0     0
216.xx.xx.2/50/require/out
192.168.102/24     0     66.xx.xxx.131/32   0     0
66.xx.xxx.131/50/require/out
192.168.102/24     0     172.16/16          0     0
66.xx.xxx.131/50/require/out
192.168.102/24     0     207.xxx.xx.186/32  0     0
207.xxx.xx.186/50/require/out
192.168.102/24     0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out
192.168.103/24     0     10/8               0     0
216.xx.xx.2/50/require/out
192.168.103/24     0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out
192.168.104/24     0     10/8               0     0
216.xx.xx.2/50/require/out
192.168.104/24     0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out
198.168.102/24     0     172.30.102/24      0     0
207.xxx.xx.186/50/require/out
216.xx.xx.4/32     0     207.xxx.xx.186/32  0     0
207.xxx.xx.186/50/require/out

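# Machine A
# Manually keyed ESP SA pair to the new peer 207.xxx.xx.186 (blowfish +
# hmac-sha1), followed by the flows that steer traffic into it.  Each
# ipsecadm invocation is joined with "\" so it is one shell command; the
# pasted version had wrapped mid-argument ("216.xx.xx.4-dst"), which a
# shell would not parse.
# NOTE(review): both directions read the same key files, these SAs never
# rekey on their own, and the sadb dump reports "replay 0" (no anti-replay
# window) for every SA.
/sbin/ipsecadm new esp -spi 1011 -src 216.xx.xx.4 -dst 207.xxx.xx.186 \
    -forcetunnel -enc blf -auth sha1 \
    -keyfile /etc/esp-enc-key -authkeyfile /etc/esp-auth-key
/sbin/ipsecadm new esp -spi 1012 -src 207.xxx.xx.186 -dst 216.xx.xx.4 \
    -forcetunnel -enc blf -auth sha1 \
    -keyfile /etc/esp-enc-key -authkeyfile /etc/esp-auth-key

# 192.168.102.0 <-> 172.30.0.0
#INBOUND
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 207.xxx.xx.186/32 \
    216.xx.xx.4/32 -require -in -src 216.xx.xx.4
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 172.30.102.0/24 \
    192.168.102.0/24 -require -in -src 216.xx.xx.4
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 207.xxx.xx.186/32 \
    192.168.102.0/24 -require -in -src 216.xx.xx.4
# OUTBOUND
# Was "198.168.102.0/24".  The same typo is in the installed encap table
# (198.168.102/24 -> 172.30.102/24), so packets from 192.168.102.0/24 to
# 172.30.102.0/24 matched no outbound flow and never reached spi 0x1011,
# whose counters still read "bytes 0 ... first 0".
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 192.168.102.0/24 \
    172.30.102.0/24 -require -out -src 216.xx.xx.4
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 192.168.102.0/24 \
    207.xxx.xx.186/32 -require -out -src 216.xx.xx.4
# The pasted line ended in "-src 216.xx.xx." (truncated); the installed flow
# is 216.xx.xx.4/32 -> 207.xxx.xx.186/32, so the host is 216.xx.xx.4.
/sbin/ipsecadm flow -dst 207.xxx.xx.186 -proto esp -addr 216.xx.xx.4/32 \
    207.xxx.xx.186/32 -require -out -src 216.xx.xx.4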

#Machine A
# ipsecadm show
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001002 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 49271 add 1083501168 first 1083501169
        address_src: 216.xx.xx.4
        address_dst: 216.xx.xx.2
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001007 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 3608835 add 1083501168 first 1083501169
        address_src: 216.xx.xx.4
        address_dst: 66.xx.xxx.131
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001011 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1083501168 first 0
        address_src: 216.xx.xx.4
        address_dst: 207.xxx.xx.186
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001003 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 41240 add 1083501168 first 1083501169
        address_src: 216.xx.xx.2
        address_dst: 216.xx.xx.4
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001012 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1083501168 first 0
        address_src: 207.xxx.xx.186
        address_dst: 216.xx.xx.4
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 8128
        sa: spi 0x00001006 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 2932720 add 1083501168 first 1083501169
        address_src: 66.xx.xxx.131
        address_dst: 216.xx.xx.4
        key_auth: bits 160: somekeyfilestuffhere
        key_encrypt: bits 160: someotherkeyfilestuff

Machine B (this one works fine)
Encap:
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
10/8               0     172.30/16          0     0
216.xx.xx.2/50/require/in
192.168.102/24     0     172.30.102/24      0     0
216.xx.xx.4/50/require/in
216.xx.xx.4/32     0     172.30.102/24      0     0
216.xx.xx.4/50/require/in
216.xx.xx.4/32     0     207.xxx.xx.186/32  0     0
216.xx.xx.4/50/require/in
216.xx.xx.2/32     0     10/8               0     0
216.xx.xx.2/50/require/in
216.xx.xx.2/32     0     207.xxx.xx.186/32  0     0
216.98.32.2/50/require/in
172.30/16          0     10/8               0     0
216.xx.xx.2/50/require/out
172.30/16          0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out
172.30.102/24      0     192.168.102/24     0     0
216.xx.xx.4/50/require/out
172.30.102/24      0     216.xx.xx.4/32     0     0
216.xx.xx.4/50/require/out
207.xxx.xx.186/32  0     216.xx.xx.4/32     0     0
216.xx.xx.4/50/require/out
207.xxx.xx.186/32  0     216.xx.xx.2/32     0     0
216.xx.xx.2/50/require/out

# ipsecadm show (Machine B)
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001009 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 15516 add 1083513916 first 1083513916
        address_src: 207.xxx.xx.186
        address_dst: 216.xx.xx.2
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001013 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1083513916 first 0
        address_src: 207.xxx.xx.186
        address_dst: 66.xx.xxx.131
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001014 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1083513916 first 0
        address_src: 66.xx.xxx.131
        address_dst: 207.xxx.xx.186
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001012 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 252 add 1083513916 first 1083513994
        address_src: 207.xxx.xx.186
        address_dst: 216.xx.xx.4
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001010 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 12976 add 1083513916 first 1083513916
        address_src: 216.xx.xx.2
        address_dst: 207.xxx.xx.186
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
sadb_dump: satype unspec vers 2 len 22 seq 1 pid 9234
        sa: spi 0x00001011 auth hmac-sha1 enc blowfish
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1083513916 first 0
        address_src: 216.xx.xx.4
        address_dst: 207.xxx.xx.186
        key_auth: bits 160: somesecretkey
        key_encrypt: bits 160: someotherkeyhere
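# Machine B
# Mirror of Machine A's SA pair: same SPIs and key material, src/dst swapped
# as seen from this end.  Each ipsecadm invocation is joined with "\" so it
# is one shell command, and a space is restored between the -dst address
# and "-proto" ("216.xx.xx.4-proto" as pasted); since these SAs and flows
# do appear in Machine B's encap table and sadb dump, the missing spaces
# are presumably a mail-wrapping artifact rather than what was typed.
# NOTE(review): manual keying, shared key files for both directions, and
# "replay 0" (no anti-replay window) apply here exactly as on Machine A.
/sbin/ipsecadm new esp -spi 1012 -src 207.xxx.xx.186 -dst 216.xx.xx.4 \
    -forcetunnel -enc blf -auth sha1 \
    -keyfile /etc/esp-enc-key -authkeyfile /etc/esp-auth-key
/sbin/ipsecadm new esp -spi 1011 -src 216.xx.xx.4 -dst 207.xxx.xx.186 \
    -forcetunnel -enc blf -auth sha1 \
    -keyfile /etc/esp-enc-key -authkeyfile /etc/esp-auth-key

# 172.30.0.0/16 <-> 192.168.0.0/16
# (the flows below actually cover the /24s 172.30.102.0 and 192.168.102.0)
#OUTBOUND
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 207.xxx.xx.186/32 \
    216.xx.xx.4/32 -require -out -src 207.xxx.xx.186
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 172.30.102.0/24 \
    192.168.102.0/24 -require -out -src 207.xxx.xx.186
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 172.30.102.0/24 \
    216.xx.xx.4/32 -require -out -src 207.xxx.xx.186
#INBOUND
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 216.xx.xx.4/32 \
    207.xxx.xx.186/32 -require -in -src 207.xxx.xx.186
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 192.168.102.0/24 \
    172.30.102.0/24 -require -in -src 207.xxx.xx.186
/sbin/ipsecadm flow -dst 216.xx.xx.4 -proto esp -addr 216.xx.xx.4/32 \
    172.30.102.0/24 -require -in -src 207.xxx.xx.186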