
RE: Problems setting a VPN with Isakmpd



I'm babbling away here because everything looks like it should work. If your
SAs and IPSEC tunnel got set up then ISAKMPD is not the problem. Run
TCPDUMP on both interfaces, check your routing (because for such a simple
setup your routing looks odd).

If I were you, I'd change the 10.0.1.254 address to 10.0.0.253 so that your
two gateways are on the same subnet.

Make sure you ping from internal to internal, or else you'll get a one way
encrypted/ other way clear response.




-----Original Message-----
From: Romain Guilleret [mailto:romain_(_dot_)_guilleret_(_at_)_paulboyerconsultants_(_dot_)_fr]
Sent: Friday, April 07, 2000 12:59 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Problems setting a VPN with Isakmpd


Hi all,


I am trying to configure a VPN using Isakmpd on 2 OpenBSD 2.6 boxes.
Here is my network diagram:

 +----------+              +----------+
 | Desktop  |              |OpenBSD2.6|
 |          |--------------|          | 
 |    B     |              |          |
 +----------+              +----------+  
  192.168.0.1    192.168.0.254  |    10.0.0.254
  /24                           |
                                |
                             same hub
                                |
                                |
                           +----------+ 10.0.1.254
                           |OpenBSD2.6|  /24
                           |          |
                           |          |        
                           +----------+ 192.168.1.254
                                |        /24
                                |
                                |
                                |
                           +----------+ 192.168.1.1          
                           | Desktop  | /24             
                           |          |
                           |    A     |             
                           +----------+  
                                


I've launched Isakmpd on both OpenBSD boxes. Now when I ping 192.168.0.1
from 192.168.1.1, the 192.168.1.254 gateway sends an ICMP host
unreachable, and does not use ipsec flows. The output from netstat -nr
seems correct:
(on 10.0.0.254)
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
10.0.0/24          link#1             UC          0        0      -  xl0
10.0.0.254         127.0.0.1          UGHS        0        3      -  lo0
10.0.1/24          link#1             UCS         0        0      -  xl0
10.0.1.254         0:50:da:e3:38:6f   UHLS        1      302      -  xl0
127/8              127.0.0.1          UGRS        0        0      -  lo0
127.0.0.1          127.0.0.1          UH          3        7      -  lo0
192.168.0/24       link#2             UC          0        0      -  xl1
192.168.0.1        0:60:97:17:fe:ed   UHL         0      416      -  xl1
192.168.0.254      127.0.0.1          UGHS        0        0      -  lo0
224/4              127.0.0.1          URS         0        0      -  lo0

Encap:
Source             Port  Destination        Port  Proto  SA(Address/SPI/Proto)
0.0.0.0/32         0     192.168.1/24       0     0      10.0.1.254/ba123ba2/50
192.168.0/24       0     192.168.1/24       0     0      10.0.1.254/ba123ba2/50


(on 10.0.1.254)
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
10.0.0/24          link#1             UCS         0        0      -  xl0
10.0.0.254         0:50:da:de:80:6a   UHLS        0      270      -  xl0
10.0.1/24          link#1             UC          0        0      -  xl0
10.0.1.254         0:50:da:e3:38:6f   UHL         0        2      -  lo0
10.1.1.254         127.0.0.1          UGHS        0        0      -  lo0
127/8              127.0.0.1          UGRS        0        0      -  lo0
127.0.0.1          127.0.0.1          UH          3       14      -  lo0
192.168.1/24       link#2             UC          0        0      -  xl1
192.168.1.1        0:d0:b7:2e:c7:b1   UHL         0      389      -  xl1
192.168.1.254      127.0.0.1          UGHS        0        6      -  lo0
224/4              127.0.0.1          URS         0        0      -  lo0

Encap:
Source             Port  Destination        Port  Proto  SA(Address/SPI/Proto)
0.0.0.0/32         0     192.168.0/24       0     0      10.0.0.254/fc34e1d1/50
192.168.1/24       0     192.168.0/24       0     0      10.0.0.254/fc34e1d1/50





AH, ESP and forwarding are enabled on both boxes.


If I ping 192.168.0.1 from 10.0.1.254, esp packets are sent to
192.168.0.1, and the icmp echo reply is sent in clear, which is the expected
behavior with this configuration (no ipsec flow from 192.168.0.0 to
10.0.1.254).
But it doesn't work from 192.168.1.1.
The 192.168.1.254 box doesn't use ipsec and sends a host unreachable
instead.

I encounter the same behavior with the other OpenBSD box.

I've attached the isakmpd configuration files below.


Did I miss anything?


TIA
        Romain Guilleret

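The reply's advice is to check the routing rather than isakmpd. As an added example (not code from either poster), this script replays that check offline: it parses the 10.0.1.254 box's `netstat -nr` output quoted above and, for a given source/destination pair, reports which IPsec flow selector matches and which route the kernel would use for the destination. It assumes that a `0.0.0.0/32` source selector matches only packets the gateway itself originates.

```python
import ipaddress

# Routing and Encap tables of the 10.0.1.254 box, transcribed from the post's
# netstat -nr output (wrapped columns rejoined, a few rows dropped for brevity).
NETSTAT_10_0_1_254 = """\
Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
10.0.0/24          link#1             UCS         0        0      -  xl0
10.0.0.254         0:50:da:de:80:6a   UHLS        0      270      -  xl0
10.0.1/24          link#1             UC          0        0      -  xl0
192.168.1/24       link#2             UC          0        0      -  xl1
192.168.1.254      127.0.0.1          UGHS        0        6      -  lo0

Encap:
Source             Port  Destination        Port  Proto SA(Address/SPI/Proto)
0.0.0.0/32         0     192.168.0/24       0     0     10.0.0.254/fc34e1d1/50
192.168.1/24       0     192.168.0/24       0     0     10.0.0.254/fc34e1d1/50
"""

def parse_prefix(text):
    """Expand netstat's short prefixes ('10.0.1/24', '127/8', '10.0.0.254')."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def parse_tables(output):
    """Split netstat -nr text into routes [(net, gw)] and flows [(src, dst, sa)]."""
    routes, flows, section = [], [], None
    for line in output.splitlines():
        f = line.split()
        if not f or f[0] in ("Destination", "Source"):
            continue
        if f[0] in ("Internet:", "Encap:"):
            section = f[0]
        elif section == "Internet:":
            routes.append((parse_prefix(f[0]), f[1]))
        elif section == "Encap:":
            flows.append((parse_prefix(f[0]), parse_prefix(f[2]), f[5]))
    return routes, flows

def check_path(output, src, dst, from_gateway=False):
    """Return (sa, route) for a src->dst packet: the SA of the first flow whose
    selectors cover it, and the longest-prefix route to dst (None = no route,
    i.e. what 'host unreachable' reports). Assumption of this example: a
    0.0.0.0/32 source selector matches only packets the gateway originates."""
    routes, flows = parse_tables(output)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sa = next((sa for sn, dn, sa in flows if d in dn and
               (s in sn or (from_gateway and sn.network_address.is_unspecified))), None)
    route = max((n for n, _ in routes if d in n), key=lambda n: n.prefixlen, default=None)
    return sa, (str(route) if route else None)
```

Running `check_path(NETSTAT_10_0_1_254, "192.168.1.1", "192.168.0.1")` shows a matching flow but no route to the destination, which is the combination worth comparing against the tcpdump the reply asks for.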

