
isakmpd and 0/0 SA strangeness



Minor correction after I have checked all things twice.


I can see encapsulated packets on enc0:

20:54:35.467523 (authentic,confidential): SPI 0x25779ded: 10.0.2.1 > 10.0.2.1:
icmp: echo request (encap)

and so on...

But I still have no explanation why the kernel encapsulates packets for which I have
a specific route in the routing table.

Maybe packets from local addresses are getting processed by IPsec before the
routing table lookup?

I know that pf's routing code works before the routing table lookup, so I
have tried this:

pass out quick route-to (fxp1 10.0.2.1) inet from 10.0.2.0/24 to 10.0.2.0/24

and got a normal ICMP echo request on fxp1:

21.17:02.935656 10.0.2.1 > 10.0.2.1: icmp: echo request


After killing isakmpd and running ipsecadm flush (0/0 SA removed), the box shows normal
behaviour: it pings itself normally (ping 10.0.2.1).

>  We have one 3.4-stable router (router A) with a primitive IPsec setup,
>  so the router has
> 
>  10.0.1.0/24  0  10.0.2.0/24  0  0  yyy.yyy.yyy.yyy/50/use/in
>  10.0.2.0/24  0  10.0.1.0/24  0  0  yyy.yyy.yyy.yyy/50/require/out
> 
>  in the SA table. Router A interconnects with another router (router B) which
>  serves the 10.0.1.0/24 subnet.
> 
>  Also, router A serves the 10.0.2.0/24 subnet (dhcpd and other) and has
>  10.0.2.1 on its internal interface.
> 
>  
>      10.0.1.0/24 lan
>             |
>     internal 10.0.1.1 (fxp1)
>  +----------------------+
>  |      router B        |
>  +----------------------+
>  external yyy.yyy.yyy.yyy (fxp0)
>             |
>             |
>  external xxx.xxx.xxx.xxx (fxp0)
>  +----------------------+
>  |      router A        |
>  +----------------------+
>     internal 10.0.2.1 (fxp1)
>             |
>      10.0.2.0/24 lan
> 
> 
>  We can provide isakmpd.conf, but everyone who uses isakmpd should know
>  what the sample setup looks like :) Our setup is nearly the same.
> 
>  The tunnel had worked flawlessly for about 2 years, but recently we
>  decided to change the setup and allow traffic from the 10.0.2.0/24
>  subnet to pass not only to 10.0.1.0/24, but to 0/0. We have changed the
>  isakmpd setup and made the default route point to the interface which
>  encapsulates traffic for the 0/0 destination. So we got the following
>  SA table on router A.
> 
>  0/0  0  10.0.2.0/24  0  0  yyy.yyy.yyy.yyy/50/use/in
>  10.0.2.0/24  0  0/0  0  0  yyy.yyy.yyy.yyy/50/require/out
>  
>  Everything is working fine, except connections within the 10.0.2.0/24
>  subnet (for example, from router A itself, 10.0.2.1, to some box in
>  10.0.2.0/24, 10.0.2.2), so ping 10.0.2.2 from router A does not work.
> 
>  As we see, the "10.0.2.0/24  0  0/0  0  0  yyy.yyy.yyy.yyy/50/require/out"
>  SA matches these connections, but how might the kernel encapsulate these
>  packets without needing to route them through the gif interface?
> 
>  To check whether encapsulation occurs we have tcpdump'ed on enc0 and got
>  no packets which look like 10.0.2.1->10.0.2.2. Coupled with this, we
>  have seen no such packets on router A's fxp1 (10.0.2.1).
> 
>  I have tried -current, same effect: the kernel eats every packet if the
>  "out SA"'s destination matches the packet's destination, even if it
>  should be routed through fxp1 (10.0.2.1).
> 
>  pf disabled, forwarding enabled.
> 
>  Any ideas?
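As an added illustration (not part of the original post or of OpenBSD's code), the following parses the two flow tables quoted above, in the layout shown there, and applies a purely address-based lookup to the 10.0.2.1 -> 10.0.2.2 packet: with the old table no outbound flow covers it, with the 0/0 table the require/out flow does. The most-specific-match rule and the absence of any routing-table consultation are assumptions of this model, not a description of the kernel; the yyy.yyy.yyy.yyy peer is the post's placeholder and is kept as a string.

```python
import ipaddress

# Constructed input: the two flow tables quoted in the post, in the
# "src sport dst dport proto peer/ipproto/level/direction" layout shown there.
OLD_TABLE = """
10.0.1.0/24  0  10.0.2.0/24  0  0  yyy.yyy.yyy.yyy/50/use/in
10.0.2.0/24  0  10.0.1.0/24  0  0  yyy.yyy.yyy.yyy/50/require/out
"""
NEW_TABLE = """
0/0  0  10.0.2.0/24  0  0  yyy.yyy.yyy.yyy/50/use/in
10.0.2.0/24  0  0/0  0  0  yyy.yyy.yyy.yyy/50/require/out
"""

def _net(text):
    # "0/0" is the table's shorthand for the whole address space.
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text)

def parse_flows(table):
    """Parse flow table lines into dicts; a port or proto of 0 means 'any'."""
    flows = []
    for line in table.strip().splitlines():
        src, sport, dst, dport, proto, sa = line.split()
        peer, ipproto, level, direction = sa.split("/")
        flows.append({"src": _net(src), "dst": _net(dst),
                      "sport": int(sport), "dport": int(dport), "proto": int(proto),
                      "peer": peer, "ipproto": int(ipproto),
                      "level": level, "dir": direction})
    return flows

def match_flow(flows, src, dst, direction):
    """Most specific flow (largest combined prefix length) covering src->dst.
    Assumption of this model: the lookup is address-based only; the routing
    table is never consulted, so a specific route cannot override a flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for f in flows:
        if f["dir"] == direction and src in f["src"] and dst in f["dst"]:
            spec = f["src"].prefixlen + f["dst"].prefixlen
            if best is None or spec > best[0]:
                best = (spec, f)
    return None if best is None else best[1]

def outbound_decision(flows, src, dst):
    """'cleartext' if no outbound flow covers the packet, else the flow's level."""
    f = match_flow(flows, src, dst, "out")
    return "cleartext" if f is None else "encapsulate/" + f["level"]

if __name__ == "__main__":
    for name, table in (("old", OLD_TABLE), ("new", NEW_TABLE)):
        flows = parse_flows(table)
        for dst in ("10.0.1.5", "10.0.2.2"):
            print(name, "10.0.2.1 ->", dst, outbound_decision(flows, "10.0.2.1", dst))
```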


