1st October 2016
da1
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
[SOLVED] OpenBSD 6.0 ipsec issues

Hello everyone,

I've been struggling with this for too long and I need some help. The idea is to create an ipsec tunnel between two fw's, both running OpenBSD 6.0 amd64. Behind each fw there is a small class C network.

Here is the configuration I have so far:

- enc0 up on both fw's

fw1/fw2 pf.conf (broad rules for testing):
Code:
### Scrub              >>> The first matching rule wins <<<
match log on {$ext_if} all scrub (max-mss 1440 reassemble tcp) label "scrub"

### NAT & RDR           >>> The first matching rule wins <<<
match out log on {$ext_if} inet from !($ext_if:network) to any nat-to ($ext_if) label "NAT"

set skip on enc0

block in log on $ext_if proto { tcp, udp, icmp } all label "EXT_IF block in"
pass in log on $int_if all label "INT_IF pass in"
pass out log label "DEF_PASS_OUT"

pass in log on {$ext_if} proto udp from any to any port { 500 4500 }
pass in log on {$ext_if} proto esp from any to any
fw1 ipsec.conf:
Code:
my_gw="<ext_ip_fw1>"
my_net="192.168.1.0/24"
gw2_gw="<ext_ip_fw2>"
gw2_net="192.168.2.0/24"

# me->gw2
ike esp from $my_gw to $gw2_gw peer $gw2_gw psk supersecretpsk
ike esp from $my_gw to $gw2_net peer $gw2_gw psk supersecretpsk
ike esp from $my_net to $gw2_net peer $gw2_gw psk supersecretpsk
fw2 ipsec.conf:
Code:
my_gw="<ext_ip_fw2>"
my_net="192.168.2.0/24"
gw1_gw="<ext_ip_fw1>"
gw1_net="192.168.1.0/24"

# me->gw1
ike esp from $my_gw to $gw1_gw peer $gw1_gw psk supersecretpsk
ike esp from $my_gw to $gw1_net peer $gw1_gw psk supersecretpsk
ike esp from $my_net to $gw1_net peer $gw1_gw psk supersecretpsk
I can ping and reach each fw via ssh from the opposite one, but I cannot reach the internal IP of the fw, nor the network behind it.

fw1 ipsecctl -sa:
Code:
FLOWS:
flow esp in from <ext_ip_fw2> to 192.168.1.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from 192.168.1.0/24 to <ext_ip_fw2> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require
flow esp in from <ext_ip_fw2> to <ext_ip_fw1> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from <ext_ip_fw1> to <ext_ip_fw2> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require
flow esp in from 192.168.2.0/24 to <ext_ip_fw1> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from <ext_ip_fw1> to 192.168.2.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require

SAD:
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x04480ae2 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0x2162a278 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x28b321f0 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x54f28ab7 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0x70d1b971 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0xc4959ca0 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0xe053b336 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0xe950c9d7 auth hmac-sha2-256 enc aes
fw2 ipsecctl -sa:
Code:
FLOWS:
flow esp in from 192.168.1.0/24 to <ext_ip_fw2> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from <ext_ip_fw2> to 192.168.1.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require
flow esp in from <ext_ip_fw1> to <ext_ip_fw2> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from <ext_ip_fw2> to <ext_ip_fw1> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require
flow esp in from <ext_ip_fw1> to 192.168.2.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from 192.168.2.0/24 to <ext_ip_fw1> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require

SAD:
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x04480ae2 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0x2162a278 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x28b321f0 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0x54f28ab7 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0x70d1b971 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw1> to <ext_ip_fw2> spi 0xc4959ca0 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0xe053b336 auth hmac-sha2-256 enc aes
esp tunnel from <ext_ip_fw2> to <ext_ip_fw1> spi 0xe950c9d7 auth hmac-sha2-256 enc aes
Errors on fw1:
Code:
162458.953755 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id <ext_ip_fw2>, responder id <ext_ip_fw1>
162458.953798 Default dropped message from <ext_ip_fw2> port 500 due to notification type INVALID_ID_INFORMATION
162458.954654 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id <ext_ip_fw2>, responder id 192.168.1.0/255.255.255.0
162458.954665 Default dropped message from <ext_ip_fw2> port 500 due to notification type INVALID_ID_INFORMATION
162458.956722 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.2.0/255.255.255.0, responder id 192.168.1.0/255.255.255.0
162458.956738 Default dropped message from <ext_ip_fw2> port 500 due to notification type INVALID_ID_INFORMATION
162505.956914 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
162505.956933 Default dropped message from <ext_ip_fw2> port 500 due to notification type NO_PROPOSAL_CHOSEN
162505.994418 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
162505.994430 Default dropped message from <ext_ip_fw2> port 500 due to notification type NO_PROPOSAL_CHOSEN
162506.104367 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
162506.104379 Default dropped message from <ext_ip_fw2> port 500 due to notification type NO_PROPOSAL_CHOSEN
162533.124444 Default transport_send_messages: giving up on exchange from-192.168.1.0/24-to-192.168.2.0/24, no response from peer <ext_ip_fw2>:500
162533.124476 Default transport_send_messages: giving up on exchange from-<ext_ip_fw1>-to-<ext_ip_fw2>, no response from peer <ext_ip_fw2>:500
162533.174432 Default transport_send_messages: giving up on exchange from-192.168.1.0/24-to-192.168.2.0/24, no response from peer <ext_ip_fw2>:500

Errors on fw2:
Code:
162506.032804 Default message_parse_payloads: invalid next payload type <Unknown 52> in payload of type 3
162506.032837 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162506.069356 Default message_parse_payloads: invalid next payload type <Unknown 41> in payload of type 3
162506.069363 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162506.142852 Default message_parse_payloads: invalid next payload type <Unknown 80> in payload of type 3
162506.142860 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162513.063324 Default message_parse_payloads: invalid next payload type <Unknown 52> in payload of type 3
162513.063344 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162513.083365 Default message_parse_payloads: invalid next payload type <Unknown 41> in payload of type 3
162513.083372 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162513.153363 Default message_parse_payloads: invalid next payload type <Unknown 80> in payload of type 3
162513.153371 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162522.092195 Default message_parse_payloads: invalid next payload type <Unknown 52> in payload of type 3
162522.092202 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162522.092379 Default message_parse_payloads: invalid next payload type <Unknown 41> in payload of type 3
162522.092386 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162522.162539 Default message_parse_payloads: invalid next payload type <Unknown 80> in payload of type 3
162522.162548 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162533.125326 Default message_parse_payloads: invalid next payload type <Unknown 52> in payload of type 3
162533.125335 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162533.125499 Default message_parse_payloads: invalid next payload type <Unknown 41> in payload of type 3
162533.125505 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
162533.175514 Default message_parse_payloads: invalid next payload type <Unknown 80> in payload of type 3
162533.175523 Default dropped message from <ext_ip_fw1> port 500 due to notification type INVALID_PAYLOAD_TYPE
Any help would be appreciated.

Last edited by da1; 1st October 2016 at 07:02 PM.
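An added diagnostic (example code, not from the poster or from OpenBSD): it parses the FLOWS sections of `ipsecctl -sa` from both firewalls and checks that every outbound flow on one side is mirrored by an inbound flow for the same selector on the other, which is the first thing to verify when a peer rejects phase 2 IDs. The `<ext_ip_fw1>`/`<ext_ip_fw2>` strings are the post's placeholders, reused here as constructed sample values.

```python
import re

# Constructed sample: FLOWS lines from each firewall's `ipsecctl -sa`, using the
# same <ext_ip_fw1>/<ext_ip_fw2> placeholders as the post (not real addresses).
FW1_FLOWS = """
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require
flow esp in from <ext_ip_fw2> to <ext_ip_fw1> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type use
flow esp out from <ext_ip_fw1> to <ext_ip_fw2> peer <ext_ip_fw2> srcid <ext_ip_fw1>/32 dstid <ext_ip_fw2>/32 type require
"""
FW2_FLOWS = """
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require
flow esp in from <ext_ip_fw1> to <ext_ip_fw2> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type use
flow esp out from <ext_ip_fw2> to <ext_ip_fw1> peer <ext_ip_fw1> srcid <ext_ip_fw2>/32 dstid <ext_ip_fw1>/32 type require
"""
# One FLOWS line: direction, traffic selector (src -> dst) and the IKE peer address.
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")

def parse_flows(text):
    """Return the set of (direction, src, dst, peer) tuples found in FLOWS output."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add(m.groups())
    return flows

def unmatched_flows(local_text, remote_text, local_addr, remote_addr):
    """Each 'out' flow on the local fw towards remote_addr must be mirrored by an
    'in' flow with the same src/dst on the remote fw, peered back at local_addr.
    Returns the (src, dst) selectors lacking a mirror; [] means the SPDs agree."""
    local, remote = parse_flows(local_text), parse_flows(remote_text)
    missing = []
    for direction, src, dst, peer in sorted(local):
        if direction == "out" and peer == remote_addr:
            if ("in", src, dst, local_addr) not in remote:
                missing.append((src, dst))
    return missing

def check_tunnel(fw1_text, fw2_text, fw1_addr, fw2_addr):
    """Mirror check in both directions; an empty dict means no selector mismatch."""
    report = {}
    for name, a, b, a_addr, b_addr in (("fw1->fw2", fw1_text, fw2_text, fw1_addr, fw2_addr),
                                       ("fw2->fw1", fw2_text, fw1_text, fw2_addr, fw1_addr)):
        bad = unmatched_flows(a, b, a_addr, b_addr)
        if bad:
            report[name] = bad
    return report
```

Feed it the real `ipsecctl -sa` output of both gateways; any selector it reports is a flow one side will propose and the other side has no policy for.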