VPN Routing Issues - BSD


  1. VPN Routing Issues

    I had a VPN set up with automatic keying between two OpenBSD machines, one
    running 3.7 and the other a snapshot of 3.7-current from June. The setup
    was basically lifted from the vpn(8) man page and it worked fine. I just
    upgraded the 3.7-current machine to 3.8, and now I'm having problems with
    my VPN. Nothing was changed on the other end (still running 3.7 with same
    config), and I copied all the old config files (isakmp and pf) to the new
    3.8 end.

    The two isakmpd daemons seem to be communicating:
    18:48:04.529929 host1.isakmp > host2.isakmp: isakmp v1.0 exchange ID_PROT
    cookie: 0808e7ce7c1bae84->5f72d182eb5b5492 msgid: 00000000 len: 228
    18:48:04.546026 host2.isakmp > host1.isakmp: isakmp v1.0 exchange INFO
    cookie: 87afe5a861c374db->0000000000000000 msgid: 00000000 len: 40 [tos 0x20]

    In the previous setup, I found that I had to manually create routes in
    order for the gateways to be able to communicate to the remote networks.

    On this end, I did this:
    route -n add -net -inet 192.168.1/24 192.168.2.1

    And on the other end, I did this:
    route -n add -net -inet 192.168.2/24 192.168.1.1

    I'm not sure if that's the proper way to do it, but it worked fine for me
    for many months. After upgrading, the routing between the two ends seems broken. If I try
    to ping the remote gateway from my gateway, ping just hangs. tcpdump
    shows that the traffic is trying to get out the internal interface instead
    of the external interface. The same thing happens from the other side.

    If I remove those two routes and try to ping, I get "sendto: No route to
    host" because I have a pf rule that blocks RFC 1918 traffic on the
    external interface.

    The man page says that netstat should show routes between the two
    gateways, but my table is empty.

    # netstat -rn -f encap
    Routing tables

    Encap:
    Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

    So, is the tunnel not being created? Anyone have any ideas? The verbose
    output from isakmpd doesn't make sense to me, but I can provide it if it
    will help.

    Thanks.
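As an added example (not code from the thread or from OpenBSD), here is a small sh script that parses the `netstat -rn -f encap` output the poster checks and reports whether both directions of the expected flow between the two networks are listed, which is the quickest way to tell an "empty table" failure like the one above from a plain routing problem. The sample tables, their column layout and the gateway address 198.51.100.1 are constructed assumptions that approximate the OpenBSD 3.x encap output.

```shell
#!/bin/sh
# Added example: check an OpenBSD encap (IPsec flow) table for both directions
# of an expected tunnel. Sample output below is constructed and approximates
# the layout of `netstat -rn -f encap`; the gateway address is a placeholder.

# Constructed sample of a working tunnel: one outbound and one inbound flow.
SAMPLE_OK='Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24       0     192.168.1/24       0     0     198.51.100.1/esp/require/out
192.168.1/24       0     192.168.2/24       0     0     198.51.100.1/esp/use/in'

# Constructed sample of the empty table the poster actually saw.
SAMPLE_EMPTY='Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)'

# flows_present TABLE LOCALNET REMOTENET
# Prints "ok" when an outbound flow LOCALNET->REMOTENET and an inbound flow
# REMOTENET->LOCALNET both exist; otherwise prints which direction is missing.
# Fields: 1=Source 2=Port 3=Destination 4=Port 5=Proto 6=SA(addr/proto/type/dir)
flows_present() {
    table=$1 lnet=$2 rnet=$3
    have_out=$(printf '%s\n' "$table" | awk -v s="$lnet" -v d="$rnet" \
        '$1 == s && $3 == d && $6 ~ /\/out$/ { found = 1 } END { print found + 0 }')
    have_in=$(printf '%s\n' "$table" | awk -v s="$rnet" -v d="$lnet" \
        '$1 == s && $3 == d && $6 ~ /\/in$/ { found = 1 } END { print found + 0 }')
    if [ "$have_out" = 1 ] && [ "$have_in" = 1 ]; then
        echo ok
    else
        [ "$have_out" = 1 ] || printf 'missing outbound flow %s -> %s\n' "$lnet" "$rnet"
        [ "$have_in" = 1 ]  || printf 'missing inbound flow %s -> %s\n' "$rnet" "$lnet"
    fi
}

# On a live gateway, feed the real table instead of the constructed sample:
#   flows_present "$(netstat -rn -f encap)" 192.168.2/24 192.168.1/24
flows_present "$SAMPLE_OK"    192.168.2/24 192.168.1/24
flows_present "$SAMPLE_EMPTY" 192.168.2/24 192.168.1/24
```

If both directions are missing while isakmpd reports the exchange as completed, the problem is in key management (as the follow-up below found), not in the static routes.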

  2. Re: VPN Routing Issues

    On Tue, 15 Nov 2005 18:05:22 -0600, Shane Almeida wrote:
    > I had a VPN set up with automatic keying between two OpenBSD machines, one
    > running 3.7 and the other a snapshot of 3.7-current from June. The setup
    > was basically lifted from the vpn(8) man page and it worked fine. I just
    > upgraded the 3.7-current machine to 3.8, and now I'm having problems with
    > my VPN. Nothing was changed on the other end (still running 3.7 with same
    > config), and I copied all the old config files (isakmp and pf) to the new
    > 3.8 end.

    I should have looked at the logs on the other end more closely.
    /var/log/daemon had messages that led me to this thread:
    http://marc.theaimsgroup.com/?t=113112672200006&r=1&w=2

    It turns out the problem is the new NAT traversal feature of isakmpd in
    3.8. Disabling that (with the -T switch) on the 3.8 side solved my
    problems. I guess this was fixed in 3.7-stable too, so upgrading to
    -stable on the other side would fix it too.
