VPN Routing Issues

From: Shane Almeida (almeida.spam.is.evil_at_spam.is.evil.mindless.com)
Date: 11/16/05


Date: Tue, 15 Nov 2005 18:05:22 -0600

I had a VPN set up with automatic keying between two OpenBSD machines, one
running 3.7 and the other a snapshot of 3.7-current from June. The setup
was basically lifted from the vpn(8) man page and it worked fine. I just
upgraded the 3.7-current machine to 3.8, and now I'm having problems with
my VPN. Nothing was changed on the other end (still running 3.7 with same
config), and I copied all the old config files (isakmp and pf) to the new
3.8 end.

The two isakmpd daemons seem to be communicating:
18:48:04.529929 host1.isakmp > host2.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 0808e7ce7c1bae84->5f72d182eb5b5492 msgid: 00000000 len: 228
18:48:04.546026 host2.isakmp > host1.isakmp: isakmp v1.0 exchange INFO
        cookie: 87afe5a861c374db->0000000000000000 msgid: 00000000 len: 40 [tos 0x20]

In the previous setup, I found that I had to manually create routes in
order for the gateways to be able to communicate to the remote networks.

On this end, I did this:
route -n add -net -inet 192.168.1/24 192.168.2.1

And on the other end, I did this:
route -n add -net -inet 192.168.2/24 192.168.1.1

I'm not sure if that's the proper way to do it, but it worked fine for me
for many months. After upgrading, the routing between the two ends seems broken. If I try
to ping the remote gateway from my gateway, ping just hangs. tcpdump
shows that the traffic is trying to get out the internal interface instead
of the external interface. The same thing happens from the other side.

If I remove those two routes and try to ping, I get "sendto: No route to
host" because I have a pf rule that blocks RFC 1918 traffic on the
external interface.

The man page says that netstat should show routes between the two
gateways, but my table is empty.

# netstat -rn -f encap
Routing tables

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

So, is the tunnel not being created? Anyone have any ideas? The verbose
output from isakmpd doesn't make sense to me, but I can provide it if it
will help.

Thanks.
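An added example, not part of the original post: a small Python script that parses the two tcpdump lines quoted above and reports whether ISAKMP phase 1 ever completed. The trace is the post's own output embedded as constructed input; reading the INFO packet with an all-zero responder cookie as an unprotected notification (a reply not bound to any established ISAKMP SA) is this example's interpretation, which is consistent with the empty encap routing table.

```python
import re

# Two-line packet format printed by OpenBSD tcpdump for UDP/500 traffic:
# a header line, then an indented line with cookies, message id and length.
HDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: "
                    r"isakmp v1\.0 exchange (?P<exch>\S+)")
CK_RE = re.compile(r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}) "
                   r"msgid: (?P<msgid>[0-9a-f]{8}) len: (?P<len>\d+)")

# The two packets quoted in the post above (constructed input for this example).
TRACE = """\
18:48:04.529929 host1.isakmp > host2.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 0808e7ce7c1bae84->5f72d182eb5b5492 msgid: 00000000 len: 228
18:48:04.546026 host2.isakmp > host1.isakmp: isakmp v1.0 exchange INFO
        cookie: 87afe5a861c374db->0000000000000000 msgid: 00000000 len: 40 [tos 0x20]
"""

def parse_trace(text):
    """Pair each header line with the cookie line that follows it."""
    packets, current = [], None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            current = h.groupdict()
            continue
        c = CK_RE.search(line)
        if c and current is not None:
            current.update(c.groupdict())
            current["len"] = int(current["len"])
            packets.append(current)
            current = None
    return packets

def assess_phase1(packets):
    """Return (ok, reason): did the trace get past ISAKMP phase 1?"""
    if any(p["exch"] == "QUICK_MODE" for p in packets):
        return True, "QUICK_MODE seen: phase 1 completed and IPsec SAs are being negotiated"
    for p in packets:
        # An INFO exchange whose responder cookie is all zeros is not bound to an
        # established ISAKMP SA; len 40 = 28-byte header + 12-byte minimal notify.
        if p["exch"] == "INFO" and p["rcookie"] == "0" * 16:
            return False, (f"{p['src']} answered ID_PROT with an unprotected INFO "
                           f"notification ({p['len']} bytes); phase 1 never completed, "
                           "so no SAs exist and the encap routing table stays empty")
    n = sum(p["exch"] == "ID_PROT" for p in packets)
    if n < 6:  # main mode is a six-message exchange
        return False, f"only {n} ID_PROT message(s) seen; main mode needs 6"
    return False, "phase 1 finished but no QUICK_MODE followed"
```

Feed it a longer capture (`tcpdump -n -i <ext_if> udp port 500`) and the same checks apply; the diagnosis for the quoted trace is that the peer rejected the proposal before any SA existed, which is why there is nothing to route over.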


