Subject: IPSEC (sometimes) not tunneling tcp SYN-ACKs
To: None <netbsd-users@netbsd.org>
From: Christoph Kaegi <kgc@zhwin.ch>
List: netbsd-users
Date: 06/04/2003 07:46:25
I have a problem as follows:

There are two NetBSD machines running an ipsec tunnel over the internet
(Both netbsd-1-6 as of yesterday).
Basically the setup works, traffic is encrypted and shows up as
ESP packets on tcpdump.

I have configured ipf to pass the ESP protocol in and out between these
two machines.

But suddenly, (after some amount of time or bytes) when I try to
ssh from one to the other machine or when trying to send mail,
the SYN-ACK reply of the responding machine gets blocked by its
ipfilter:

-------------------------------------- 8< --------------------------------------
Jun  4 07:30:56 myhost ipmon[102]: 07:30:55.845560 fxp1 @0:14 b 1.2.3.4,25 -> 5.6.7.8,65519 PR tcp len 20 60 -AS 78085031 800560009 16384 OUT
-------------------------------------- 8< --------------------------------------

Running /etc/rc.d/ipsec reload on those machines cures the problem.

ipsec.conf looks like this:

machine1:
-------------------------------------- 8< --------------------------------------
# Add SA's
add 1.2.3.4 5.6.7.8 esp 25252 -E rijndael-cbc "SomeRandom32ByteSecretKeyxxxxxxx";
add 5.6.7.8 1.2.3.4 esp 18181 -E rijndael-cbc "SomeRandom32ByteSecretKeyyyyyyyy";

# Add SP entries:
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out none;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in  none;
-------------------------------------- 8< --------------------------------------

machine2:
-------------------------------------- 8< --------------------------------------
# Add SA's
add 1.2.3.4 5.6.7.8 esp 25252 -E rijndael-cbc "SomeRandom32ByteSecretKeyxxxxxxx";
add 5.6.7.8 1.2.3.4 esp 18181 -E rijndael-cbc "SomeRandom32ByteSecretKeyyyyyyyy";

# Add SP entries:
spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P in  ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out none;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in  none;
-------------------------------------- 8< --------------------------------------

Is this a bug in the ipsec code or did I do something wrong?

Thanks in advance

Chris

-- 
----------------------------------------------------------------------
Christoph Kaegi                                           kgc@zhwin.ch
----------------------------------------------------------------------
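A quick way to spot the symptom described above in ipmon output is to check every logged packet between the two tunnel endpoints against the "require" policy: with the SPD from the ipsec.conf above, the only traffic ipf should ever see between 1.2.3.4 and 5.6.7.8 is ESP, so any tcp/udp/icmp record between those addresses means the policy did not apply. The script below is an added example and not part of the original post or of NetBSD; the first log line is the one quoted in the post, the other two are constructed, and the ipmon line format it parses is assumed from that sample.

```python
import re

# Tunnel endpoint pairs taken from the ipsec.conf in the post (1.2.3.4 <-> 5.6.7.8).
TUNNEL_PAIRS = {frozenset({"1.2.3.4", "5.6.7.8"})}

# ipmon(8) packet line, as seen in the post; ports are absent for protocols
# without them (e.g. esp), and the tcp flags field ("-AS") is optional.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>\S) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))?.*? (?P<dir>IN|OUT)\s*$"
)
SYSLOG_PREFIX_RE = re.compile(r"ipmon\[\d+\]: ")


def parse_ipmon(line):
    """Return a dict of fields for one ipmon log line, or None if it does not match."""
    body = SYSLOG_PREFIX_RE.split(line.strip(), maxsplit=1)[-1]  # drop syslog prefix
    m = IPMON_RE.match(body)
    return m.groupdict() if m else None


def find_leaks(lines, pairs=TUNNEL_PAIRS):
    """Return records of non-ESP/AH packets logged between tunnel endpoints.

    A blocked ('b') record is the symptom from the post: the kernel handed ipf
    a cleartext SYN-ACK instead of an ESP packet.  A passed ('p') record would
    mean the cleartext actually left the box, so both are reported.
    """
    leaks = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["proto"] in ("esp", "ah"):
            continue
        if frozenset({rec["src"], rec["dst"]}) in pairs:
            leaks.append(rec)
    return leaks


# Constructed sample log: line 1 is quoted from the post, lines 2 and 3 are made up.
SAMPLE_LOG = [
    "Jun  4 07:30:56 myhost ipmon[102]: 07:30:55.845560 fxp1 @0:14 b 1.2.3.4,25 -> 5.6.7.8,65519 PR tcp len 20 60 -AS 78085031 800560009 16384 OUT",
    "Jun  4 07:30:57 myhost ipmon[102]: 07:30:56.001122 fxp1 @0:3 p 1.2.3.4 -> 5.6.7.8 PR esp len 20 120 OUT",
    "Jun  4 07:30:58 myhost ipmon[102]: 07:30:57.334455 fxp1 @0:14 b 9.9.9.9,1234 -> 1.2.3.4,25 PR tcp len 20 60 -S 1 0 16384 IN",
]

if __name__ == "__main__":
    for rec in find_leaks(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['dir']} {rec['proto']} {rec['src']} -> {rec['dst']} "
              f"flags={rec['flags']} action={rec['action']}: not tunneled")
```

Feeding the live ipmon log through find_leaks after the tunnel has been up for a while shows whether the SPD stops applying at a particular moment, which is the datapoint to attach to a bug report.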