Monday, December 03, 2018

Re: TLS suddenly not working over IKED site-to-site

> On Dec 3, 2018, at 12:18 PM, Rachel Roch <rroch@tutanota.de> wrote:
>
> I hope someone here can shed light on an infuriating problem I've spent a week trying to resolve without luck.
>
> The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints fully syspatched).
>
> The VPN worked absolutely perfectly until it suddenly started behaving strangely. Seriously, I'm talking about "pass any traffic you can think of", then I go on holiday for a week (nobody else has physical or remote access to the machines, and I did not connect on holiday), then this behaviour starts.
>
> Basically the behaviour I am seeing is that anything that uses TLS is no longer able to connect (or at least gets no further than trying to do a TLS handshake, e.g. Firefox hangs showing "performing TLS handshake..." at the bottom of the screen), so that means:
>
> - HTTPS websites
> - VoIP
> - IMAP over TLS
> - RDP over TLS
>
> Are all broken on the VPN, but all TLS-based services continue to work perfectly off-site (or when the site-to-site VPN is bypassed with a third-party VPN). This impacts multiple servers and multiple clients, so it's not just one server or one desktop PC, it's anything that tries to talk TLS over that VPN!
>
>
> However:
> - Ping (including large packet size, e.g. "-s 1600")
> - SSH
> - DNS
> - Anything else you care to name that doesn't use TLS
>
> All continue to work perfectly over the VPN.
>
> My PF rules (which cannot possibly be the problem, because they have not changed a single bit between "working" and "not working") don't even differentiate between traffic types, so it can't be some sudden PF oddity:
>
> pass in on enc from <remote_vpnets> to <local_vpnets> keep state (if-bound) $midPriority
> pass out on enc from <local_vpnets> to <remote_vpnets> keep state (if-bound) $midPriority
>
> Similarly, my IKED config is also completely unchanged between "working" and "not working", and ipsecctl -sa continues to show everything correctly established.
>
> ikev2 "to remote" active esp from $a_net to $b_net\
> local $local_ext peer $remote_ext \
> ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
> childsa enc chacha20-poly1305 group curve25519 \
> srcid $local_ext dstid $remote_ext \
> ikelifetime 4h lifetime 3h bytes 512M \
> ecdsa384
>
>
> This whole thing is just driving me crazy!
>

Rachel,

As a first step, try using s_client to connect to a TLS service and see what comes back:

$ openssl s_client -connect <hostname>:<port> -showcerts

There are more possible options on s_client to debug more deeply but this is a good start.


--Paul
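An added example (not Paul's or Rachel's code) that wraps the s_client check above in a deadline, so that a handshake that hangs, which is the symptom Rachel describes, is reported separately from one that fails outright or completes. It assumes timeout(1) is available (GNU coreutils, or OpenBSD 7.0+ base) and that s_client prints a "Verify return code:" line whenever the handshake finishes; the sample output it checks against is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes timeout(1) exists (GNU coreutils,
# or OpenBSD 7.0+ base) and that openssl s_client prints a "Verify return code:"
# line whenever the TLS handshake completes.

# classify_s_client EXIT_CODE OUTPUT
# Prints one word: hung (deadline hit, no ServerHello/certificate came back),
# ok (handshake done, chain verified), cert-problem (handshake done, chain
# not verified), or failed (s_client gave up before finishing the handshake).
classify_s_client() {
    rc=$1
    out=$2
    if [ "$rc" -eq 124 ]; then
        echo hung
    elif printf '%s\n' "$out" | grep -q '^Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q '^Verify return code:'; then
        echo cert-problem
    else
        echo failed
    fi
}

# tls_probe HOST PORT [SECONDS]: run s_client under a deadline and classify it.
# "hung" across the tunnel but "ok" off-tunnel points at the path, not at TLS.
tls_probe() {
    host=$1; port=$2; secs=${3:-10}
    out=$(timeout "$secs" openssl s_client -connect "$host:$port" \
          -servername "$host" -showcerts </dev/null 2>&1)
    rc=$?
    classify_s_client "$rc" "$out"
}

# Constructed, abridged samples of s_client output for offline self-checks.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.test
---
Verify return code: 0 (ok)
---'
SAMPLE_SELFSIGNED='CONNECTED(00000003)
Verify return code: 18 (self signed certificate)
---'

# Usage on a live host: tls_probe mail.example.test 993
```

Run the same probe from a client on the tunnel and from one off-site; two different verdicts for the same server isolate the problem to the VPN path rather than the TLS service.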
