Friday, October 30, 2020

Routing between VPNs broken

Hi all,

I have 3 firewalls, all running OpenBSD 6.7, 2 are IPsec-clients one is the server.
After installing (unrelated?) syspatches (67-19, 67-20, 67-23 and 67-24) on the server and rebooting it after 2 months of uptime, I noticed that routing between VPNs has been broken:

fw1# ipsecctl -s all
FLOWS:
flow esp in from 91.?.?.128/25 to 0.0.0.0/0 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 91.?.?.0/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 192.168.230.0/23 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.230.0/23 to 192.168.220.0/22 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 0.0.0.0/0 to 91.?.?.128/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 91.?.?.0/25 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 192.168.220.0/22 to 192.168.230.0/23 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 192.168.230.0/23 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 2a05:?:?:10::/60 to 2000::/3 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require

On the server, when I ping one client, it tries to bypass the IPsec flow and goes out upstream, which is blocked by pf.
It seems, routing continues to work between one client side and net on the server after re-keying if there exist tcp connections between the nets.
On the other client side, often the VPN is idle and routing gets lost, even if I tried to work around it with a host route.

I refused to use routing protocols in the past, because I don't like them on the firewall.

What is the recommended reliable solution for this scenario? ospf?

Any help very appreciated,
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
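As an added diagnostic (not part of Axel's post or of OpenBSD), here is a small Python checker over the pasted ipsecctl -s all flow lines: it flags flows that have no reverse counterpart (in without out, or vice versa) and out flows whose peer differs from the peer the destination net's in flows arrive from. On the pasted table the IPv4 flows all pair up with consistent peers; only the IPv6 in flow has no out counterpart in what was pasted.

```python
import re
from collections import namedtuple

# Flow table exactly as pasted in the post (redacted octets kept as "?").
# The "FLOWS:" header is included to show that non-flow lines are skipped.
FLOWS_TXT = """\
FLOWS:
flow esp in from 91.?.?.128/25 to 0.0.0.0/0 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 91.?.?.0/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 192.168.230.0/23 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.230.0/23 to 192.168.220.0/22 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 0.0.0.0/0 to 91.?.?.128/25 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 91.?.?.0/25 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 192.168.220.0/22 to 192.168.230.0/23 peer 217.?.?.? srcid fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 192.168.230.0/23 to 192.168.220.0/22 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 2a05:?:?:10::/60 to 2000::/3 peer 80.?.?.? srcid fw.bu.some.domain dstid gw.mu.some.domain type require
"""

Flow = namedtuple("Flow", "proto dir src dst peer")
FLOW_RE = re.compile(r"^flow (\S+) (in|out) from (\S+) to (\S+) peer (\S+)(?:\s|$)")

def parse_flows(text):
    """Parse 'flow ...' lines from ipsecctl -s all output; other lines are skipped."""
    return [Flow(*m.groups()) for m in map(FLOW_RE.match, text.splitlines()) if m]

def unpaired_flows(flows):
    """Flows whose reverse counterpart (other direction, src/dst swapped) is missing.

    A net pair with an 'in' flow but no 'out' flow is never matched by the SPD on
    the way out, so replies are forwarded unprotected via the normal routing table.
    """
    present = {(f.dir, f.src, f.dst) for f in flows}
    return [f for f in flows
            if ("out" if f.dir == "in" else "in", f.dst, f.src) not in present]

def peer_mismatches(flows):
    """(out flow, expected peer) where the peer differs from the one owning the dst net."""
    owner = {f.src: f.peer for f in flows if f.dir == "in" and f.src != "0.0.0.0/0"}
    return [(f, owner[f.dst]) for f in flows
            if f.dir == "out" and f.dst in owner and owner[f.dst] != f.peer]

if __name__ == "__main__":
    flows = parse_flows(FLOWS_TXT)
    for f in unpaired_flows(flows):
        print(f"no reverse flow for {f.dir} {f.src} -> {f.dst} (peer {f.peer})")
    for f, want in peer_mismatches(flows):
        print(f"out flow to {f.dst} uses peer {f.peer}, but in flows from it use {want}")
```

Feed it the live output (ipsecctl -s all | python3 checker.py with the literal replaced by sys.stdin.read()) after a rekey to see whether the flow table itself changed, or whether the flows are intact and the problem lies elsewhere.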
