Tuesday, June 01, 2021

Re: after upgrade to 6.9, iked does not pass traffic

On Mon, May 31, 2021 at 02:31:22PM +0000, Leclerc, Sebastien wrote:
> > > > If that doesn't help you could share the output of 'ipsecctl -sa' to find
> > > > out if the IPsec SAs or flows are the problem.
> > >
> > > That may be the problem, there is nothing between 192.168.1.109 and 192.168.9.101 :
> > > (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
> > > 192.168.9.101 is what the vpn client is trying to communicate with)
> > >
> > > # ipsecctl -sa
> > > FLOWS:
> > > No flows
> > >
> > > SAD:
> > > esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
> > > esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256
>
> > Ok, so this seems to be the cause. From your log snippet i can see that
> > there must have been SAs at some point because it shows an
> > "ikev2_childsa_enable" line.
> > Try running iked with -vv. Maybe the verbose log contains an error message
> > that helps us find out what's wrong.
>
> The SAs seem to be only the first "from" clause (from 192.168.8.2 to 192.168.1.109), which are the VPN endpoints, not the second one, which covers the network behind the OpenBSD machine, and the IP assigned to the Windows machine in this same subnet (arp-proxied).

The SAs are ok but the flows are not loaded correctly. Looks like it is an
actual bug in 6.9. It is triggered by the 'config address' line in your
configuration, so working around that one line would be one solution.

The diff below should also fix your problem and allow you to keep your config
unchanged.

Index: ikev2.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.319
diff -u -p -r1.319 ikev2.c
--- ikev2.c 23 Mar 2021 21:31:29 -0000 1.319
+++ ikev2.c 1 Jun 2021 09:27:08 -0000
@@ -7062,7 +7062,7 @@ ikev2_cp_fixaddr(struct iked_sa *sa, str
naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
sa->sa_addrpool : sa->sa_cp_addr;
if (naddr == NULL)
- return (-1);
+ return (-2);
in4 = (struct sockaddr_in *)&addr->addr;
if (in4->sin_addr.s_addr)
return (-2);
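Review bot: with `- return (-1);` / `+ return (-2);` the NULL-pool case now returns the same code the function already uses two lines below for an IPv4 address that is already set (`return (-2);`), so callers can no longer distinguish "no address to substitute" from an error. Nothing in the hunk documents what -1 and -2 mean; add a comment at these returns (or above ikev2_cp_fixaddr) stating the contract, e.g. that -2 means "leave the address untouched, not a failure", so the next reader does not revert this to -1.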
@@ -7074,7 +7074,7 @@ ikev2_cp_fixaddr(struct iked_sa *sa, str
naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
sa->sa_addrpool6 : sa->sa_cp_addr6;
if (naddr == NULL)
- return (-1);
+ return (-2);
in6 = (struct sockaddr_in6 *)&addr->addr;
if (!IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr))
return (-2);
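Review bot: the IPv6 branch mirrors the IPv4 change (a NULL `sa_addrpool6`/`sa_cp_addr6` now returns -2 instead of -1), which is right for consistency, but both branches now fold the "no pool address" and "address already specified" cases into the same -2 literal; a named constant or a single shared comment for the two return values would keep the two branches from drifting apart.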

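Added example, not code from the thread or from iked: a small Python check that parses `ipsecctl -sa` output and reports ESP SAs that have no flow pointing at either of their endpoints, which is exactly the "SAD populated, No flows" state quoted above. The flow-line layout (`flow esp in|out from A to B peer P ...`) is assumed from ipsecctl(8), and both sample outputs are constructed.

```python
import re

# Constructed sample modelled on the thread: SAs exist, but no flows were loaded.
SAMPLE_NO_FLOWS = """\
FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256
"""

# Constructed healthy sample: the same SAs plus the flows that should accompany them
# (flow line format assumed from ipsecctl(8); trailing fields are ignored by the parser).
SAMPLE_OK = """\
FLOWS:
flow esp in from 192.168.1.109 to 192.168.9.0/24 peer 192.168.1.109 type use
flow esp out from 192.168.9.0/24 to 192.168.1.109 peer 192.168.1.109 type require

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256
"""

SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_ipsecctl(text):
    """Split 'ipsecctl -sa' output into its FLOWS and SAD sections."""
    flows, sas, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "FLOWS:":
            section = "flows"
        elif line == "SAD:":
            section = "sad"
        elif section == "flows" and (m := FLOW_RE.match(line)):
            flows.append({"dir": m[1], "src": m[2], "dst": m[3], "peer": m[4]})
        elif section == "sad" and (m := SA_RE.match(line)):
            sas.append({"src": m[1], "dst": m[2], "spi": m[3]})
    return flows, sas


def orphaned_sas(text):
    """SPIs of SAs that no flow references as its peer: traffic cannot use them."""
    flows, sas = parse_ipsecctl(text)
    peers = {f["peer"] for f in flows}
    return [sa["spi"] for sa in sas if sa["src"] not in peers and sa["dst"] not in peers]
```

Run it against the live output with `orphaned_sas(subprocess.run(["ipsecctl", "-sa"], capture_output=True, text=True).stdout)`; a non-empty list means the tunnel is up but nothing will be routed through it.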