
I set up an IPsec tunnel between strongSwan and OpenIKED with X.509 PKI. The tunnel establishes correctly, but I have some problems.

  • The gateway running iked cannot ping the local IP of the Vyatta router, but Vyatta can ping the local IP of the iked gateway.

  • The subnet 10.1.1.0/24 cannot reach the subnet 10.3.3.0/24 (and vice versa).

Below is a diagram of my configuration:

                                10.2.2.0/24               10.3.3.0/24
 +---------------+    +--------+.100   +-------+   ISP    +---------+.1
 |Private subnet +---^|  FW    +------^+ Box   +^---------+FW       |
 +---------------+   1.--------+       +-------+          +---------+
  10.1.1.0/24           Strongswan        NAT              OpenBSD (iked)
                        vyatta

My iked.conf:

ikev2 "site2" passive esp \
    from 10.3.3.1 to 10.2.2.100 \
    from 10.3.3.0/24 to 10.1.1.0/24 \
    peer any local any \
    srcid iked.example.com dstid vyatta.example.com \
    #ikesa auth hmac-sha2-256 enc aes-256-ctr group modp2048 \
    childsa auth hmac-sha2-512 enc aes-256-ctr group modp2048 \
    tag "$name-$id"

My ipsec.conf (strongswan):

conn site1
    keyexchange=ikev2
    dpddelay=5s
    dpdtimeout=60s
    dpdaction=restart

    left=%defaultroute
    leftcert=vyatta.crt.pem
    leftsubnet=10.1.1.0/24,10.2.2.100
    leftfirewall=yes
    leftid="vyatta.example.com"

    right=10.3.3.1
    rightsubnet=10.3.3.0/24
    rightid="iked.example.com"

    auto=start

But when I add these two routes on my iked gateway, everything works:

route add -inet 10.2.2.100 -llinfo -link -static -iface vmx1
route add -inet 10.1.1.0/24 10.2.2.100

except for one thing. When I set up a redirection combining rdr-to and nat-to in my packet filter, it did not work. The packet is correctly redirected toward a server on the 10.1.1.0/24 subnet and the source IP is NATed (the SNAT address is 10.3.3.1). I noticed that OpenBSD did not forward it because it sends an ARP request for 10.2.2.100, which I don't understand. So I have no idea why the packet is not encapsulated in the tunnel; I see nothing when I run "tcpdump enc0".

So, I have two questions:

  • Why can't my iked gateway ping the Vyatta gateway without the route? Is there something missing in my configuration file (iked.conf)?
  • Why does OpenBSD make an ARP request instead of redirecting the packet into enc0?

1 Answer


This question is a few months old, so you've probably long since figured out your issue. And this likely doesn't answer your question anyway. But I notice that you've commented out the ikesa option in your iked.conf file. I just found out (the hard way) that everything following the comment won't be evaluated. So if you're using pf to refer to your $name-$id tag, it won't evaluate correctly, because iked never interprets this option. Same for your childsa, if that's of importance to your setup.

JMTusk_16

  • Breaking the statement up with "\" makes it a lot more readable. But these line breaks are for your viewing pleasure only. For the program it is still a single line. With that in mind, it is no surprise that the "#" converts the rest of the line into a comment. – Karsten Köpnick Oct 04 '21 at 21:10
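As an added illustration of the point made in the answer and comment above (this is not code from the question or from the OpenIKED project): a small Python lint that joins backslash-continued lines before it looks for "#", then reports which iked.conf options the posted configuration silently loses. The keyword list and the quote handling are assumptions that simplify iked's real grammar; the two configs are constructed copies of the posted one.

```python
# Added example, not the asker's tooling: join backslash-continued lines the
# way iked's lexer does and report option keywords that a mid-statement "#"
# comment pushes out of the parsed policy (keyword set is a simplification).
KEYWORDS = {"from", "to", "peer", "local", "srcid", "dstid",
            "ikesa", "childsa", "tag"}

HEAD = """\
ikev2 "site2" passive esp \\
    from 10.3.3.1 to 10.2.2.100 \\
    from 10.3.3.0/24 to 10.1.1.0/24 \\
    peer any local any \\
    srcid iked.example.com dstid vyatta.example.com \\
"""
IKESA = "ikesa auth hmac-sha2-256 enc aes-256-ctr group modp2048"
TAIL = """\
    childsa auth hmac-sha2-512 enc aes-256-ctr group modp2048 \\
    tag "$name-$id"
"""
BROKEN_CONF = HEAD + "    #" + IKESA + " \\\n" + TAIL   # as posted
FIXED_CONF = "# disabled: " + IKESA + "\n" + HEAD + TAIL  # comment moved out

def logical_lines(text):
    """Continuations are joined before comments are handled, so a '#'
    runs to the next real newline, not to the end of the physical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        else:
            out.append((buf + raw).strip())
            buf = ""
    return out + ([buf.strip()] if buf else [])

def swallowed_keywords(line):
    """Keywords after the first unquoted '#' of a line that has a
    statement before it; whole-line comments are left alone."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted and line[:i].strip():
            return [w for w in line[i + 1:].split() if w in KEYWORDS]
    return []

def lint(conf):
    """Every option keyword silently dropped anywhere in the config."""
    return [k for ln in logical_lines(conf) for k in swallowed_keywords(ln)]
```

For the posted file the lint reports ikesa, childsa and tag as dropped, so the child SA ciphers and the pf tag never take effect; with the comment moved onto its own line it reports nothing.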