IPsec on enc0: icmp echo requests not decrypted?
Johan Hattne
2018-04-11 18:48:52 UTC
Dear all;

I’m trying to set up IPSec between two hosts; for now I’m not worrying about any networks these hosts might be gatewaying. The OpenBSD 6.2 host at a.a.a.a runs on an old SGI machine and has /etc/ipsec.conf:

ike esp tunnel from a.a.a.a to b.b.b.b local a.a.a.a peer b.b.b.b psk my_secret

The other end is a Linux host running racoon. The tunnel is established, and when pinging from b.b.b.b to a.a.a.a, I can see the packets with tcpdump:

$ tcpdump -nlp -i fxp0 -s 1500 | grep b.b.b.b
tcpdump: listening on fxp0, link-type EN10MB
00:21:58.808868 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 280 len 132 (DF) [tos 0x28]

I can also decrypt the packets. However, nothing shows up on enc0 ("tcpdump -nlp -i enc0 -s 1500" is silent) and consequently, there is no reply to the echo request. pf is involved, but it has

set skip on enc0
pass in on fxp0 proto udp from b.b.b.b to a.a.a.a port {500, 4500}
pass out on fxp0 proto udp from a.a.a.a to b.b.b.b port {500, 4500}

pass in on fxp0 proto esp from b.b.b.b to a.a.a.a
pass out on fxp0 proto esp from a.a.a.a to b.b.b.b

pass in on enc0 proto ipencap from b.b.b.b to a.a.a.a keep state (if-bound)
pass out on enc0 proto ipencap from a.a.a.a to b.b.b.b keep state (if-bound)

I don’t know where to look next. Hints?

// Best wishes; Johan
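A small diagnostic to go with the symptom described above (ESP arrives on fxp0, nothing appears on enc0). This is an added example, not part of the original post: it parses the outer-interface tcpdump lines in the format quoted in the post and correlates them per SPI with enc0 lines, whose format ("(authentic,confidential): SPI 0x...: src > dst: ...") is an assumption about OpenBSD's enc0 output; the capture lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample captures. fxp0 lines follow the format quoted in the post;
# the enc0 line assumes OpenBSD tcpdump's enc0 prefix "(authentic,confidential): SPI 0x...:".
FXP0_CAPTURE = """\
00:21:58.808868 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 280 len 132 (DF) [tos 0x28]
00:21:59.810112 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 281 len 132 (DF) [tos 0x28]
00:22:00.811904 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 282 len 132 (DF) [tos 0x28]
00:22:00.900000 esp a.a.a.a > b.b.b.b spi 0x0a1b2c3d seq 17 len 132 (DF)
"""
ENC0_CAPTURE = """\
00:22:00.900300 (authentic,confidential): SPI 0x0a1b2c3d: a.a.a.a > b.b.b.b: icmp: echo reply
"""

ESP_RE = re.compile(r"^\S+ esp (\S+) > (\S+) spi (0x[0-9a-fA-F]+) seq (\d+)")
ENC_RE = re.compile(r"^\S+ \([a-z,]+\): SPI (0x[0-9a-fA-F]+): (\S+) > (\S+):")

def correlate(fxp0_text, enc0_text):
    """Per SPI: ESP packets seen on the wire vs. cleartext packets seen on enc0."""
    stats = defaultdict(lambda: {"src": None, "dst": None, "esp": 0, "enc": 0, "seqs": []})
    for line in fxp0_text.splitlines():
        m = ESP_RE.match(line)
        if m:
            src, dst, spi, seq = m.groups()
            s = stats[spi.lower()]
            s["src"], s["dst"] = src, dst
            s["esp"] += 1
            s["seqs"].append(int(seq))
    for line in enc0_text.splitlines():
        m = ENC_RE.match(line)
        if m:
            stats[m.group(1).lower()]["enc"] += 1
    return dict(stats)

def undecapsulated_spis(stats):
    """SPIs for which ESP arrived but nothing appeared on enc0: the symptom in the post."""
    return sorted(spi for spi, s in stats.items() if s["esp"] > 0 and s["enc"] == 0)

def seq_gaps(stats, spi):
    """Missing ESP sequence numbers for an SPI (gaps point at loss before this host)."""
    seqs = sorted(set(stats[spi]["seqs"]))
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in seqs] if seqs else []

if __name__ == "__main__":
    st = correlate(FXP0_CAPTURE, ENC0_CAPTURE)
    for spi in undecapsulated_spis(st):
        s = st[spi]
        print(f"SPI {spi} {s['src']} > {s['dst']}: {s['esp']} ESP on fxp0, 0 on enc0, gaps {seq_gaps(st, spi)}")
```

An SPI that shows up here with ESP traffic but no enc0 traffic and no sequence gaps has been received intact, so the problem lies in SA lookup or decapsulation on the receiving host rather than on the path.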