Hosting Provided By

Re: Behaviour of IPsec when there are two flow-pairs between same gateways?

From: Ewen McNeill <ewen(at)naos.co.nz>
Date: Mon Jan 20 2003 - 16:08:40 EST

In message <safzroqu15.fsf@gweepery.epipe.com.au>, Christopher Biggs writes:
>>[IPSec, isakmpd created tunnels, two between same source/dest pair]
>When I bring the second tunnel up, its traffic is also encrypted using

I also noticed the same behaviour, and the same issue with the Cisco refusing the incoming traffic on one or more of the incoming tunnels in this situation. (In fact one of my clients has one set of tunnels, where they can have only one of three tunnels active at any given time, if they want to be certain which one will work. Which is inconvienent because these are dev, live and failover for the same service.)

The issue is that OpenBSD is not using the right outgoing SPI for the traffic for one of the tunnels; it appears to simply use the first SPI for the traffic to that gateway. ISTR when I looked at the source (around the 3.1 days) there was a comment in the relevant file which said that finding the right SPI was non-trivial (perhaps with the current data structures?), and hence the "first match for gateway" approach was used.

OpenBSD seems to be compensatingly relaxed as to the incoming SPI for traffic for any of the tunnels -- so two OpenBSD gateways are able to run several tunnels between them without issues. However the Cisco code in particular is fussy, and wants the right SPI for the incoming traffic, and thus drops the incoming traffic (with a log message) breaking the tunnel.

As far as I'm aware the code hadn't been changed in 3.2 so the same issue presumably still exists. It would be helpful if the SPI-location code could be improved to take the tunnel traffic destination into account as well as the destination gateway.

Ewen

PS: For those following along at home: I do still plan to try building

a between-3.1-and-3.2 kernel and trying the 3C905Bs in my problematic gateway; I just haven't had time between Christmas/New Year, moving house, and so on. Received on Mon Jan 20 18:19:22 2003

Do you need help?

This message: [ Message body ]
Next message: Jason Dixon: "Re: Is There Any OpenBSD Book?"
Previous message: Jakob Schlyter: "ISC BIND 9.2.2rc1 imported"
In reply to Christopher Biggs: "Behaviour of IPsec when there are two flow-pairs between same gateways?"
Next in thread: Angelos D. Keromytis: "Re: Behaviour of IPsec when there are two flow-pairs between same gateways?"
Reply: Angelos D. Keromytis: "Re: Behaviour of IPsec when there are two flow-pairs between same gateways?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:28 EDT