On 2018-01-28, Daniel Ramos <dan...@ramos.id.au> wrote:
> Hi misc,
>
> I've been beating my head against the wall on and off for the last few
> weeks - it's past time to ask for help.
>
> I'm trying to tunnel all internet traffic from my internal network
> (192.168.2.0/24) through another internet-facing machine (10.1.1.0/24)
> using IKEv2. After trying what seems to be every possibility of pf.conf
> and iked.conf combinations, I just can't seem to get it right. My
> closest attempt is to NAT all traffic from 192.168.2.0/24 to appear as
> virtual IP 10.1.1.2 on the other side, which is then NAT'd out to the
> internet as usual. The problem with this config is that ALL traffic,
> including local traffic to 192.168.2.0/24, is tunneled. This is not
> desired because I can no longer access my local gateway (192.168.2.1),
> or any locally hosted services.
>
> What I think I need is to be able to specify something like "from
> 10.1.1.2 (192.168.2.0/24) to !192.168.2.0/24" instead of "...to
> 0.0.0.0/0" in my iked.conf, but this doesn't seem to be valid syntax.
> Nor does limiting the tunnel to certain protos/ports, e.g. ... proto {
> tcp udp } ... port { 53 80 443 }. It seems only one proto and port
> combination is accepted by iked. I tried adding additional flows
> manually - i.e. specifying only proto tcp ... port 80 in iked.conf and
> feeding a file of additional flows via ipsecctl -F, but I receive errors
> about bad syntax - even though I copied the lines from ipsecctl -sa. It
> looks like only IKEv1 syntax is accepted there?
What you need is a "bypass flow", I don't think it can be done from
iked.conf but you can try this in ipsec.conf (adapt addresses as needed):

flow from 192.168.46.48/28 to 192.168.46.48/28 type bypass

ipsecctl -f /etc/ipsec.conf to load it at runtime, ipsec=YES in
rc.conf.local to load at boot.

Please follow up to confirm whether it works for the archive, I've only
done this combined with IKEv1 but I don't see a reason why it wouldn't
work.
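An added example, not from the thread, that applies the reply's suggestion to the asker's 192.168.2.0/24 network and then confirms the bypass flow is actually loaded rather than assuming it. It assumes OpenBSD with iked(8) already tunnelling 0.0.0.0/0; the flow text, ipsecctl -f and ipsec=YES come from the reply, while the function names, the ipsecctl -n parse-only check and the sample ipsecctl -sf output are my own (the sample is constructed).

```shell
# Added example (not the thread's own text). Assumes OpenBSD, iked already
# tunnelling everything to the far end, and the asker's LAN of 192.168.2.0/24.
LAN=192.168.2.0/24
CONF=/etc/ipsec.conf

# Build the ipsec.conf content: a bypass flow for LAN-to-LAN traffic keeps the
# local gateway and local services out of the tunnel.
bypass_conf() {
    printf 'flow from %s to %s type bypass\n' "$1" "$1"
}

# Read `ipsecctl -sf` output on stdin; succeed only when both the inbound and
# the outbound bypass flow for the subnet are present.
bypass_loaded() {
    _out=$(cat)
    for _dir in in out; do
        printf '%s\n' "$_out" | grep -Fq "$_dir from $1 to $1 type bypass" || return 1
    done
    return 0
}

# Write, parse-check, load and persist the flow, then verify it (run as root;
# not invoked here). `ipsecctl -n` only parses the file without loading it.
apply_bypass() {
    bypass_conf "$LAN" > "$CONF"
    ipsecctl -n -f "$CONF" || return 1
    ipsecctl -f "$CONF"
    grep -q '^ipsec=YES' /etc/rc.conf.local 2>/dev/null ||
        echo 'ipsec=YES' >> /etc/rc.conf.local
    ipsecctl -sf | bypass_loaded "$LAN"
}

# Constructed sample of `ipsecctl -sf` output, for checking offline: the two
# bypass flows plus the catch-all tunnel flow that iked installed.
SAMPLE_FLOWS='flow esp in from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow esp out from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow esp out from 10.1.1.2/32 to 0.0.0.0/0 peer 203.0.113.1 type require'
```

Run `printf '%s\n' "$SAMPLE_FLOWS" | bypass_loaded "$LAN"` to exercise the check without touching the system; `apply_bypass` does the real work.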