On Wed, 18 Apr 2018 15:01:24 +0200
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> Hi all,
> 
>  I am trying to configure an ipsec tunnel (host-to-host) between two
> hosts that go through an openbsd firewall. Tunnel is established, but
> when I try to, for example, connect via ssh from one host to the
> other, pf blocks traffic:
> 
> Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> 
>  To do some tests, I have configured the following rules:
> 
> pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
> pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)
> 
> Any idea?

Hard to say without the complete ruleset, but from what I see here, your
rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
while no other rule after that (or one before that with the 'quick'
keyword) permits it.

Check the exact line with pfctl -vvsr. Add either a default 'pass out'
somewhere below (I prefer it at the end of my ruleset, as I have so far
never blocked out stuff I already passed in), or pass out the exact traffic
you need, e.g.:

pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2

Hope this helps,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

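An added example, not part of either message in this thread: a small Python script that parses pflog records in the tcpdump format quoted above, counts blocked ESP/AH packets per rule and flow, and prints the 'pass out' rule of the shape suggested in the reply for each blocked flow. The sample log is constructed to match the thread's format; the rule-7 'pass' record and the reverse-direction flow are assumptions added only to exercise the filtering.

```python
"""Summarise pf 'block' records from pflog (tcpdump -n -e -ttt -i pflog0
style output) and suggest the pass rule that would match each blocked
ESP/AH flow.  Only ESP/AH records are handled; TCP/UDP records use a
different, port-based layout and are skipped."""
import re
from collections import Counter

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[a-z-]+)\) \[uid \d+, pid \d+\] "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[a-z0-9]+): "
    r"(?P<proto>esp|ah) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) spi (?P<spi>0x[0-9a-f]+)"
)

def parse_pflog_line(line):
    """Return the interesting fields of one record, or None if unparsed."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None

def blocked_flows(lines):
    """Count blocked ESP/AH packets per (rule, dir, ifname, proto, src, dst)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(int(rec["rule"]), rec["dir"], rec["ifname"],
                    rec["proto"], rec["src"], rec["dst"])] += 1
    return counts

def suggest_pass_rule(flow):
    """pf.conf rule matching the flow.  pf's last matching rule wins, so it
    must sit after the blocking rule (or carry 'quick') to take effect."""
    _rule, direction, ifname, proto, src, dst = flow
    return f"pass {direction} on {ifname} proto {proto} from {src} to {dst}"

def report(log_text):
    """[(flow, packets_blocked, suggested_rule), ...] sorted by flow."""
    flows = blocked_flows(log_text.splitlines())
    return [(f, n, suggest_pass_rule(f)) for f, n in sorted(flows.items())]

# Constructed sample in the thread's format (rule 7 / reverse flow are assumed).
SAMPLE_LOG = """\
Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
Apr 18 12:53:03.100000 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.55.2 > 172.22.59.6 spi 0x0badcafe seq 1 len 100 (DF)
Apr 18 12:53:04.000000 rule 7/(match) [uid 0, pid 19127] pass in on vio0: esp 172.22.55.2 > 172.22.59.6 spi 0x0badcafe seq 1 len 100 (DF)
"""

if __name__ == "__main__":
    for flow, n, rule in report(SAMPLE_LOG):
        print(f"rule {flow[0]} blocked {n} pkt(s): {rule}")
```

Feed it real output from tcpdump on pflog0 via stdin or a file; the rule numbers it prints correspond to those shown by pfctl -vvsr.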