Hello,

I have a working ikev2 tunnel between two virtual aliased subnets. But there is no
traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
client machine and vice versa. Both machines are in production and
firewalled by PF.

------------------------
# cat /etc/hostname.em1
### server $ext_if
dhcp
inet alias 192.168.5.1 255.255.255.0
------------------------
          |
          | IPsec
          |
------------------------
# cat /etc/hostname.axen0
### client $ext_if
dhcp
inet alias 192.168.6.1 255.255.255.0
------------------------

I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
(after an IP is assigned to both gateways by the ISP's dhcp), but no traffic, though.

server# ping 192.168.6.1
64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
...
client# ping 192.168.5.1
64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
...

The final goal is: all incoming traffic on the server's $ext_if = "em1" for
selected ports 25, 443, 465, 993 etc. must be redirected from the server's
aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
the client's aliased IP 192.168.6.1, so the client can reply to incoming
connections to the remote server via the IPsec LAN.

No routing is needed between the server's and client's 'real' private LANs.
Because of that I've decided to use aliased virtual LANs for IPsec
tunneling. But I'm not sure this is correct.

server# cat /etc/iked.conf
gw_ip      = "em1"
local_lan  = "192.168.5.0/24" # server side virtual subnet, an alias on em1, which obtains its address from dhcp
remote_lan = "192.168.6.0/24" # client virtual subnet, an alias on axen0, which also obtains its address from dhcp
mode       = "passive"

ikev2 "pki-srv" $mode ipcomp esp \
        from $local_lan to $remote_lan \
        local $gw_ip peer any \
        srcid srv-pubkey dstid clnt-pubkey \
        tag "srv.tld.ipsec" \
        tap "enc0"

server# cat /etc/pf.conf
...
ext_if          = em1
ipsec_if        = em1
ipsec_enc_if    = enc0
ipsec_local_lan = "192.168.5.0/24"
ipsec_remote_lan = "192.168.6.0/24"
...
queue rootq on $ext_if bandwidth 100M max 100M
    queue ipsec         parent rootq bandwidth 90M min 70M max 100M
    queue ipsec_users   parent rootq bandwidth 50M min 30M max 60M
    queue bulk          parent rootq bandwidth 10M default
...
block on $ext_if all
block on $ipsec_enc_if all
...

# --- IPsec
pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
{isakmp, ipsec-nat-t}
pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
{isakmp, ipsec-nat-t} keep state

pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
keep state set queue ipsec

pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users

pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
keep state (if-bound)

pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
$ipsec_local_lan keep state (if-bound)
pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
$ipsec_remote_lan keep state (if-bound)
...


client# cat /etc/iked.conf
gw_ip      = "axen0"
local_lan  = "192.168.6.0/24" # client virtual subnet, an alias on axen0, which obtains its address from dhcp
remote_lan = "192.168.5.0/24" # server side virtual subnet, an alias on em1, which obtains its address from dhcp
srv_ip     = "a.b.c.d"        # server's IP; it is the same every time from the ISP's dhcp
mode       = "active"

ikev2 "pki-clnt" $mode ipcomp esp \
        from $local_lan to $remote_lan \
        local $gw_ip peer $srv_ip \
        srcid clnt-pubkey dstid srv-pubkey \
        tag "clnt.tld.ipsec" \
        tap "enc0"

client# cat /etc/pf.conf
...
ext_if          = axen0
ipsec_if        = axen0
ipsec_enc_if    = enc0
ipsec_local_lan = "192.168.6.0/24"
ipsec_remote_lan = "192.168.5.0/24"
...
queue rootq on $ext_if bandwidth 100M max 100M
    queue ipsec         parent rootq bandwidth 90M min 70M max 100M
    queue ipsec_users   parent rootq bandwidth 50M min 30M max 60M
    queue bulk          parent rootq bandwidth 10M default
...
block on $ext_if all
block on $ipsec_enc_if all
...

# --- IPsec
pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
{isakmp, ipsec-nat-t}
pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
{isakmp, ipsec-nat-t} keep state

pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
keep state set queue ipsec

pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users

pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
keep state (if-bound)

pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
$ipsec_local_lan keep state (if-bound)
pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
$ipsec_remote_lan keep state (if-bound)
...

I think there may be something wrong in the PF configuration, or I have
missed or left unfinished something touching IPsec traffic filtering.

Please advise.

Denis
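The port forwarding described in the post needs one thing the quoted pf.conf does not have: the redirected packet must also carry a source address inside 192.168.5.0/24, otherwise it never matches the iked flow "from 192.168.5.0/24 to 192.168.6.0/24" and never enters enc0. The fragment below is an added example of a server-side pf.conf for that, not Denis's configuration and not taken from the post; the macro names srv_vip, clnt_vip and fwd_ports are my own, the addresses and ports are the ones from the post, and the rule set assumes the OpenBSD 4.7+ "match ... rdr-to ... nat-to" translation syntax.

```pf
# Added example (not from the original post): server-side /etc/pf.conf
# fragment forwarding selected ports through the IPsec tunnel to the client.
# srv_vip, clnt_vip and fwd_ports are assumed names; addresses/ports come
# from the post.
ext_if           = "em1"
ipsec_enc_if     = "enc0"
ipsec_local_lan  = "192.168.5.0/24"
ipsec_remote_lan = "192.168.6.0/24"
srv_vip          = "192.168.5.1"        # server's aliased address
clnt_vip         = "192.168.6.1"        # client's aliased address
fwd_ports        = "{ 25 443 465 993 }"

# Translation happens before filtering. A connection arriving on em1 for a
# forwarded port gets its destination rewritten to the client's virtual
# address (rdr-to) AND its source rewritten to the server's virtual address
# (nat-to). The nat-to is what makes the packet match the IPsec flow
# 192.168.5.0/24 -> 192.168.6.0/24; without it the source is the Internet
# peer's address, the SPD lookup finds no flow, and the packet is either
# forwarded in the clear or dropped instead of going into enc0.
match in log on $ext_if inet proto tcp from any to ($ext_if) port $fwd_ports \
    rdr-to $clnt_vip nat-to $srv_vip

# Filter rules see the translated addresses. Keep the enc0 states
# interface-bound so the plaintext leg (enc0) and the ESP leg (em1) are
# tracked separately.
pass in  quick on $ext_if inet proto tcp to $clnt_vip port $fwd_ports \
    keep state (if-bound)
pass out quick on $ipsec_enc_if inet proto tcp from $srv_vip to $clnt_vip \
    port $fwd_ports keep state (if-bound)

# The tunnel itself on the outer interface: the protocol name is "esp",
# not "exp" as in the quoted rule set.
pass in  quick on $ext_if proto udp from any to ($ext_if) port { isakmp ipsec-nat-t }
pass out quick on $ext_if proto udp from ($ext_if) to any port { isakmp ipsec-nat-t } keep state
pass in  quick on $ext_if proto esp from any to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then `ipsecctl -sf` on the server to confirm the flow pair, and `tcpdump -ni enc0` while connecting to one of the ports from outside: the packets on enc0 should show source 192.168.5.1 and destination 192.168.6.1. On the client nothing beyond the quoted enc0 rules is needed, but the services must listen on 192.168.6.1, and their replies go back through the tunnel because their destination 192.168.5.1 matches the client's own flow. One consequence of the nat-to worth knowing about: the client's daemons only ever see 192.168.5.1 as the peer, so the original source address of each connection survives only in the server's pf log (hence the `log` keyword on the match rule).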
