Johan, do I have to remove these two rules, or modify them by removing ipencap?
pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
    keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
    keep state (if-bound)

On 5/12/2018 10:11 AM, Johan Hattne wrote:
>
>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>
>> Hello,
>>
>> I have a working ikev2 tunnel between two virtual aliased subnets. But there is no
>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>> client machine and vice versa. Both machines are used in production and
>> firewalled by PF.
>>
>> ------------------------
>> # cat /etc/hostname.em1
>> ### server $ext_if
>> dhcp
>> alias 192.168.5.1
>> 255.255.255.0
>> ------------------------
>>             |
>>             | IPsec
>>             |
>> ------------------------
>> # cat /etc/hostname.axen0
>> ### client $ext_if
>> dhcp
>> alias 192.168.6.1
>> 255.255.255.0
>> ------------------------
>>
>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>> (after IPs are assigned to both gateways by the ISP's dhcp), but no traffic goes through.
>>
>> server# ping 192.168.6.1
>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
>> ...
>> client# ping 192.168.5.1
>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
>> ...
>>
>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services on the
>> aliased client IP 192.168.6.1, so the client can reply to incoming
>> connections to the remote server via the IPsec LAN.
>>
>> No routing is needed between the server's / client's 'real' private LANs.
>> Because of that I've decided to use aliased virtual LANs for IPsec
>> tunneling. But I'm not sure about the correctness of this.
>>
>> server# cat /etc/iked.conf
>> gw_ip = "em1"
>> local_lan = "192.168.5.0/24"   # server side virtual subnet alias to em1, which obtains an address from dhcp
>> remote_lan = "192.168.6.0/24"  # client virtual subnet alias to axen0, which obtains an address from dhcp too
>> mode = "passive"
>>
>> ikev2 "pki-srv" $mode ipcomp esp \
>>     from $local_lan to $remote_lan \
>>     local $gw_ip peer any \
>>     srcid srv-pubkey dstid clnt-pubkey \
>>     tag "srv.tld.ipsec" \
>>     tap "enc0"
>>
>> server# cat /etc/pf.conf
>> ...
>> ext_if = em1
>> ipsec_if = em1
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.5.0/24"
>> ipsec_remote_lan = "192.168.6.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>> queue bulk parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>     {isakmp, ipsec-nat-t}
>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>     {isakmp, ipsec-nat-t} keep state
>>
>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>     keep state set queue ipsec
>>
>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>     keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>     keep state (if-bound)
>>
>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>     $ipsec_local_lan keep state (if-bound)
>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>     $ipsec_remote_lan keep state (if-bound)
>> ...
>>
>>
>> client# cat /etc/iked.conf
>> gw_ip = "axen0"
>> local_lan = "192.168.6.0/24"   # client virtual subnet alias to axen0, which obtains an address from dhcp
>> remote_lan = "192.168.5.0/24"  # server side virtual subnet alias to em0, which obtains an address from dhcp
>> srv_ip = "a.b.c.d"             # server's IP is the same each time from the ISP's dhcp
>> mode = "active"
>>
>> ikev2 "pki-clnt" $mode ipcomp esp \
>>     from $local_lan to $remote_lan \
>>     local $gw_ip peer $srv_ip \
>>     srcid clnt-pubkey dstid srv-pubkey \
>>     tag "clnt.tld.ipsec" \
>>     tap "em0"
>>
>> client# cat /etc/pf.conf
>> ...
>> ext_if = axen0
>> ipsec_if = axen0
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.6.0/24"
>> ipsec_remote_lan = "192.168.5.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>> queue bulk parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>     {isakmp, ipsec-nat-t}
>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>     {isakmp, ipsec-nat-t} keep state
>>
>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>     keep state set queue ipsec
>>
>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>     keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>     keep state (if-bound)
>>
>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>     $ipsec_local_lan keep state (if-bound)
>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>     $ipsec_remote_lan keep state (if-bound)
>> ...
>>
>> I think something may be wrong in the PF configuration, or
>> the IPsec traffic filtering is missing/unfinished.
>>
>> Please advise.
>
> Do you not need a "proto ipencap" on the last two pass rules that permit
> traffic between your LANs?
>
> // Johan
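Whether the two `proto ipencap` rules on enc0 ever see a packet is something `pfctl -vvsr` answers directly: it prints a `[ Evaluations: ... Packets: ... ]` line under each rule. The script below is an added example, not code from the thread or from OpenBSD; it parses that counter output and lists the rules on a given interface that have been evaluated but never matched a packet. The `pfctl -vvsr` sample it embeds is constructed for the example (the `@N` rule numbers, counters and the 203.0.113.10 address are made up), and the parser assumes the output layout shown there.

```python
"""Find pf rules on an interface that are evaluated but never match.

Added example for reading `pfctl -vvsr` counters on OpenBSD; the sample
output below is constructed, not captured from the machines in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `pfctl -vvsr` output: the two ipencap rules on enc0 have been
# evaluated thousands of times but matched nothing, while the plain LAN-to-LAN
# rules carry traffic. Addresses and counters are invented for this example.
SAMPLE_PFCTL_VVSR = """\
@0 pass in quick on enc0 inet proto ipencap from any to (em1) keep state (if-bound)
  [ Evaluations: 4821      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
@1 pass out quick on enc0 inet proto ipencap from (em1) to any keep state (if-bound)
  [ Evaluations: 4821      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
@2 pass in quick on enc0 inet from 192.168.6.0/24 to 192.168.5.0/24 flags S/SA keep state (if-bound)
  [ Evaluations: 4821      Packets: 312       Bytes: 26208       States: 2     ]
  [ Inserted: uid 0 pid 12345 State Creations: 6     ]
@3 pass out quick on enc0 inet from 192.168.5.0/24 to 192.168.6.0/24 flags S/SA keep state (if-bound)
  [ Evaluations: 4509      Packets: 298       Bytes: 25032       States: 2     ]
  [ Inserted: uid 0 pid 12345 State Creations: 6     ]
@4 block drop on em1 all
  [ Evaluations: 9210      Packets: 44        Bytes: 3520        States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
"""

# A rule line starts at column 0, optionally prefixed by "@<number>" (-vv).
RULE_RE = re.compile(r"^(?:@(?P<num>\d+)\s+)?(?P<rule>(?:pass|block|match)\b.*)$")
# The first bracketed line under a rule carries the per-rule counters.
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)"
    r"\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]"
)
# "on <iface>" names the interface the rule is bound to.
IFACE_RE = re.compile(r"\bon\s+(?P<iface>\S+)")


@dataclass
class RuleStats:
    number: Optional[int]
    text: str
    iface: Optional[str]
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0
    states: int = 0


def parse_pfctl_vvsr(output: str) -> List[RuleStats]:
    """Turn `pfctl -vvsr` text into one RuleStats per rule."""
    rules: List[RuleStats] = []
    current: Optional[RuleStats] = None
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            text = m.group("rule")
            im = IFACE_RE.search(text)
            current = RuleStats(
                number=int(m.group("num")) if m.group("num") is not None else None,
                text=text,
                iface=im.group("iface") if im else None,
            )
            rules.append(current)
            continue
        cm = COUNTER_RE.match(line)
        if cm and current is not None:
            current.evaluations = int(cm.group("evals"))
            current.packets = int(cm.group("pkts"))
            current.bytes = int(cm.group("bytes"))
            current.states = int(cm.group("states"))
    return rules


def unmatched_rules(rules: List[RuleStats], iface: str) -> List[RuleStats]:
    """Rules on `iface` that pf has evaluated but that never matched a packet.

    A rule with zero evaluations is simply never reached (an earlier `quick`
    rule won), so it is not reported; a rule with evaluations but no packets
    is one whose match criteria never fit the traffic actually on the interface.
    """
    return [r for r in rules if r.iface == iface and r.evaluations > 0 and r.packets == 0]


def report(output: str, iface: str) -> List[str]:
    """Human-readable summary lines for the never-matching rules on `iface`."""
    return [f"@{r.number} never matched ({r.evaluations} evaluations): {r.text}"
            for r in unmatched_rules(parse_pfctl_vvsr(output), iface)]


if __name__ == "__main__":
    for line in report(SAMPLE_PFCTL_VVSR, "enc0"):
        print(line)
```

On the real firewall, feed it `pfctl -vvsr` output instead of the sample (for instance `pfctl -vvsr | python3 pfcounters.py`, after swapping the `__main__` block for `sys.stdin.read()`); `pfctl -z` zeroes the per-rule counters first so that a fresh ping across the tunnel shows exactly which enc0 rules it hits. Pairing that with `tcpdump -n -i enc0` shows what the decapsulated packets on enc0 actually look like, which is the evidence needed to decide whether a `proto ipencap` qualifier belongs on any enc0 rule at all.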