Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong.
What about logging blocked packets

  block log (all, to pflog0)

in pf.conf and dumping it

  # tcpdump -en -i pflog0

while doing what you expect should work?

// Johan
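Added example, not from the thread or from either poster: a small POSIX sh/awk helper that tallies the blocked packets Johan suggests dumping from pflog0, grouped by interface, direction, matching rule number and destination port, so the block rule eating the traffic that should cross enc0 can be spotted at a glance. The sample lines are constructed in the `tcpdump -en -i pflog0` output format, not captured from Denis' hosts; the rule numbers, ports and addresses in them are made up.

```sh
#!/bin/sh
# Constructed sample of `tcpdump -en -i pflog0` output (made up for this
# example, not captured from the poster's machines): a few SYNs blocked on
# enc0 by rule 5 and one unrelated SYN blocked on em1 by rule 2.
SAMPLE_PFLOG='12:00:01.000001 rule 5/(match) block in on enc0: 192.168.6.1.41822 > 192.168.5.1.25: S 1:1(0) win 16384
12:00:01.000002 rule 5/(match) block in on enc0: 192.168.6.1.41823 > 192.168.5.1.443: S 1:1(0) win 16384
12:00:02.000003 rule 2/(match) block in on em1: 203.0.113.7.51000 > 198.51.100.9.22: S 1:1(0) win 65535
12:00:02.000004 rule 5/(match) block in on enc0: 192.168.6.1.41824 > 192.168.5.1.993: S 1:1(0) win 16384'

# summarize_pflog: read tcpdump -en pflog lines on stdin and print one line per
# (interface, direction, rule number, destination port) with its packet count.
# Field layout of a pflog line as printed with -e:
#   $1 time  $2 "rule"  $3 "N/(match)"  $4 action  $5 dir  $6 "on"
#   $7 "iface:"  $8 src  $9 ">"  $10 "dst:"  ...
summarize_pflog() {
  awk '
    $2 == "rule" && $4 == "block" {
      split($3, r, "/")                   # "5/(match)" -> r[1] = "5"
      iface = $7; sub(/:$/, "", iface)    # "enc0:" -> "enc0"
      dst = $10;  sub(/:$/, "", dst)      # "192.168.5.1.25:" -> "192.168.5.1.25"
      n = split(dst, d, ".")
      dport = (n > 4) ? d[n] : "-"        # a bare address (ICMP, ESP) has no port
      key = iface " " $5 " " r[1] " " dport
      count[key]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# count_blocked_on IFACE: number of blocked packets logged on that interface.
count_blocked_on() {
  awk -v ifc="$1" '
    $2 == "rule" && $4 == "block" && $7 == (ifc ":") { n++ }
    END { print n + 0 }
  '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf 'blocked on enc0: %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | count_blocked_on enc0)"
```

Against a live system, feed it a bounded capture (`tcpdump -en -c 200 -i pflog0 | summarize_pflog`) or the on-disk log (`tcpdump -en -r /var/log/pflog | summarize_pflog`), since awk only prints its totals at end of input. The rule number in the first column is the one `pfctl -vvsr` shows as `@N`, which tells you exactly which `block` rule matched rather than guessing from the rule order.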

> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
> 
> Johan,
> 
> Do I have to remove these two rules or modify them by removing ipencap?
> 
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
> keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
> keep state (if-bound)
> 
> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>> 
>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>> 
>>> Hello,
>>> 
>>> I have a working ikev2 tunnel between two virtual aliased subnets. But no
>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on
>>> the client machine and vice versa. Both machines are in production and
>>> firewalled by PF.
>>> 
>>> ------------------------
>>> # cat /etc/hostname.em1
>>> ### server $ext_if
>>> dhcp
>>> alias 192.168.5.1
>>> 255.255.255.0
>>> ------------------------
>>>       |
>>>       | IPsec
>>>       |
>>> ------------------------
>>> # cat /etc/hostname.axen0
>>> ### client $ext_if
>>> dhcp
>>> alias 192.168.6.1
>>> 255.255.255.0
>>> ------------------------
>>> 
>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>>> (after IPs are assigned to both gateways by the ISP's dhcp), but no traffic though.
>>> 
>>> server# ping 192.168.6.1
>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>> ...
>>> client# ping 192.168.5.1
>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>> ...
>>> 
>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>>> the aliased client IP 192.168.6.1, so the client can reply to incoming
>>> connections to the remote server via the IPsec LAN.
>>> 
>>> No routing is needed between the server's / client's 'real' private LANs.
>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>> tunneling. But I'm not sure about the correctness of this.
>>> 
>>> server# cat /etc/iked.conf
>>> gw_ip         = "em1"
>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>> which obtains an address from dhcp
>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>> which obtains an address from dhcp too.
>>> mode          = "passive"
>>> 
>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip peer any \
>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>     tag "srv.tld.ipsec" \
>>>     tap "enc0"
>>> 
>>> server# cat /etc/pf.conf
>>> ...
>>> ext_if              = em1
>>> ipsec_if    = em1
>>> ipsec_enc_if        = enc0
>>> ipsec_local_lan = "192.168.5.0/24"
>>> ipsec_remote_lan = "192.168.6.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>   queue ipsec               parent rootq bandwidth 90M min 70M max 100M
>>>   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>   queue bulk                parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>> 
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>> {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>> {isakmp, ipsec-nat-t} keep state
>>> 
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>> keep state set queue ipsec
>>> 
>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>> 
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>> keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>> keep state (if-bound)
>>> 
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>> $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>> $ipsec_remote_lan keep state (if-bound)
>>> ...
>>> 
>>> 
>>> client# cat /etc/iked.conf
>>> gw_ip         = "axen0"
>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>> which obtains an address from dhcp
>>> remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 \
>>> which obtains an address from dhcp
>>> srv_ip        = "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>>> mode          = "active"
>>> 
>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip peer $srv_ip \
>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>     tag "clnt.tld.ipsec" \
>>>     tap "em0"
>>> 
>>> client# cat /etc/pf.conf
>>> ...
>>> ext_if              = axen0
>>> ipsec_if    = axen0
>>> ipsec_enc_if        = enc0
>>> ipsec_local_lan = "192.168.6.0/24"
>>> ipsec_remote_lan = "192.168.5.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>   queue ipsec               parent rootq bandwidth 90M min 70M max 100M
>>>   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>   queue bulk                parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>> 
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>> {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>> {isakmp, ipsec-nat-t} keep state
>>> 
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>> keep state set queue ipsec
>>> 
>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>> 
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>> keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>> keep state (if-bound)
>>> 
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>> $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>> $ipsec_remote_lan keep state (if-bound)
>>> ...
>>> 
>>> I think there can be something wrong in the PF configuration or something
>>> missed/unfinished touching IPsec traffic filtering.
>>> 
>>> Please advise.
>> 
>> Do you not need a “proto ipencap” on the last two pass rules that permit
>> traffic between your LANs?
>> 
>> // Johan
>> 
> 