Incoming connections to the client's IP (192.168.6.1) are established and seem to be redirected to lo0:port, but the outgoing connection from the client's lo0 to the server's IP (192.168.5.1) is blocked, according to

# tcpdump -en -i pflog0

output:

...
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384 <mss...
...

Do I need to add a NAT rule to have the reply passed to the server's source IP (192.168.5.1), or what?

Thanks.
Denis

On 5/13/2018 7:12 PM, Johan Hattne wrote:
> Nah, sorry, I misread your rules—on second look, I don't see what's gone
> wrong. What about logging blocked packets
>
>   block log (all, to pflog0)
>
> in pf.conf and dumping it
>
>   # tcpdump -en -i pflog0
>
> while doing what you expect should work?
>
> // Johan
>
>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>
>> Johan,
>>
>> Do I have to remove these two rules or modify them by removing ipencap?
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>     keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>     keep state (if-bound)
>>
>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>
>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have a working ikev2 tunnel between two virtual aliased subnets. But no
>>>> traffic goes over the IPsec tunnel from $ext_if on the server machine to
>>>> $ext_if on the client machine, and vice versa. Both machines are used in
>>>> production and firewalled by PF.
>>>>
>>>> ------------------------
>>>> # cat /etc/hostname.em1
>>>> ### server $ext_if
>>>> dhcp
>>>> alias 192.168.5.1 255.255.255.0
>>>> ------------------------
>>>>            |
>>>>            | IPsec
>>>>            |
>>>> ------------------------
>>>> # cat /etc/hostname.axen0
>>>> ### client $ext_if
>>>> dhcp
>>>> alias 192.168.6.1 255.255.255.0
>>>> ------------------------
>>>>
>>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the
>>>> tunnel (after an IP is assigned to both gateways by the ISP's dhcp), but
>>>> no traffic, though.
>>>>
>>>> server# ping 192.168.6.1
>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>> ...
>>>> client# ping 192.168.5.1
>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>> ...
>>>>
>>>> The final goal is: all incoming traffic on the server's $ext_if = "em1"
>>>> for selected ports 25, 443, 465, 993 etc. must be redirected from the
>>>> aliased server's IP 192.168.5.1 through the IPsec tunnel to the
>>>> appropriate services on the aliased client's IP 192.168.6.1. So the client
>>>> can reply to incoming connections to the remote server via the IPsec LAN.
>>>>
>>>> No routing is needed between the server's / client's 'real' private LANs.
>>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>>> tunneling. But I'm not sure about the correctness of this.
>>>>
>>>> server# cat /etc/iked.conf
>>>> gw_ip = "em1"
>>>> local_lan = "192.168.5.0/24"  # server side virtual subnet alias to em1 \
>>>>                                 which obtains an address from dhcp
>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>                                 which obtains an address from dhcp too.
>>>> mode = "passive"
>>>>
>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>     from $local_lan to $remote_lan \
>>>>     local $gw_ip peer any \
>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>     tag "srv.tld.ipsec" \
>>>>     tap "enc0"
>>>>
>>>> server# cat /etc/pf.conf
>>>> ...
>>>> ext_if = em1
>>>> ipsec_if = em1
>>>> ipsec_enc_if = enc0
>>>> ipsec_local_lan = "192.168.5.0/24"
>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>> ...
>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>> queue bulk parent rootq bandwidth 10M default
>>>> ...
>>>> block on $ext_if all
>>>> block on $ipsec_enc_if all
>>>> ...
>>>>
>>>> # --- IPsec
>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>     {isakmp, ipsec-nat-t}
>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>     {isakmp, ipsec-nat-t} keep state
>>>>
>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>     keep state set queue ipsec
>>>>
>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>     keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>     keep state (if-bound)
>>>>
>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>     $ipsec_local_lan keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>     $ipsec_remote_lan keep state (if-bound)
>>>> ...
>>>>
>>>>
>>>> client# cat /etc/iked.conf
>>>> gw_ip = "axen0"
>>>> local_lan = "192.168.6.0/24"  # client virtual subnet alias to axen0 \
>>>>                                 which obtains an address from dhcp
>>>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>>>>                                 which obtains an address from dhcp
>>>> srv_ip = "a.b.c.d"            # server's IP is the same each time from ISP's dhcp
>>>> mode = "active"
>>>>
>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>     from $local_lan to $remote_lan \
>>>>     local $gw_ip peer $srv_ip \
>>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>>     tag "clnt.tld.ipsec" \
>>>>     tap "em0"
>>>>
>>>> client# cat /etc/pf.conf
>>>> ...
>>>> ext_if = axen0
>>>> ipsec_if = axen0
>>>> ipsec_enc_if = enc0
>>>> ipsec_local_lan = "192.168.6.0/24"
>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>> ...
>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>> queue bulk parent rootq bandwidth 10M default
>>>> ...
>>>> block on $ext_if all
>>>> block on $ipsec_enc_if all
>>>> ...
>>>>
>>>> # --- IPsec
>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>     {isakmp, ipsec-nat-t}
>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>     {isakmp, ipsec-nat-t} keep state
>>>>
>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>     keep state set queue ipsec
>>>>
>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>     keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>     keep state (if-bound)
>>>>
>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>     $ipsec_local_lan keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>     $ipsec_remote_lan keep state (if-bound)
>>>> ...
>>>>
>>>> I think there may be something wrong in the PF configuration, or
>>>> something missed/unfinished regarding IPsec traffic filtering.
>>>>
>>>> Please advise.
>>>
>>> Do you not need a "proto ipencap" on the last two pass rules that permit
>>> traffic between your LANs?
>>>
>>> // Johan
>>>
>>
>
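An added example, not part of the thread: a small parser for the one-line records that `tcpdump -en -i pflog0` prints (the logging approach Johan suggests), which flags the symptom Denis reports, a blocked outbound packet sourced from 127.0.0.1 on a non-loopback interface such as axen0. The log lines below are constructed in the shape of the thread's output; both the `host.port` form OpenBSD's tcpdump prints and the `host:port` form quoted in the thread are accepted.

```python
import re

# One tcpdump pflog0 record, e.g.
#   rule 14/(match) block out on axen0: 127.0.0.1.443 > 192.168.5.1.51234: S ...
# Host/port may be separated by '.' or ':'; a leading timestamp is ignored.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return rule/action/dir/ifname/src/sport/dst/dport as a dict, or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def find_loopback_leaks(lines):
    """Blocked outbound packets whose source is 127/8 on a non-lo interface.
    Such a packet is a reply from a locally redirected service that still
    carries the loopback address instead of the host's tunnel alias, so the
    peer could never match it to its state even if pf passed it."""
    leaks = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if (rec["action"] == "block" and rec["dir"] == "out"
                and rec["src"].startswith("127.")
                and not rec["ifname"].startswith("lo")):
            leaks.append(rec)
    return leaks

# Constructed sample records (not captured from the thread's hosts)
SAMPLE_LOG = """\
rule 14/(match) block out on axen0: 127.0.0.1.443 > 192.168.5.1.51234: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460>
rule 9/(match) pass in on axen0: 192.168.5.1.51234 > 192.168.6.1.443: S 896868768:896868768(0) win 65535
rule 14/(match) block out on axen0: 127.0.0.1:993 > 192.168.5.1:40000: S 1:1(0) ack 2 win 16384
rule 3/(match) block in on enc0: 10.0.0.7.1234 > 192.168.6.1.25: S 5:5(0) win 1024
""".splitlines()

if __name__ == "__main__":
    for r in find_loopback_leaks(SAMPLE_LOG):
        print(f"rule {r['rule']}: {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} blocked out on {r['ifname']}")
```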