I don’t know that outgoing traffic from lo is expected to go through the tunnel. If you’re doing these tests with ping, does e.g.

server$ ping -I 192.168.6.1 192.168.5.1

yield the expected results? I’d expect ping responses, and tcpdump on the enc interfaces on both sides to show both the request and the response.

// Johan

> On May 14, 2018, at 07:34, Denis <den...@mindall.org> wrote:
>
> I have added to /etc/pf.conf:
>
> $ipsec_if = "axen0"
> $ipsec_remote_lan = "192.168.5.0/24"
>
> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>
> but outgoing traffic from the client's lo0 is blocked anyway:
>
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>
> Denis
>
> On 5/14/2018 2:17 PM, Denis wrote:
>> Incoming connections to the client's IP (192.168.6.1) are established and
>> seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
>> to the server's IP (192.168.5.1) is blocked according to
>>
>> # tcpdump -en -i pflog0 output:
>>
>> ...
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>> ...
>>
>> Do I need to add a NAT rule to have the reply passed to the server's source IP
>> (192.168.5.1) or what?
>>
>> Thanks.
>>
>> Denis
>>
>>
>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone
>>> wrong. What about logging blocked packets
>>>
>>> block log (all, to pflog0)
>>>
>>> in pf.conf and dumping it
>>>
>>> # tcpdump -en -i pflog0
>>>
>>> while doing what you expect should work?
>>>
>>> // Johan
>>>
>>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>>
>>>> Johan,
>>>>
>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>     keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>     keep state (if-bound)
>>>>
>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>
>>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have a working ikev2 tunnel between two virtual aliased subnets. But no
>>>>>> traffic goes over the IPsec tunnel from $ext_if on the server machine to $ext_if
>>>>>> on the client machine and vice versa. Both machines are used in production and
>>>>>> firewalled by PF.
>>>>>>
>>>>>> ------------------------
>>>>>> # cat /etc/hostname.em1
>>>>>> ### server $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.5.1 255.255.255.0
>>>>>> ------------------------
>>>>>>            |
>>>>>>            | IPsec
>>>>>>            |
>>>>>> ------------------------
>>>>>> # cat /etc/hostname.axen0
>>>>>> ### client $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.6.1 255.255.255.0
>>>>>> ------------------------
>>>>>>
>>>>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>>>>>> (after IPs are assigned to both gateways by the ISP's dhcp), but no traffic
>>>>>> though.
>>>>>>
>>>>>> server# ping 192.168.6.1
>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
>>>>>> ...
>>>>>> client# ping 192.168.5.1
>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
>>>>>> ...
>>>>>>
>>>>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>>>>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>>>>>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>>>>>> the aliased client IP 192.168.6.1, so the client can reply to incoming
>>>>>> connections to the remote server via the IPsec LAN.
>>>>>>
>>>>>> No routing is needed between the server's / client's 'real' private LANs.
>>>>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>>>>> tunneling. But I'm not sure about the correctness of this.
>>>>>>
>>>>>> server# cat /etc/iked.conf
>>>>>> gw_ip = "em1"
>>>>>> local_lan = "192.168.5.0/24"   # server side virtual subnet, alias on em1 \
>>>>>>                                 which obtains an address from dhcp
>>>>>> remote_lan = "192.168.6.0/24"  # client virtual subnet, alias on axen0 \
>>>>>>                                 which obtains an address from dhcp too
>>>>>> mode = "passive"
>>>>>>
>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>     from $local_lan to $remote_lan \
>>>>>>     local $gw_ip peer any \
>>>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>>>     tag "srv.tld.ipsec" \
>>>>>>     tap "enc0"
>>>>>>
>>>>>> server# cat /etc/pf.conf
>>>>>> ...
>>>>>> ext_if = em1
>>>>>> ipsec_if = em1
>>>>>> ipsec_enc_if = enc0
>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>> ...
>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>> ...
>>>>>> block on $ext_if all
>>>>>> block on $ipsec_enc_if all
>>>>>> ...
>>>>>>
>>>>>> # --- IPsec
>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>     {isakmp, ipsec-nat-t}
>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>     {isakmp, ipsec-nat-t} keep state
>>>>>>
>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>>     keep state set queue ipsec
>>>>>>
>>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>     keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>     keep state (if-bound)
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>     $ipsec_local_lan keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>     $ipsec_remote_lan keep state (if-bound)
>>>>>> ...
>>>>>>
>>>>>>
>>>>>> client# cat /etc/iked.conf
>>>>>> gw_ip = "axen0"
>>>>>> local_lan = "192.168.6.0/24"   # client virtual subnet, alias on axen0 \
>>>>>>                                 which obtains an address from dhcp
>>>>>> remote_lan = "192.168.5.0/24"  # server side virtual subnet, alias on em0 \
>>>>>>                                 which obtains an address from dhcp
>>>>>> srv_ip = "a.b.c.d"             # server's IP is the same each time from the ISP's dhcp
>>>>>> mode = "active"
>>>>>>
>>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>>     from $local_lan to $remote_lan \
>>>>>>     local $gw_ip peer $srv_ip \
>>>>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>>>>     tag "clnt.tld.ipsec" \
>>>>>>     tap "em0"
>>>>>>
>>>>>> client# cat /etc/pf.conf
>>>>>> ...
>>>>>> ext_if = axen0
>>>>>> ipsec_if = axen0
>>>>>> ipsec_enc_if = enc0
>>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>>> ...
>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>> ...
>>>>>> block on $ext_if all
>>>>>> block on $ipsec_enc_if all
>>>>>> ...
>>>>>>
>>>>>> # --- IPsec
>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>     {isakmp, ipsec-nat-t}
>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>     {isakmp, ipsec-nat-t} keep state
>>>>>>
>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>>     keep state set queue ipsec
>>>>>>
>>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>     keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>     keep state (if-bound)
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>     $ipsec_local_lan keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>     $ipsec_remote_lan keep state (if-bound)
>>>>>> ...
>>>>>>
>>>>>> I think something can be wrong in the PF configuration, or
>>>>>> the filtering of IPsec traffic is missing/unfinished.
>>>>>>
>>>>>> Please advise.
>>>>>
>>>>> Do you not need a “proto ipencap” on the last two pass-rules that permit
>>>>> traffic between your LANs?
>>>>>
>>>>> // Johan
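Johan's remark that traffic from lo is not expected to go through the tunnel can be checked mechanically: an outbound packet is only handed to IPsec when its source and destination fall inside a flow's "from ... to ..." selectors (the iked.conf "from $local_lan to $remote_lan"), in which case pf filters it on enc0 in cleartext and then on the physical interface as ESP; a packet outside every flow leaves the physical interface as plain IP and is filtered there. The script below is an added example, not code from the thread or from OpenBSD. It takes pflog lines of the kind posted in the thread, extracts the source and destination addresses, and reports whether the pair is covered by the client's flow. The flow selectors are the ones from the thread; the sample pflog lines, their port numbers and the "rule 3" pass line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the src/dst of a pflog
# line fall inside the IPsec flow selectors. Packets outside the selectors
# never enter the tunnel and are filtered on the physical interface instead
# of enc0.

# Flow selectors as configured on the client in the thread (assumed to be the
# only flow). On a real host take them from "ipsecctl -s flow" instead.
FLOW_SRC="192.168.6.0/24"
FLOW_DST="192.168.5.0/24"

# Constructed sample of "tcpdump -en -i pflog0" output. The first line is the
# blocked SYN/ACK from the thread with example ports filled in; the second is
# what the same reply looks like when sourced from the aliased address.
SAMPLE_PFLOG='rule 14/(match) block out on axen0: 127.0.0.1.993 > 192.168.5.1.51234: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460>
rule 3/(match) pass out on enc0: 192.168.6.1.993 > 192.168.5.1.51234: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460>'

# ip2int DOTTED -> print the IPv4 address as a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside NET/PREFIX.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# pflog_addrs LINE -> print "SRC DST" (ports stripped) for one pflog line.
# Handles both the "a.b.c.d.port" form tcpdump prints and the "a.b.c.d:port"
# form used in the thread; prints nothing usable if no "src > dst" is found.
pflog_addrs() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        ip = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
        match(src, ip); src = substr(src, RSTART, RLENGTH)
        match(dst, ip); dst = substr(dst, RSTART, RLENGTH)
        print src, dst
    }'
}

# flow_verdict LINE -> "tunnel" when the packet is covered by the flow,
# "plain" when it bypasses the tunnel, "unparsed" when no addresses were found.
flow_verdict() {
    set -- $(pflog_addrs "$1")
    [ $# -eq 2 ] || { echo unparsed; return; }
    if in_cidr "$1" "$FLOW_SRC" && in_cidr "$2" "$FLOW_DST"; then
        echo tunnel
    else
        echo plain
    fi
}

# Stand-alone run over the constructed sample: the 127.0.0.1 reply is
# reported as "plain", the 192.168.6.1 reply as "tunnel".
printf '%s\n' "$SAMPLE_PFLOG" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(flow_verdict "$line")" "$line"
done
```

On the live client the same functions can be fed the output of the thread's `tcpdump -en -i pflog0` and the selectors from `ipsecctl -s flow`; the number in `rule 14/(match)` is the rule's position in the loaded ruleset, which `pfctl -vvsr` prints as the `@14` prefix, so the blocking rule can be identified without guessing. A "plain" verdict for a packet that was meant to be tunnelled means the problem is the address pair, not the enc0 rules.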