I don’t know that outgoing traffic from lo is expected to go through the 
tunnel.  If you’re doing these tests with ping, does e.g.

  server$ ping -I 192.168.6.1 192.168.5.1

yield the expected results?  I’d expect ping responses, and tcpdump on the enc 
interfaces on both sides to show both the request and the response.

// Johan 

> On May 14, 2018, at 07:34, Denis <den...@mindall.org> wrote:
> 
> I have added to /etc/pf.conf:
> 
> $ipsec_if = "axen0"
> $ipsec_remote_lan = "192.168.5.0/24"
> 
> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
> 
> but outgoing traffic from client's lo0 is blocked anyway:
> 
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
> 
> Denis
> 
> On 5/14/2018 2:17 PM, Denis wrote:
>> Incoming connections to client's IP (192.168.6.1) are established and
>> seem redirected to lo0:port, but outgoing connections from client's lo0
>> to the server's IP (192.168.5.1) are blocked according to
>> 
>> # tcpdump -en -i pflog0 output:
>> 
>> ...
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>> ...
>> 
>> Do I need to add a NAT rule to have reply passed to server's source IP
>> (192.168.5.1) or what?
>> 
>> Thanks.
>> 
>> Denis
>> 
>> 
>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
>>> wrong.  What about logging blocked packets
>>> 
>>>  block log (all, to pflog0)
>>> 
>>> in pf.conf and dumping it
>>> 
>>>  # tcpdump -en -i pflog0
>>> 
>>> while doing what you expect should work?
>>> 
>>> // Johan
>>> 
>>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>> 
>>>> Johan,
>>>> 
>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>> 
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>> keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>> keep state (if-bound)
>>>> 
>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>> 
>>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> I have a working ikev2 tunnel between two virtual aliased subnets. But no
>>>>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>>>>>> client machine and vice-versa. Both machines are used in production and
>>>>>> firewalled by PF.
>>>>>> 
>>>>>> ------------------------
>>>>>> # cat /etc/hostname.em1
>>>>>> ### server $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.5.1
>>>>>> 255.255.255.0
>>>>>> ------------------------
>>>>>>    |
>>>>>>    | IPsec
>>>>>>    |
>>>>>> ------------------------
>>>>>> # cat /etc/hostname.axen0
>>>>>> ### client $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.6.1
>>>>>> 255.255.255.0
>>>>>> ------------------------
>>>>>> 
>>>>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel
>>>>>> (after IP assigned to both gateways by ISP's dhcp), but no traffic 
>>>>>> though.
>>>>>> 
>>>>>> server# ping 192.168.6.1
>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>>> ...
>>>>>> client# ping 192.168.5.1
>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>>>> ...
>>>>>> 
>>>>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for
>>>>>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>>>>>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>>>>>> the aliased client IP 192.168.6.1. So the client can reply to incoming
>>>>>> connections to the remote server via the IPsec LAN.
>>>>>> 
>>>>>> No routing is needed between server's / client's 'real' private LANs.
>>>>>> Because of that I've decided to use aliased virtual lans for IPsec
>>>>>> tunneling. But I'm not sure about correctness of this.
>>>>>> 
>>>>>> server# cat /etc/iked.conf
>>>>>> gw_ip      = "em1"
>>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>> which obtain an address from dhcp
>>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>> which obtain an address from dhcp too.
>>>>>> mode       = "passive"
>>>>>> 
>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>  from $local_lan to $remote_lan \
>>>>>>  local $gw_ip peer any \
>>>>>>  srcid srv-pubkey dstid clnt-pubkey \
>>>>>>  tag "srv.tld.ipsec" \
>>>>>>  tap "enc0"
>>>>>> 
>>>>>> server# cat /etc/pf.conf
>>>>>> ...
>>>>>> ext_if           = em1
>>>>>> ipsec_if         = em1
>>>>>> ipsec_enc_if     = enc0
>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>> ...
>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>  queue ipsec             parent rootq bandwidth 90M min 70M max 100M
>>>>>>  queue ipsec_users       parent rootq bandwidth 50M min 30M max 60M
>>>>>>  queue bulk              parent rootq bandwidth 10M default
>>>>>> ...
>>>>>> block on $ext_if all
>>>>>> block on $ipsec_enc_if all
>>>>>> ...
>>>>>> 
>>>>>> # --- IPsec
>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>> {isakmp, ipsec-nat-t}
>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>> 
>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>> keep state set queue ipsec
>>>>>> 
>>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>> 
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>> keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>> keep state (if-bound)
>>>>>> 
>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>> ...
>>>>>> 
>>>>>> 
>>>>>> client# cat /etc/iked.conf
>>>>>> gw_ip      = "axen0"
>>>>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>> which obtain an address from dhcp
>>>>>> remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 \
>>>>>> which obtain an address from dhcp
>>>>>> srv_ip     = "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>>>>>> mode       = "active"
>>>>>> 
>>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>>  from $local_lan to $remote_lan \
>>>>>>  local $gw_ip peer $srv_ip \
>>>>>>  srcid clnt-pubkey dstid srv-pubkey \
>>>>>>  tag "clnt.tld.ipsec" \
>>>>>>  tap "em0"
>>>>>> 
>>>>>> client# cat /etc/pf.conf
>>>>>> ...
>>>>>> ext_if           = axen0
>>>>>> ipsec_if         = axen0
>>>>>> ipsec_enc_if     = enc0
>>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>>> ...
>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>  queue ipsec             parent rootq bandwidth 90M min 70M max 100M
>>>>>>  queue ipsec_users       parent rootq bandwidth 50M min 30M max 60M
>>>>>>  queue bulk              parent rootq bandwidth 10M default
>>>>>> ...
>>>>>> block on $ext_if all
>>>>>> block on $ipsec_enc_if all
>>>>>> ...
>>>>>> 
>>>>>> # --- IPsec
>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>> {isakmp, ipsec-nat-t}
>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>> 
>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>> keep state set queue ipsec
>>>>>> 
>>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>> 
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>> keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>> keep state (if-bound)
>>>>>> 
>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>> ...
>>>>>> 
>>>>>> I think there may be something wrong in the PF configuration or
>>>>>> something missed/unfinished regarding IPsec traffic filtering.
>>>>>> 
>>>>>> Please advise.
>>>>> 
>>>>> Do you not need a “proto ipencap” on the last two pass-rules that permit 
>>>>> traffic between your LAN:s?
>>>>> 
>>>>> // Johan
>>>>> 
>>>> 
>>> 
>> 
> 
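The blocked packet quoted above is sourced from 127.0.0.1 and leaves the physical interface axen0 rather than enc0, which points at a source-address problem rather than a missing pass rule. The following diagnostic helper is an added example, not code from the thread or from OpenBSD: it parses `tcpdump -en -i pflog0` lines of the form shown in the thread and flags loopback-sourced packets going out on a non-loopback, non-enc interface toward the tunnel network. The sample log lines are constructed (the thread prints the ports as "port"; concrete values are filled in here), and the function and class names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One-line form of an entry as printed by `tcpdump -en -i pflog0`, e.g.
#   rule 14/(match) block out on axen0: 127.0.0.1:52341 > 192.168.5.1:25: S ...
# The port separator is accepted as either "." (tcpdump's usual form) or ":".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>[^:\s]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<sport>\w+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<dport>\w+)"
)


@dataclass(frozen=True)
class PflogEntry:
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: ipaddress.IPv4Address
    sport: str
    dst: ipaddress.IPv4Address
    dport: str


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Return the parsed entry, or None for lines that are not rule matches."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    return PflogEntry(
        rule=int(m["rule"]), reason=m["reason"], action=m["action"],
        direction=m["direction"], ifname=m["ifname"],
        src=ipaddress.IPv4Address(m["src"]), sport=m["sport"],
        dst=ipaddress.IPv4Address(m["dst"]), dport=m["dport"],
    )


def find_loopback_leaks(lines: Iterable[str], tunnel_net: str) -> List[PflogEntry]:
    """Entries where a loopback-sourced packet is leaving a physical interface
    for the tunnel network.  127.0.0.1 is outside the tunnel's flow selector
    (the $local_lan prefix), so such a packet is never carried by the SA; the
    remedy is a source address inside the local LAN, not a wider pass rule."""
    net = ipaddress.IPv4Network(tunnel_net)
    hits = []
    for line in lines:
        e = parse_pflog_line(line)
        if e is None:
            continue
        if (e.direction == "out" and e.src.is_loopback
                and not e.ifname.startswith(("lo", "enc"))
                and e.dst in net):
            hits.append(e)
    return hits


# Constructed sample, modelled on the blocked packet quoted in the thread
# (ports are made-up values; the thread shows them as "port").
SAMPLE_PFLOG = [
    "rule 14/(match) block out on axen0: 127.0.0.1:52341 > 192.168.5.1:25: S "
    "776927979:776927979(0) ack 896868769 win 16384 <mss 1460>",
    "rule 3/(match) pass in on enc0: 192.168.5.1.25 > 192.168.6.1.52341: S "
    "896868768:896868768(0) win 16384 <mss 1460>",
    "rule 14/(match) block out on axen0: 192.168.6.1:40000 > 198.51.100.7:53: S 1:1(0) win 16384",
    "00:00:00.000000 not a pflog rule line",
]

if __name__ == "__main__":
    for e in find_loopback_leaks(SAMPLE_PFLOG, "192.168.5.0/24"):
        print(f"rule {e.rule}: {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"blocked out on {e.ifname} (loopback source cannot enter the tunnel)")
```

Feed it the real `tcpdump -en -i pflog0` output instead of `SAMPLE_PFLOG`; any hit is a connection whose source must be rebound to the local tunnel address (for ping, `-I 192.168.6.1` as suggested above) before any pf rule change is worth trying.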