I can successfully ping both sides of the IPsec tunnel:

server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icmp_seq...

client$ ping -I 192.168.6.1 192.168.5.1
64 bytes from 192.168.6.1 icmp_seq...

tcpdump -en -i pflog0
shows nothing about blocked traffic while connecting from the "external machine".

I tried to make an external connection to the server's public IP (a.b.c.d) and
redirect this connection with PF through the IPsec tunnel to the client's IPsec IP,
192.168.6.1. Then the client's PF rules redirect the connection from the server's
IPsec IP, 192.168.5.1, to the client's 127.0.0.1, and the reply must reach the
external machine from a.b.c.d.

My test conditions:

                external machine
                #ssh -p 9922 to a.b.c.d
                        |
                        |
                server's public IP is a.b.c.d
                PF rule:
pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
                        ||
                        ||
                IPsec tunnel (working):
                srv IP: 192.168.5.1
                clnt IP: 192.168.6.1
                        ||
                        ||
                client's PF rule:
pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to
lo0 port 22 modulate state

Incoming packets from the "external machine" running the SSH client seem to be
redirected to the client's 127.0.0.1 port 22, but the client does not reply to
the "external machine".

It seems I have to implement a NAT rule for IPsec, or what?

Please advise.

Denis


On 5/15/2018 5:12 AM, Johan Hattne wrote:
> I don’t know that outgoing traffic from lo is expected to go through the 
> tunnel.  If you’re doing these tests with ping, does e.g.
> 
>   server$ ping -I 192.168.6.1 192.168.5.1
> 
> yield the expected results?  I’d expect ping responses, and tcpdump on the 
> enc interfaces on both sides to show both the request and the response.
> 
> // Johan 
> 
>> On May 14, 2018, at 07:34, Denis <den...@mindall.org> wrote:
>>
>> I have added to /etc/pf.conf:
>>
>> $ipsec_if = "axen0"
>> $ipsec_remote_lan = "192.168.5.0/24"
>>
>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>
>> but outgoing traffic from the client's lo0 is blocked anyway:
>>
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>
>> Denis
>>
>> On 5/14/2018 2:17 PM, Denis wrote:
>>> Incoming connections to the client's IP (192.168.6.1) are established and
>>> seem to be redirected to lo0:port, but the outgoing connection from the client's
>>> lo0 to the server's IP (192.168.5.1) is blocked according to
>>>
>>> # tcpdump -en -i pflog0 output:
>>>
>>> ...
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>> ...
>>>
>>> Do I need to add a NAT rule to have the reply passed to the server's source IP
>>> (192.168.5.1), or what?
>>>
>>> Thanks.
>>>
>>> Denis
>>>
>>>
>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
>>>> wrong.  What about logging blocked packets
>>>>
>>>>  block log (all, to pflog0)
>>>>
>>>> in pf.conf and dumping it
>>>>
>>>>  # tcpdump -en -i pflog0
>>>>
>>>> while doing what you expect should work?
>>>>
>>>> // Johan
>>>>
>>>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>>>
>>>>> Johan,
>>>>>
>>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>> keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>> keep state (if-bound)
>>>>>
>>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>>
>>>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>>>>>>> traffic goes over the IPsec tunnel from $ext_if on the server machine to
>>>>>>> $ext_if on the client machine and vice versa. Both machines are used in
>>>>>>> production and firewalled by PF.
>>>>>>>
>>>>>>> ------------------------
>>>>>>> # cat /etc/hostname.em1
>>>>>>> ### server $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.5.1
>>>>>>> 255.255.255.0
>>>>>>> ------------------------
>>>>>>>           |
>>>>>>>           | IPsec
>>>>>>>           |
>>>>>>> ------------------------
>>>>>>> # cat /etc/hostname.axen0
>>>>>>> ### client $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.6.1
>>>>>>> 255.255.255.0
>>>>>>> ------------------------
>>>>>>>
>>>>>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the
>>>>>>> tunnel (after IPs are assigned to both gateways by the ISP's dhcp), but no
>>>>>>> traffic, though.
>>>>>>>
>>>>>>> server# ping 192.168.6.1
>>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
>>>>>>> ...
>>>>>>> client# ping 192.168.5.1
>>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
>>>>>>> ...
>>>>>>>
>>>>>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>>>>>> selected ports (25, 443, 465, 993 etc.) must be redirected from the server's
>>>>>>> aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services
>>>>>>> on the client's aliased IP 192.168.6.1, so the client can reply to incoming
>>>>>>> connections to the remote server via the IPsec LAN.
>>>>>>>
>>>>>>> No routing is needed between the server's and client's 'real' private LANs.
>>>>>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>>>>>> tunneling, but I'm not sure about the correctness of this.
>>>>>>>
>>>>>>> server# cat /etc/iked.conf
>>>>>>> gw_ip     = "em1"
>>>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>>> which obtains an address from dhcp
>>>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>> which obtains an address from dhcp too.
>>>>>>> mode      = "passive"
>>>>>>>
>>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>>         from $local_lan to $remote_lan \
>>>>>>>         local $gw_ip peer any \
>>>>>>>         srcid srv-pubkey dstid clnt-pubkey \
>>>>>>>         tag "srv.tld.ipsec"
>>>>>>>         tap "enc0"
>>>>>>>
>>>>>>> server# cat /etc/pf.conf
>>>>>>> ...
>>>>>>> ext_if          = em1
>>>>>>> ipsec_if        = em1
>>>>>>> ipsec_enc_if    = enc0
>>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>>> ...
>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>>  queue ipsec            parent rootq bandwidth 90M min 70M max 100M
>>>>>>>  queue ipsec_users      parent rootq bandwidth 50M min 30M max 60M
>>>>>>>  queue bulk             parent rootq bandwidth 10M default
>>>>>>> ...
>>>>>>> block on $ext_if all
>>>>>>> block on $ipsec_enc_if all
>>>>>>> ...
>>>>>>>
>>>>>>> # --- IPsec
>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>
>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>>> keep state set queue ipsec
>>>>>>>
>>>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>> keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>> keep state (if-bound)
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> client# cat /etc/iked.conf
>>>>>>> gw_ip     = "axen0"
>>>>>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>> which obtains an address from dhcp
>>>>>>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>>>>>>> which obtains an address from dhcp
>>>>>>> srv_ip    = "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>>>>>>> mode      = "active"
>>>>>>>
>>>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>>>         from $local_lan to $remote_lan \
>>>>>>>         local $gw_ip to $srv_ip \
>>>>>>>         srcid clnt-pubkey dstid srv-pubkey \
>>>>>>>         tag "clnt.tld.ipsec"
>>>>>>>         tap "em0"
>>>>>>>
>>>>>>> client# cat /etc/pf.conf
>>>>>>> ...
>>>>>>> ext_if          = axen0
>>>>>>> ipsec_if        = axen0
>>>>>>> ipsec_enc_if    = enc0
>>>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>>>> ...
>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>>  queue ipsec            parent rootq bandwidth 90M min 70M max 100M
>>>>>>>  queue ipsec_users      parent rootq bandwidth 50M min 30M max 60M
>>>>>>>  queue bulk             parent rootq bandwidth 10M default
>>>>>>> ...
>>>>>>> block on $ext_if all
>>>>>>> block on $ipsec_enc_if all
>>>>>>> ...
>>>>>>>
>>>>>>> # --- IPsec
>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>
>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>>> keep state set queue ipsec
>>>>>>>
>>>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>> keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>> keep state (if-bound)
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>> ...
>>>>>>>
>>>>>>> I think there may be something wrong in the PF configuration, or something
>>>>>>> missing/unfinished regarding IPsec traffic filtering.
>>>>>>>
>>>>>>> Please advise.
>>>>>>
>>>>>> Do you not need a “proto ipencap” on the last two pass-rules that permit
>>>>>> traffic between your LANs?
>>>>>>
>>>>>> // Johan
>>>>>>
>>>>>
>>>>
>>>
>>
> 

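An added example, not part of the thread and not OpenBSD code: a small Python model of the path Denis describes (external host -> server PF rdr-to -> IPsec tunnel -> client PF rdr-to -> sshd -> reply). It assumes the IPsec flows are exactly the iked.conf selectors posted (server: from 192.168.5.0/24 to 192.168.6.0/24, client: the reverse), that a packet matching no flow follows the default route out the external interface (em1 on the server, axen0 on the client), and that the flow lookup sees the reply with the source address sshd actually used, before any PF state reverses the rdr-to. The external machine and a.b.c.d are stand-ins from the RFC 5737 documentation ranges (203.0.113.10 and 198.51.100.1, constructed). The posted server rule has no nat-to; the `server_nat_to` parameter lets you model both variants.

```python
"""Model of one redirected TCP connection crossing two PF+iked gateways.

Added example (not from the thread). Constructed addresses:
  203.0.113.10  the "external machine"
  198.51.100.1  stand-in for the server's public IP a.b.c.d
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL = "203.0.113.10"    # constructed
SERVER_PUB = "198.51.100.1"  # constructed stand-in for a.b.c.d
SERVER_ENC, CLIENT_ENC = "192.168.5.1", "192.168.6.1"   # from the thread


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Pkt":
        """The SYN-ACK sshd sends back: addresses and ports swapped."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Flow:
    """One IPsec SPD selector, as `ipsecctl -sa` would print it."""
    local: str
    remote: str

    def carries(self, p: Pkt) -> bool:
        return (ip_address(p.src) in ip_network(self.local)
                and ip_address(p.dst) in ip_network(self.remote))


def egress(p: Pkt, flow: Flow, ext_if: str) -> str:
    """Interface a packet leaves on: enc0 if a flow matches, else default route."""
    return "enc0" if flow.carries(p) else ext_if


def trace(server_nat_to: Optional[str], client_rdr_to: str) -> dict:
    """Walk a SYN from EXTERNAL to SERVER_PUB:9922 and its SYN-ACK back.

    server_nat_to : source the server's pass-in rule nat-to's, or None for the
                    rule exactly as posted (rdr-to 192.168.6.1 only)
    client_rdr_to : address the client's enc0 rule rdr-to's; "127.0.0.1" models
                    `rdr-to lo0 port 22` as posted
    """
    server_flow = Flow("192.168.5.0/24", "192.168.6.0/24")
    client_flow = Flow("192.168.6.0/24", "192.168.5.0/24")
    out = {}

    # 1. SYN hits the server's em1; PF applies rdr-to (and nat-to if present).
    syn = Pkt(EXTERNAL, 50000, SERVER_PUB, 9922)
    fwd = replace(syn, dst=CLIENT_ENC)
    if server_nat_to:
        fwd = replace(fwd, src=server_nat_to)
    out["server_egress"] = egress(fwd, server_flow, "em1")
    if out["server_egress"] != "enc0":
        out["result"] = "SYN matches no flow and never enters the tunnel"
        return out

    # 2. SYN arrives on the client's enc0; PF rdr-to's it to sshd on port 22.
    to_sshd = replace(fwd, dst=client_rdr_to, dport=22)
    out["client_sees"] = f"{to_sshd.src} > {to_sshd.dst}:{to_sshd.dport}"

    # 3. sshd answers; the kernel chooses the egress on the reply's own addresses.
    synack = to_sshd.reply()
    out["client_reply"] = f"{synack.src} > {synack.dst}"
    out["client_egress"] = egress(synack, client_flow, "axen0")
    if out["client_egress"] != "enc0":
        out["result"] = "SYN-ACK misses the flow; `block on $ext_if all` drops it"
        return out

    # 4. Back on the server's enc0 the state reverses nat-to and rdr-to, so the
    #    external machine sees the reply come from a.b.c.d:9922.
    restored = replace(synack, src=SERVER_PUB, sport=9922, dst=EXTERNAL)
    out["external_sees"] = f"{restored.src}:{restored.sport} > {restored.dst}"
    out["result"] = "handshake completes through the tunnel"
    return out


if __name__ == "__main__":
    for args in [(None, "127.0.0.1"), (SERVER_ENC, "127.0.0.1"), (SERVER_ENC, CLIENT_ENC)]:
        print(args, "->", trace(*args)["result"])
```

The second case reproduces the pflog line in the thread: the SYN-ACK leaves as `127.0.0.1 > 192.168.5.1`, a source outside the client's 192.168.6.0/24 selector, so it is routed out axen0 and caught by the default block. That block is doing real work here: without it the reply would leave the external interface in cleartext. Keeping the redirected address inside the flow selector (client rdr-to 192.168.6.1, server nat-to 192.168.5.1) is what the model needs for the handshake to complete; whether that matches the real hosts depends on where sshd listens and on what the elided parts of the posted rulesets already translate.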