I can successfully ping both sides of the IPsec tunnel:

server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icmp_seq...
client$ ping -I 192.158.6.1 192.168.5.1
64 bytes from 192.168.6.1 icmp_seq...

tcpdump -en -i pflog0 shows nothing about blocked traffic while connecting from the "external machine".

I tried to make an external connection to the server's public IP (a.b.c.d) and redirect this connection by PF through the IPsec tunnel to the client's IPsec IP, 192.168.6.1. Then the client's PF rules redirect the connection from the server's IPsec IP 192.168.5.1 to the client's 127.0.0.1, and the reply to the external machine must come from a.b.c.d.

My test conditions:

external machine
#ssh -p 9922 to a.b.c.d
   |
   |
server's public IP is a.b.c.d
PF rule:
pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
    port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
   ||
   ||
IPsec tunnel (working):
srv IP:  192.168.5.1
clnt IP: 192.168.6.1
   ||
   ||
client's PF rule:
pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to lo0 port 22 modulate state

Incoming packets from the "external machine" with the SSH client seem to be redirected to the client's 127.0.0.1 port 22, but the client does not reply to the "external machine".

It seems I have to implement a NAT rule for IPsec, or what?

Please advise.

Denis

On 5/15/2018 5:12 AM, Johan Hattne wrote:
> I don’t know that outgoing traffic from lo is expected to go through the
> tunnel. If you’re doing these tests with ping, does e.g.
>
> server$ ping -I 192.168.6.1 192.168.5.1
>
> yield the expected results? I’d expect ping responses, and tcpdump on the
> enc interfaces on both sides to show both the request and the response.
>
> // Johan
>
>> On May 14, 2018, at 07:34, Denis <den...@mindall.org> wrote:
>>
>> I have added to /etc/pf.conf:
>>
>> $ipsec_if = "axen0"
>> $ipsec_remote_lan = "192.168.5.0/24"
>>
>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>
>> but outgoing traffic from the client's lo0 is blocked anyway:
>>
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>
>> Denis
>>
>> On 5/14/2018 2:17 PM, Denis wrote:
>>> Incoming connections to the client's IP (192.168.6.1) are established and
>>> seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
>>> to the server's IP (192.168.5.1) is blocked according to
>>>
>>> # tcpdump -en -i pflog0 output:
>>>
>>> ...
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>> ...
>>>
>>> Do I need to add a NAT rule to have the reply passed to the server's source IP
>>> (192.168.5.1), or what?
>>>
>>> Thanks.
>>>
>>> Denis
>>>
>>>
>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone
>>>> wrong. What about logging blocked packets
>>>>
>>>> block log (all, to pflog0)
>>>>
>>>> in pf.conf and dumping it
>>>>
>>>> # tcpdump -en -i pflog0
>>>>
>>>> while doing what you expect should work?
>>>>
>>>> // Johan
>>>>
>>>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>>>
>>>>> Johan,
>>>>>
>>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>> keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>> keep state (if-bound)
>>>>>
>>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>>
>>>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a working ikev2 tunnel between two virtual aliased subnets. But there is no
>>>>>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>>>>>>> client machine and vice versa. Both machines are used in production and
>>>>>>> firewalled by PF.
>>>>>>>
>>>>>>> ------------------------
>>>>>>> # cat /etc/hostname.em1
>>>>>>> ### server $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.5.1
>>>>>>> 255.255.255.0
>>>>>>> ------------------------
>>>>>>> |
>>>>>>> | IPsec
>>>>>>> |
>>>>>>> ------------------------
>>>>>>> # cat /etc/hostname.axen0
>>>>>>> ### client $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.6.1
>>>>>>> 255.255.255.0
>>>>>>> ------------------------
>>>>>>>
>>>>>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>>>>>>> (after IPs are assigned to both gateways by the ISP's dhcp), but no traffic
>>>>>>> though.
>>>>>>>
>>>>>>> server# ping 192.168.6.1
>>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>>>> ...
>>>>>>> client# ping 192.168.5.1
>>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>>>>> ...
>>>>>>>
>>>>>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>>>>>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>>>>>>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>>>>>>> the aliased client IP 192.168.6.1, so the client can reply to incoming
>>>>>>> connections to the remote server via the IPsec LAN.
>>>>>>>
>>>>>>> No routing is needed between the server's / client's 'real' private LANs.
>>>>>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>>>>>> tunneling. But I'm not sure about the correctness of this.
>>>>>>>
>>>>>>> server# cat /etc/iked.conf
>>>>>>> gw_ip = "em1"
>>>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>>> which obtains an address from dhcp
>>>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>> which obtains an address from dhcp too.
>>>>>>> mode = "passive"
>>>>>>>
>>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>> from $local_lan to $remote_lan \
>>>>>>> local $gw_ip peer any \
>>>>>>> srcid srv-pubkey dstid clnt-pubkey \
>>>>>>> tag "srv.tld.ipsec"
>>>>>>> tap "enc0"
>>>>>>>
>>>>>>> server# cat /etc/pf.conf
>>>>>>> ...
>>>>>>> ext_if = em1
>>>>>>> ipsec_if = em1
>>>>>>> ipsec_enc_if = enc0
>>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>>> ...
>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>>> ...
>>>>>>> block on $ext_if all
>>>>>>> block on $ipsec_enc_if all
>>>>>>> ...
>>>>>>>
>>>>>>> # --- IPsec
>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>
>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>> pass out quick on $ipsec_if proto exp from ($ipsec_if) to any \
>>>>>>> keep state set queue ipsec
>>>>>>>
>>>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>> keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>> keep state (if-bound)
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> client# cat /etc/iked.conf
>>>>>>> gw_ip = "axen0"
>>>>>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>> which obtains an address from dhcp
>>>>>>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>>>>>>> which obtains an address from dhcp
>>>>>>> srv_ip = "a.b.c.d" # server's IP is the same each time from the ISP's dhcp
>>>>>>> mode = "active"
>>>>>>>
>>>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>>> from $local_lan to $remote_lan \
>>>>>>> local $gw_ip to $srv_ip \
>>>>>>> crcid clnt-pubkey dstid srv-pubkey \
>>>>>>> tag "clnt.tld.ipsec"
>>>>>>> tap "em0"
>>>>>>>
>>>>>>> client# cat /etc/pf.conf
>>>>>>> ...
>>>>>>> ext_if = axen0
>>>>>>> ipsec_if = axen0
>>>>>>> ipsec_enc_if = enc0
>>>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>>>> ...
>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>>> ...
>>>>>>> block on $ext_if all
>>>>>>> block on $ipsec_enc_if all
>>>>>>> ...
>>>>>>>
>>>>>>> # --- IPsec
>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>
>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>> pass out quick on $ipsec_if proto exp from ($ipsec_if) to any \
>>>>>>> keep state set queue ipsec
>>>>>>>
>>>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>> keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>> keep state (if-bound)
>>>>>>>
>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>> ...
>>>>>>>
>>>>>>> I think there can be something wrong in the PF configuration, or
>>>>>>> something missed/unfinished regarding IPsec traffic filtering.
>>>>>>>
>>>>>>> Please advise.
>>>>>>
>>>>>> Do you not need a “proto ipencap” on the last two pass-rules that permit
>>>>>> traffic between your LAN:s?
>>>>>>
>>>>>> // Johan
>>>>>>
>>>>>
>>>>
>>>
>>
>
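As an added example that is not part of this thread: a small Python triage script for the `tcpdump -en -i pflog0` output that Johan suggested capturing. It parses pflog records and flags the two things the quoted block line shows: a packet bound for the remote IPsec subnet leaving on the external interface rather than enc0, and a loopback-sourced packet appearing on a non-loopback interface. The subnet (192.168.5.0/24), the enc0 and axen0 interface names and the first sample record come from the thread; the remaining sample records and the `:port` / `host.port` handling are constructed assumptions for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Site layout assumed from the thread, seen from the client: the server's
# IPsec subnet is 192.168.5.0/24, enc0 carries the tunnel and axen0 is the
# external interface. Adjust these for the host the log was taken on.
REMOTE_IPSEC_LAN = ipaddress.ip_network("192.168.5.0/24")
ENC_IFACES = {"enc0"}
EXT_IFACES = {"axen0"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Shape of a 'tcpdump -en -i pflog0' record as quoted in the thread:
#   rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S ...
# tcpdump itself prints ports as host.port; both spellings are accepted.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass|match) "
    r"(?P<dir>in|out) on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+):(?:\s|$)"
)


@dataclass
class PflogEntry:
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src: str  # host only, port removed
    dst: str


def strip_port(endpoint: str) -> str:
    """Return the host part of '127.0.0.1:port', '192.168.6.1.9922' or a bare host."""
    if ":" in endpoint:              # notation used in the thread
        return endpoint.rsplit(":", 1)[0]
    if endpoint.count(".") == 4:     # tcpdump's host.port spelling
        return endpoint.rsplit(".", 1)[0]
    return endpoint


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog record; a line that is not a record yields None."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    return PflogEntry(
        rule=int(m["rule"]), reason=m["reason"], action=m["action"],
        direction=m["dir"], iface=m["iface"],
        src=strip_port(m["src"]), dst=strip_port(m["dst"]),
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    entries = [parse_pflog_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[PflogEntry]) -> List[str]:
    """Flag records where tunnel-bound or loopback traffic sits on the wrong interface."""
    findings = []
    for e in entries:
        try:
            src, dst = ipaddress.ip_address(e.src), ipaddress.ip_address(e.dst)
        except ValueError:
            continue                 # hostnames (tcpdump run without -n): skip
        if e.direction == "out" and e.iface in EXT_IFACES and dst in REMOTE_IPSEC_LAN:
            findings.append(
                f"rule {e.rule}: {e.action} out on {e.iface} to {dst}, which is in the "
                f"remote IPsec LAN; this flow was expected on {', '.join(sorted(ENC_IFACES))}"
            )
        if src in LOOPBACK and not e.iface.startswith("lo"):
            findings.append(
                f"rule {e.rule}: packet sourced from {src} on {e.iface}; a loopback "
                f"source address on a non-loopback interface (the rdr-to lo0 reply)"
            )
    return findings


# Constructed sample: the first record is the line quoted in the thread; the
# others are made up to exercise the parser (RFC 5737 documentation addresses).
LOG_SAMPLE = """\
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460>
rule 3/(match) pass in on enc0: 192.168.5.1.51234 > 192.168.6.1.9922: S 1:1(0) win 16384
rule 9/(match) block in on axen0: 203.0.113.7.40000 > 192.0.2.10.23: S 5:5(0) win 1024
not a pflog record
"""

if __name__ == "__main__":
    for finding in triage(parse_pflog(LOG_SAMPLE)):
        print(finding)
```

Run it against a saved `tcpdump -en -i pflog0` capture by feeding the file contents to `parse_pflog`; both findings fire for the rule 14 line, and the enc0 pass record and the unrelated inbound block produce nothing, which is the distinction a quick look at the raw dump tends to blur.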