Just to add more on this, something that makes no sense to me and that I
do not understand.

Just adding to what's below a simple additional flow like this

gateway$ echo 'flow from 66.63.44.90 to 66.63.44.100 type bypass' | doas ipsecctl -vf -

even if there isn't anything at 66.63.44.100, makes the flows from
66.63.44.90 to anything else all work...

It looks like somehow the bypass flows don't process CIDR properly
without some additional one.

gateway# ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 100.36.20.77 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp in from 66.63.44.100 to 66.63.44.90 type bypass
flow esp in from 216.15.33.137 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 216.15.33.137 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 66.63.44.100 type bypass
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 100.36.20.77 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny



On 1/16/19 5:36 PM, Daniel Ouellet wrote:
>> You don't actually even need an ipsec.conf file, you could just do
>>
>> $ echo 'flow from 192.0.2.1/32 to 192.0.2.2/32 type bypass' | doas ipsecctl -vf -
> 
> That would actually be a very simple solution and I would sure love it!
> 
> But testing doesn't show that as being the case. Packets are still being
> forwarded to enc0 even if they show as being bypass in the ipsecctl -sf.
> 
> I did the forward and reverse entries to see the results. Set up two servers
> real quick to test, and here are the results with the simpler, shorter version
> of iked.conf and adding the bypass:
> 
> gateway$ doas cat /etc/iked.conf
> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
> 
> ikev2 "Flow" active \
>         from re1 to tunnel.realconnect.com \
>         from re1 to stats.realconnect.com \
>         from 66.63.44.66 to 0.0.0.0/0 \
>         from 66.63.44.67 to 66.63.0.0/18 \
>         from 66.63.44.67 to christine-home.realconnect.com \
>         from home.ouellet.us to 0.0.0.0/0 \
>         from 66.63.44.96/28 to 0.0.0.0/0 \
>         peer tunnel.realconnect.com
> 
> gateway$ echo 'flow from 66.63.44.96/28 to 66.63.44.64/27 type bypass' | doas ipsecctl -vf -
> 
> gateway$ echo 'flow from 66.63.44.64/27 to 66.63.44.96/28 type bypass' | doas ipsecctl -vf -
> 
> And then check the flows to see if the bypasses are present, and they are, as
> below:
> 
> gateway$ doas ipsecctl -sf
> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 66.63.5.250 to 100.36.20.77 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
> flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
> flow esp in from 216.15.33.137 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
> flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.67 to 216.15.33.137 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
> flow esp out from 100.36.20.77 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> flow esp out from ::/0 to ::/0 type deny
> 
> But the packets are still sent to the enc0 however.
> 
> tcpdump shows that:
> 
> gateway$ doas tcpdump -nli enc0 | grep icmp
> tcpdump: listening on enc0, link-type ENC
> 17:29:15.778857 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> 17:29:15.784287 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> 17:29:16.789014 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> 17:29:16.793698 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> 17:29:17.799066 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> 17:29:17.803543 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
> ^C
> 44 packets received by filter
> 0 packets dropped by kernel
> 
> If the bypass were active it shouldn't reach enc0 but go between re1 and
> re2, as shown in the routing table for the test:
> 
> gateway$ doas route -n show -inet
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            100.36.20.1        UGS        7 15559373     -     8 re0
> 224/4              127.0.0.1          URS        0     5756 32768     8 lo0
> 66.63.44.64/27     66.63.44.65        UCn        9    29469     -     4 re1
> 66.63.44.65        00:0d:b9:3e:d5:5d  UHLl       0    56673     -     1 re1
> 66.63.44.66        00:0a:41:6b:84:1c  UHLc       0   101716     -     3 re1
> 66.63.44.67        40:6c:8f:bc:5d:a8  UHLc       1 17896548     -     3 re1
> 66.63.44.72        00:1e:c0:11:ff:70  UHLc       0   576647     -     3 re1
> 66.63.44.73        b8:41:a4:5e:ad:41  UHLc       1   122361     -     3 re1
> 66.63.44.74        74:c2:46:ed:c0:1f  UHLc       0    40926     -     3 re1
> 66.63.44.76        c8:2a:14:23:2a:a8  UHLc       1    29533     -     3 re1
> 66.63.44.90        00:25:90:31:31:b2  UHLc       0   126950     -     3 re1
> 66.63.44.93        38:ed:18:45:12:dd  UHLc       0     2297     -     3 re1
> 66.63.44.94        b4:75:0e:63:d1:dc  UHLc       0    29262     -     3 re1
> 66.63.44.95        66.63.44.65        UHb        0    12812     -     1 re1
> 66.63.44.96/28     66.63.44.97        UCn        2    93512     -     4 re2
> 66.63.44.97        00:0d:b9:3e:d5:5e  UHLl       0    98042     -     1 re2
> 66.63.44.99        ac:1f:6b:b9:ef:8a  UHLc       2    94146     -     3 re2
> 66.63.44.102       link#3             UHLc       0    93509     -     3 re2
> 66.63.44.111       66.63.44.97        UHb        0     9543     -     1 re2
> 100.36.20/24       100.36.20.77       UCn        1        0     -     4 re0
> 100.36.20.1        54:e0:32:be:cf:c9  UHLch      2      364     -     3 re0
> 100.36.20.77       00:0d:b9:3e:d5:5c  UHLl       0  2551787     -     1 re0
> 100.36.20.255      100.36.20.77       UHb        0        0     -     1 re0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       2      783 32768     1 lo0

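The traffic in the thread (66.63.44.90 -> 66.63.44.99, outbound) is covered by two flows in the `ipsecctl -sf` listing at once: the `bypass` for 66.63.44.64/27 -> 66.63.44.96/28 and the `require` for 66.63.44.90 -> 0.0.0.0/0, so a bypass is only as good as the flows it overlaps with. The script below is an added example, not OpenBSD code and not something from the thread: it parses `ipsecctl -sf` output (rejoining the line wrapping a mail client adds), lists every flow that covers a given packet, and reports pairs of same-direction flows with different policy types whose source and destination ranges overlap. The sample flow text is a constructed subset of the listing above. It deliberately does not decide which overlapping flow the kernel's SPD lookup picks; it only shows where the overlap exists so you know which packets to check with tcpdump.

```python
"""Find overlapping IPsec flows in `ipsecctl -sf` output (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: a subset of the flows shown in the thread, pasted in the
# line-wrapped form a mail client produces (each flow is one line in the real
# ipsecctl output).
SAMPLE_FLOWS = """\
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from ::/0 to ::/0 type deny
"""

# One `flow <proto> <in|out> from <src> to <dst> [peer X] [srcid X] [dstid X] type <t>` line.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
    r"(?:\s+srcid\s+\S+)?(?:\s+dstid\s+\S+)?"
    r"\s+type\s+(?P<type>\S+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    direction: str          # "in" or "out"
    src: Net
    dst: Net
    peer: Optional[str]
    ftype: str              # use, require, bypass, deny, ...
    text: str               # the rejoined line, for printing


def _rejoin(text: str) -> List[str]:
    """Glue mail-wrapped continuation lines back onto their 'flow ...' line."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("flow ") or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return [l for l in lines if l.startswith("flow ")]


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in _rejoin(text):
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised flow line: {line!r}")
        # A bare address such as 66.63.44.90 becomes a /32 (or /128) network.
        src = ipaddress.ip_network(m["src"], strict=False)
        dst = ipaddress.ip_network(m["dst"], strict=False)
        flows.append(Flow(m["proto"], m["dir"], src, dst, m["peer"], m["type"], line))
    return flows


def matching_flows(flows: List[Flow], direction: str, src_ip: str, dst_ip: str) -> List[Flow]:
    """Every flow in `direction` whose src and dst ranges both cover the packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [f for f in flows
            if f.direction == direction and f.src.version == s.version
            and s in f.src and d in f.dst]


def policy_types(flows: List[Flow], direction: str, src_ip: str, dst_ip: str) -> List[str]:
    """Distinct policy types covering one packet; more than one means a bypass
    is competing with another flow for that traffic."""
    return sorted({f.ftype for f in matching_flows(flows, direction, src_ip, dst_ip)})


def overlapping_policies(flows: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Pairs of same-direction flows with different types whose src and dst
    ranges both overlap, i.e. there exist packets that match both."""
    pairs: List[Tuple[Flow, Flow]] = []
    for i, a in enumerate(flows):
        for b in flows[i + 1:]:
            if a.direction != b.direction or a.ftype == b.ftype:
                continue
            if a.src.version != b.src.version:
                continue
            if a.src.overlaps(b.src) and a.dst.overlaps(b.dst):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # The ping from the thread: 66.63.44.90 -> 66.63.44.99, outbound.
    for f in matching_flows(flows, "out", "66.63.44.90", "66.63.44.99"):
        print("covers 66.63.44.90 -> 66.63.44.99:", f.text)
    print()
    for a, b in overlapping_policies(flows):
        print(f"{a.ftype} overlaps {b.ftype}:\n  {a.text}\n  {b.text}")
```

Feed it the real listing with `doas ipsecctl -sf | python3 flows.py` after swapping `SAMPLE_FLOWS` for `sys.stdin.read()`; any pair it prints is a packet range where the effective policy depends on how the kernel orders the two flows, which is exactly the case to confirm on enc0 with tcpdump rather than from the listing alone.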