Hi there! The question is how to set a default route for all of the client's (OBSD 6.4 road warrior) traffic inside IPsec, using the same egress.
1. I think VPN traffic should be routed only to em0 1.2.3.4 GW 1.2.3.1 (DHCP-assigned "clean" IP, or an IP behind the ISP's NAT) by setting globally $vpn_if = em0 in PF and using standard IPsec rules for it, like:

    ...
    # isakmpd(8) itself to remote
    pass in on $vpn_if inet proto udp from any to ($vpn_if) port {isakmp, ipsec-nat-t}
    pass out on $vpn_if inet proto udp from ($vpn_if) to any port {isakmp, ipsec-nat-t} keep state
    # ESP encapsulated IPsec traffic on $vpn_if
    pass in on $vpn_if inet proto esp from any to ($vpn_if)
    pass out on $vpn_if inet proto esp from ($vpn_if) to any keep state set queue ipsec_wan
    # IP-in-IP traffic between gateways on enc(4) interface
    pass in on enc0 inet proto ipencap from any to ($vpn_if) keep state (if-bound)
    pass out on enc0 inet proto ipencap from ($vpn_if) to any keep state (if-bound)
    # unencrypted traffic filtering on enc(4) interface
    pass in on enc0 inet from 0.0.0.0/0 to 10.0.190.0/24 keep state (if-bound)
    pass out on enc0 inet from 10.0.190.0/24 to 0.0.0.0/0 keep state (if-bound)
    ...

2. But all the client's system traffic from all the internal services and local LANs should be routed to the virtual vether0 10.0.190.1 GW 10.0.190.1 by setting $ext_if = vether0 in PF's global settings, leaving all the previously configured, working PF rules untouched, as shown below:

    ...
    match out on $ext_if from {lo0, $lans} to any nat-to $ext_if:0
    pass out quick on $ext_if inet proto tcp from $ext_if to any port {http, https} flags S/SA modulate state $webSTO
    pass out quick on $ext_if inet proto udp from $ext_if to any keep state $bulkSTO
    ...

So the network map should look like:

    Server                               Road warrior OBSD client
    Remote 4.3.2.2 vio0                  em0 1.2.3.4 (DHCP by ISP, can be under NAT or "clean" IP)
    gateway 4.3.2.1 GW vio0   <=VPN==    vether0 10.0.190.1 255.255.255.0 (virtual VPN subnet)

I can't make it work using a default route to send/receive the whole client's traffic inside the VPN tunnel, for some reason.
Am I right in my assumption that I should make two default routes in the client's routing table, with higher priority for vether0, and use the route-to and reply-to PF directives to connect the VPN through the em0 default route? Any samples, working configurations or advice will be highly appreciated.

    $ ipsecctl -sa
    FLOWS:
    flow ipcomp in proto udp from 0.0.0.0/0 to 10.0.190.0/24 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type use
    flow esp in proto ipencap from 4.3.2.2 to 1.2.3.4 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type use
    flow esp in proto ipcomp from 4.3.2.2 to 1.2.3.4 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type use
    flow esp out proto ipencap from 1.2.3.4 to 4.3.2.2 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type require
    flow esp out proto ipcomp from 1.2.3.4 to 4.3.2.2 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type require
    flow ipcomp out proto udp from 10.0.190.0/24 to 0.0.0.0/0 peer 4.3.2.2 srcid FQDN/client.vpn dstid FQDN/srv.vpn type require
    flow esp out from ::/0 to ::/0 type deny

    SAD:
    ipcomp tunnel from 1.2.3.4 to 4.3.2.2 spi 0x000043ee comp deflate
    ipcomp tunnel from 4.3.2.2 to 1.2.3.4 spi 0x00005ff0 comp deflate
    esp transport from 1.2.3.5 to 4.3.2.2 spi 0x486b9b22 auth sha1 enc aes-256
    esp transport from 4.3.2.2 to 1.2.3.4 spi 0xfb978ef5 auth sha1 enc aes-256

    $ netstat -r    (before changing vether0 routing priority)
    Routing tables

    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    default            1.2.3.4            UGS       11     1234     -     8 em0
    default            10.0.190.1         UGS        0     5678     -     9 vether0
    ...

    $ cat /etc/hostname.vether0
    up 10.0.190.1 255.255.255.0
    !route add -priority 7 default 10.0.190.1

    $ sh /etc/netstart vether0

    $ netstat -r    (after changing vether0 routing priority)
    Routing tables

    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    default            10.0.190.1         UGS        0     5678     -     7 vether0
    default            1.2.3.4            UGS       11     1234     -     8 em0
    ...
    $ cat /etc/iked.conf    # client side config
    gw_ip = "em0"
    ikev2 "pki-client" active ipcomp esp proto udp \
            from 10.0.190.0/24 to 0.0.0.0/0 \
            peer 4.3.2.2 \
            srcid client.vpn dstid srv.vpn \
            tag "IKED" \
            tap "enc0"

    $ cat /etc/iked.conf    # server side config
    gw_ip = "vio0"
    ikev2 "pki-server" passive ipcomp esp proto udp \
            local $gw_ip peer any \
            srcid srv.vpn \
            tag "$name-$id" \
            tap "enc0"

    $ cat /etc/pf.conf    # server PF configuration
    icmp_type = "{echoreq, timex, paramprob, unreach code needfrag}"
    table <bruteforce> persist
    sshSTO = "(max 5, source-track rule, max-src-states 10, max-src-nodes 16, \
            max-src-conn-rate 3/30, tcp.established 3600, overload <bruteforce> flush global)"
    set skip on lo
    set skip on enc0
    set reassemble yes
    set block-policy return
    set log interface egress
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from 10.0.190.0/24 to !10.0.190.0/24 nat-to (egress:0)
    block in log (all, to pflog0)
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>
    block return    # block stateless traffic
    pass in quick on egress proto udp from any to self port {isakmp, ipsec-nat-t} keep state
    pass in quick on egress proto {ah, esp}
    pass in quick inet proto icmp all icmp-type $icmp_type keep state
    pass out inet proto icmp all
    pass in quick on egress inet proto tcp from any to (egress) port ssh flags S/SA modulate state $sshSTO
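As an added check (example script, not part of the original post or of OpenBSD itself), the shell functions below read `netstat -rn` text like the tables quoted above, pick the default route the kernel will prefer (the numerically lowest Prio wins), and report which interface a packet to the IPsec peer 4.3.2.2 would leave through. The routing tables embedded in the script are constructed from the figures in the post, not captured from a real host. The assumption being checked is that IKE and ESP packets addressed to the peer must travel outside the tunnel, over the ISP-facing em0: once the preferred default route points at vether0, the peer needs a more specific route (the constructed sample adds a host route via 1.2.3.1, an assumed fix the post does not confirm) or the tunnel's own outer packets are routed into the virtual interface.

```sh
#!/bin/sh
# Added example (not from the original post): decide which default route OpenBSD
# will use and which interface the IPsec peer is reached through, from the text
# output of `netstat -rn`. Both routing tables are constructed samples based on
# the figures in the post; they are not captured from a real host.

# Constructed: table after `!route add -priority 7 default 10.0.190.1`, without
# any route for the peer more specific than default.
ROUTES_NO_HOST='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.190.1         UGS        0     5678     -     7 vether0
default            1.2.3.1            UGS       11     1234     -     8 em0
10.0.190/24        10.0.190.1         UCn        0        0     -     4 vether0
1.2.3/24           1.2.3.4            UCn        0        0     -     4 em0'

# Constructed: same table plus a host route pinning the peer to the ISP gateway
# (what `route add 4.3.2.2 1.2.3.1` would add; an assumed fix, not from the post).
ROUTES_WITH_HOST="$ROUTES_NO_HOST
4.3.2.2            1.2.3.1            UGHS       0        0     -     8 em0"

# active_default_iface TABLE
# Prints the Iface of the default route with the lowest Prio value; OpenBSD
# prefers the numerically lowest priority when several routes share a destination.
active_default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            if (best == "" || ($7 + 0) < best) { best = $7 + 0; iface = $8 }
        }
        END { print iface }'
}

# peer_route_iface TABLE PEER
# Prints the interface a packet to PEER leaves through. Simplified lookup: a host
# route (flag H, destination exactly PEER) wins, otherwise the preferred default
# route applies. Intermediate prefixes (e.g. 1.2.3/24) are not evaluated here.
peer_route_iface() {
    host_iface=$(printf '%s\n' "$1" | awk -v peer="$2" '
        $1 == peer && index($3, "H") > 0 { print $8; exit }')
    if [ -n "$host_iface" ]; then
        printf '%s\n' "$host_iface"
    else
        active_default_iface "$1"
    fi
}

# peer_path_check TABLE PEER PHYS_IF
# Prints "ok" when PEER is reached through PHYS_IF, otherwise "misrouted:<iface>",
# since IKE/ESP to the peer must leave over the ISP-facing NIC, not into the tunnel.
peer_path_check() {
    via=$(peer_route_iface "$1" "$2")
    if [ "$via" = "$3" ]; then
        printf 'ok\n'
    else
        printf 'misrouted:%s\n' "$via"
    fi
}

# Demo run over the constructed tables.
echo "preferred default route:          $(active_default_iface "$ROUTES_NO_HOST")"
echo "peer 4.3.2.2 without host route:  $(peer_path_check "$ROUTES_NO_HOST" 4.3.2.2 em0)"
echo "peer 4.3.2.2 with host route:     $(peer_path_check "$ROUTES_WITH_HOST" 4.3.2.2 em0)"
```

On a live client the same functions can be fed `"$(netstat -rn -f inet)"` in place of the constructed tables; a result of `misrouted:vether0` for the peer is the condition to look for before touching the PF route-to and reply-to rules.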