Hi there!
The question is how to set default route for all client's (OBSD 6.4 road
warrior) traffic inside IPsec using the same egress.
1. I think VPN traffic should be routed only to em0 1.2.3.4 GW 1.2.3.1 with
DHCP assigned "clean" IP or IP
behind ISPs NAT by setting globally $vpn_if = em0 in PF and use standard IPsec
rules for it like:
...
# isakmpd(8) itself to remote
pass in on $vpn_if inet proto udp from any to ($vpn_if) port {isakmp,
ipsec-nat-t}
pass out on $vpn_if inet proto udp from ($vpn_if) to any port {isakmp,
ipsec-nat-t} keep state
# ESP encapsulated IPsec traffic on $vpn_if
pass in on $vpn_if inet proto esp from any to ($vpn_if)
pass out on $vpn_if inet proto esp from ($vpn_if) to any keep state set queue
ipsec_wan
# IP-in-IP traffic between gateways on enc(4) interface
pass in on enc0 inet proto ipencap from any to ($vpn_if) keep state (if-bound)
pass out on enc0 inet proto ipencap from ($vpn_if) to any keep state (if-bound)
# unencrypted traffic filtering on enc(4) interface
pass in on enc0 inet from 0.0.0.0/0 to 10.0.190.0/24 keep state (if-bound)
pass out on enc0 inet from 10.0.190.0/24 to 0.0.0.0/0 keep state (if-bound)
...
2. But all the client's system traffic from all the internal services and local
LAN's should be routed to
virtual vether0 10.0.190.1 GW 10.0.190.1 by setting $ext_if = vehter0 in PF's
global settings and leave
all the working PF rules previously configured untouched as shown below:
...
match out on $ext_if from {lo0, $lans} to any nat-to $ext_if:0
pass out quick on $ext_if inet proto tcp from $ext_if to any port {http, https}
flags S/SA modulate state $webSTO
pass out quick on $ext_if inet proto udp from $ext_if to any keep state $bulkSTO
...
So network's map should looks like:
Server Road warrior OBSD client
Remote 4.3.2.2 vio0 em0 1.2.3.4 DHCP by ISP can be under
NAT or "clean" IP
gateway 4.3.2.1 GW vio0 <=VPN== vether0 10.0.190.1 255.255.255.0 virtual VPN
subnet
I can't make it working using default route to send/receive whole client's
traffic inside VPN tunnel for some reason.
Am I right with my assumption to make two default routes in client's routing
table with upper priority for
vether0 and route-to and reply-to PF directives to connect VPN tru em0 default
route?
Any samples, working configurations or advises will be highly appreciated.
$ ipsecctl -sa
FLOWS:
flow ipcomp in proto udp from 0.0.0.0/0 to 10.0.190.0/24 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type use
flow esp in proto ipencap from 4.3.2.2 to 1.2.3.4 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type use
flow esp in proto ipcomp from 4.3.2.2 to 1.2.3.4 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type use
flow esp out proto ipencap from 1.2.3.4 to 4.3.2.2 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type require
flow esp out proto ipcomp from 1.2.3.4 to 4.3.2.2 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type require
flow ipcomp out proto udp from 10.0.190.0/24 to 0.0.0.0/0 peer 4.3.2.2 srcid
FQDN/client.vpn dstid FQDN/srv.vpn type require
flow esp out from ::/0 to ::/0 type deny
SAD:
ipcomp tunnel from 1.2.3.4 to 4.3.2.2 spi 0x000043ee comp deflate
ipcomp tunnel from 4.3.2.2 to 1.2.3.4 spi 0x00005ff0 comp deflate
esp transport from 1.2.3.5 to 4.3.2.2 spi 0x486b9b22 auth sha1 enc aes-256
esp transport from 4.3.2.2 to 1.2.3.4 spi 0xfb978ef5 auth sha1 enc aes-256
$ netstat -r (before changing vether0 routing priority)
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 1.2.3.4 UGS 11 1234 - 8 em0
default 10.0.190.1 UGS 0 5678 - 9 vether0
...
$ cat /etc/hostname.vether0
up
10.0.190.1 255.255.255.0
!route add -priority 7 default 10.0.190.1
$ sh /etc/netstart vether0
$ netstat -r (after changing vether0 routing priority)
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.0.190.1 UGS 0 5678 - 7 vether0
default 1.2.3.4 UGS 11 1234 - 8 em0
...
$ cat /etc/iked.conf
# client side config
gw_ip = "em0"
ikev2 "pki-client" active ipcomp esp proto udp \
from 10.0.190.0/24 to 0.0.0.0/0 \
peer 4.3.2.2 \
srcid client.vpn dstid srv.vpn \
tag "IKED" \
tap "enc0"
$ cat /etc/iked.conf
# server side config
gw_ip = "vio0"
ikev2 "pki-server" passive ipcomp esp proto udp \
local $gw_ip peer any \
srcid srv.vpn \
tag "$name-$id" \
tap "enc0"
$ cat /etc/pf.conf
# server PF configuration
icmp_type = "{echoreq, timex, paramprob, unreach code needfrag}"
table <bruteforce> persist
sshSTO = "(max 5, source-track rule, max-src-states 10, max-src-nodes 16, \
max-src-conn-rate 3/30, tcp.established 3600, overload <bruteforce> flush
global)"
set skip on lo
set skip on enc0
set reassemble yes
set block-policy return
set log interface egress
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from 10.0.190.0/24 to !10.0.190.0/24 nat-to (egress:0)
block in log (all, to pflog0)
block in quick from urpf-failed label uRPF
block quick from <bruteforce>
block return # block stateless traffic
pass in quick on egress proto udp from any to self port {isakmp, ipsec-nat-t}
keep state
pass in quick on egress proto {ah, esp}
pass in quick inet proto icmp all icmp-type $icmp_type keep state
pass out inet proto icmp all
pass in quick on egress inet proto tcp from any to (egress) port ssh flags S/SA
modulate state $sshSTO
