On Tue, Mar 22, 2022 at 02:38:15AM +0000, Philipp Buehler wrote:
>Am 21.03.2022 19:04 schrieb rea...@catastrophe.net:
>> The flows look correct in the SA table on server-west and traffic leaves on
>> enc0, hits vio0 on server-east as ESP traffic, but then is dropped. Again,
>> only when I also start a ping on server-east (10.254.255.1) to server-west
>> (10.255.255.1) does the original ping session see replies.
>
>Out of balance / asymmetric rule set not generating needed state.
>
[..]
>Check back your actual interfaces (vio0..) for ESP traffic allowance.
>The '@73' and '@58' already indicate a major difference, so check for 'pass
>... proto esp'.

Thanks. The only differences are that one side has other rules for
local access (a web server, etc.).

Rules on both sides are:

# server-east 
--------------
pass in  proto udp from any to self port { isakmp, ipsec-nat-t } keep state 
pass out proto udp from any to any port { isakmp, ipsec-nat-t } keep state

pass in  proto { esp, ah } from any to vio0 keep state 
pass out proto { esp, ah } from vio0 to any keep state

pass on log enc0 keep state (if-bound) tagged VPN.LAX
pass on log enc0 keep state (if-bound)

# server-west
--------------
pass in  proto udp from any to self port { isakmp, ipsec-nat-t } keep state 
pass out proto udp from any to any port { isakmp, ipsec-nat-t } keep state

pass in  proto { esp, ah } from any to em0 keep state 
pass out proto { esp, ah } from em0 to any keep state

pass on log enc0 keep state (if-bound) tagged VPN.ORD
pass on log enc0 keep state (if-bound)

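An added example, not code from this thread or from OpenBSD: a small Python checker for the kind of asymmetry Philipp points at. Given a pf ruleset and the name of the external interface, it confirms that IKE (udp/500 and udp/4500), ESP and AH are passed both in and out on that interface and that something passes traffic on enc0; anything missing comes back as a finding. The parser is constructed for this illustration and only understands plain 'pass' rules of the shape quoted above (direction, log, on <if>, proto, from, to, port); the ASYMMETRIC ruleset and the em0 mismatch case are constructed inputs, the SERVER_EAST ruleset is the one quoted in the message.

```python
"""Sanity-check a pf ruleset for the pass rules an IPsec peer needs.

Constructed example for this thread, not the poster's or OpenBSD's code.
The parser is deliberately minimal: it understands only plain 'pass'
rules of the shape quoted in the thread and ignores any other keyword.
"""

# pf accepts service names or numbers; normalise both IKE ports to numbers.
PORT_ALIASES = {"isakmp": "500", "ipsec-nat-t": "4500"}


def parse_rule(line):
    """Parse one pf 'pass' rule into a dict; return None for any other line."""
    toks = (line.split("#", 1)[0].replace("{", " { ").replace("}", " } ")
            .replace(",", " ").split())
    if not toks or toks[0] != "pass":
        return None
    rule = {"dir": None, "iface": None, "proto": [], "src": None, "dst": None,
            "ports": []}

    def take_list(i):
        # Read a single token or a '{ a b c }' group starting at toks[i].
        if toks[i] == "{":
            j = toks.index("}", i)
            return toks[i + 1:j], j + 1
        return [toks[i]], i + 1

    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"], i = t, i + 1
        elif t == "on":
            i += 1
            if toks[i] == "log":        # tolerate 'pass on log enc0' as written above
                i += 1
            rule["iface"], i = toks[i], i + 1
        elif t == "proto":
            rule["proto"], i = take_list(i + 1)
        elif t == "from":
            vals, i = take_list(i + 1)
            rule["src"] = vals[0]
        elif t == "to":
            vals, i = take_list(i + 1)
            rule["dst"] = vals[0]
        elif t == "port":
            vals, i = take_list(i + 1)
            rule["ports"] += vals
        else:
            i += 1                      # log, keep state, (if-bound), tagged ...
    return rule


def _matches(rule, direction, ext_if):
    """Does this rule cover traffic in `direction` on the external interface?"""
    if rule["dir"] not in (direction, None):
        return False
    if rule["iface"] is not None:
        return rule["iface"] == ext_if
    endpoint = rule["dst"] if direction == "in" else rule["src"]
    return endpoint in (ext_if, "self", "any", None)


def check_ipsec_rules(rules_text, ext_if):
    """Return findings; an empty list means IKE, ESP and AH are passed both
    ways on ext_if and at least one rule passes traffic on enc0."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    findings = []
    for direction in ("in", "out"):
        for proto in ("esp", "ah"):
            if not any(proto in r["proto"] and _matches(r, direction, ext_if)
                       for r in rules):
                findings.append(f"no pass {direction} rule for proto {proto} on {ext_if}")
        covered = set()
        for r in rules:
            if "udp" in r["proto"] and _matches(r, direction, ext_if):
                covered |= {PORT_ALIASES.get(p, p) for p in r["ports"]}
        missing = {"500", "4500"} - covered
        if missing:
            findings.append(f"pass {direction} udp missing IKE port(s) "
                            f"{sorted(missing)} on {ext_if}")
    if not any(r["iface"] == "enc0" for r in rules):
        findings.append("no pass rule on enc0 (decapsulated traffic will be blocked)")
    return findings


# server-east's rules as quoted in the thread.
SERVER_EAST = """
pass in  proto udp from any to self port { isakmp, ipsec-nat-t } keep state
pass out proto udp from any to any port { isakmp, ipsec-nat-t } keep state
pass in  proto { esp, ah } from any to vio0 keep state
pass out proto { esp, ah } from vio0 to any keep state
pass on log enc0 keep state (if-bound) tagged VPN.LAX
pass on log enc0 keep state (if-bound)
"""

# Constructed: a lopsided copy that passes ESP/AH inbound only.
ASYMMETRIC = """
pass in  proto udp from any to self port { isakmp, ipsec-nat-t } keep state
pass out proto udp from any to any port { isakmp, ipsec-nat-t } keep state
pass in  proto { esp, ah } from any to vio0 keep state
pass on enc0 keep state (if-bound)
"""

if __name__ == "__main__":
    for name, text, ifname in (("server-east", SERVER_EAST, "vio0"),
                               ("asymmetric", ASYMMETRIC, "vio0"),
                               ("server-east rules on an em0 box", SERVER_EAST, "em0")):
        print(name, "->", check_ipsec_rules(text, ifname) or "ok")
```

The third case is the mismatch Philipp's reply warns about: rules that name vio0 loaded on a box whose external interface is em0 pass neither ESP nor AH in either direction, while the IKE rules (written against `self` and `any`) still pass, so phase 1 and 2 complete and only the ESP packets get dropped.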