Hello,

lbld12# uname -a
OpenBSD lbld12.duckdns.org 7.3 GENERIC.MP#1130 amd64

Our current VPN uses user/password authentication (MSCHAPv2), so I am
trying to use strongSwan to connect to my workplace.

# ipsec statusall 

Security Associations (1 up, 0 connecting):
       qarea[1]: ESTABLISHED 62 minutes ago, 178.151.162.44[edigarov]...185.78.xxx.1[vpn.xxx.org]
       qarea[1]: IKEv2 SPIs: 62417f797a2ca675_i* 6db16adc7d9f5355_r, EAP reauthentication in 101 minutes
       qarea[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       qarea{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f07d99fb_i 0ef2e82a_o
       qarea{2}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 67604 bytes_o (806 pkts, 18s ago), rekeying in 32 minutes
       qarea{2}:   192.168.112.215/32 === 192.168.12.0/22

# pfctl -s st  |grep 185.78 
all udp 178.151.162.44:4500 -> 185.78.235.1:4500       MULTIPLE:MULTIPLE

tcpdump on external physical interface:

12:06:56.040573 185.78.xxx.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 812 len 152 [tos 0x8]
12:06:57.037764 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 812 len 152
12:06:57.044270 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 813 len 152 [tos 0x8]
12:06:58.037795 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 813 len 152
12:06:58.044250 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 814 len 152 [tos 0x8]
12:06:58.239755 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL
        cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 160 (DF) [tos 0x8]
12:06:58.240035 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL
        cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 80
12:06:59.037758 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 814 len 152
12:06:59.044223 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 815 len 152 [tos 0x8]
12:07:00.037804 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 815 len 152
12:07:00.044319 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 816 len 152 [tos 0x8]
12:07:01.037803 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 816 len 152
12:07:01.044248 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 817 len 152 [tos 0x8]

However, on the tunnel interface, tun1, there are no responses:

tcpdump: listening on tun1, link-type LOOP
12:08:53.037668 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:54.037698 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:55.037682 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:56.037679 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:57.037671 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:58.037683 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:59.037677 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:00.037671 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:01.037690 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:02.037678 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:03.037680 192.168.112.215 > 192.168.12.49: icmp: echo request

If I disable pf the picture stays the same. In pf.conf I have:
pass out on tun1 from self to any #nat-to (tun1)
pass out from self to any
pass in on egress proto udp from 185.78.235.1 to (egress) port 4500

# netstat -rn | grep tun1
192.168.12/22      192.168.112.215    US         0       18     -     8 tun1 
192.168.112.215    192.168.112.215    UHl        0        1     -     1 tun1 

What gives?

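The post's own data already contains the clue worth checking mechanically: inbound ESP with the SA's `_i` SPI (0xf07d99fb) is visible on the external interface, yet `ipsec statusall` reports `0 bytes_i` for that child SA, while outbound packets are counted. The script below is an added example (not part of the post, and not strongSwan or OpenBSD code) that correlates the child-SA lines from `ipsec statusall` with a tcpdump capture: it checks that the SPIs seen on the wire are the ones the SA installed, looks for sequence-number gaps that would indicate loss before the capture point, and flags the "packets arrive but are not credited to the inbound SA" condition. The sample input is constructed from the post's output, re-joined onto single lines the way tcpdump prints them, with the masked peer address taken from the unmasked lines; `LOCAL_IP` is the host's egress address from the post.

```python
import re

# Constructed sample input: the child-SA lines from the post's `ipsec statusall`
# and a few of its tcpdump lines, re-joined onto single lines as tcpdump prints them.
STATUSALL = """\
qarea{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f07d99fb_i 0ef2e82a_o
qarea{2}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 67604 bytes_o (806 pkts, 18s ago), rekeying in 32 minutes
qarea{2}:   192.168.112.215/32 === 192.168.12.0/22
"""

TCPDUMP = """\
12:06:56.040573 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 812 len 152 [tos 0x8]
12:06:57.037764 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 812 len 152
12:06:57.044270 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 813 len 152 [tos 0x8]
12:06:58.037795 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 813 len 152
12:06:58.044250 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 814 len 152 [tos 0x8]
12:06:58.239755 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL
12:06:58.240035 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL
12:06:59.037758 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 814 len 152
12:06:59.044223 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 815 len 152 [tos 0x8]
12:07:00.037804 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 815 len 152
12:07:00.044319 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 816 len 152 [tos 0x8]
12:07:01.037803 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 816 len 152
12:07:01.044248 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 817 len 152 [tos 0x8]
"""

LOCAL_IP = "178.151.162.44"  # the OpenBSD host's egress address in the post

SPI_RE = re.compile(r"ESP in UDP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
ESP_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"udpencap: esp spi 0x([0-9a-f]+) seq (\d+) len (\d+)"
)


def parse_child_sa(text):
    """Pull the SPIs and byte counters out of the child-SA block of `ipsec statusall`."""
    spi = SPI_RE.search(text)
    cnt = BYTES_RE.search(text)
    if not spi or not cnt:
        raise ValueError("no child SA with SPIs and counters found")
    return {"spi_in": spi.group(1), "spi_out": spi.group(2),
            "bytes_in": int(cnt.group(1)), "bytes_out": int(cnt.group(2))}


def parse_esp(text):
    """Keep only UDP-encapsulated ESP records; IKE INFORMATIONAL lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            pkts.append({"src": m.group(1), "dst": m.group(3), "spi": m.group(5),
                         "seq": int(m.group(6)), "len": int(m.group(7))})
    return pkts


def seq_gaps(pkts):
    """Count missing ESP sequence numbers between consecutive packets of one direction."""
    seqs = sorted(p["seq"] for p in pkts)
    return sum(b - a - 1 for a, b in zip(seqs, seqs[1:]))


def correlate(sa, pkts, local_ip):
    """Compare what the wire shows against what the installed SA claims to have processed."""
    inbound = [p for p in pkts if p["dst"] == local_ip]
    outbound = [p for p in pkts if p["src"] == local_ip]
    report = {
        "in_pkts": len(inbound), "out_pkts": len(outbound),
        "in_spi_ok": bool(inbound) and all(p["spi"] == sa["spi_in"] for p in inbound),
        "out_spi_ok": bool(outbound) and all(p["spi"] == sa["spi_out"] for p in outbound),
        "in_gaps": seq_gaps(inbound), "out_gaps": seq_gaps(outbound),
        "findings": [],
    }
    if report["in_spi_ok"] and sa["bytes_in"] == 0:
        report["findings"].append(
            "inbound ESP carrying the SA's _i SPI reaches this host, yet the SA reports "
            "0 bytes_i: the peer is replying, but nothing is credited to the inbound SA")
    if inbound and not report["in_spi_ok"]:
        report["findings"].append(
            "inbound SPI on the wire does not match the installed SA (stale SA after a rekey?)")
    if report["in_gaps"] or report["out_gaps"]:
        report["findings"].append(
            "sequence gaps on the wire: packets are being lost before the capture point")
    return report


if __name__ == "__main__":
    result = correlate(parse_child_sa(STATUSALL), parse_esp(TCPDUMP), LOCAL_IP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the post's data it reports 6 inbound and 5 outbound ESP packets, both SPIs matching the installed SA, no sequence gaps, and one finding: the inbound SA has never counted a byte even though its SPI is arriving. That narrows the question to what happens to those packets after they reach the host, which is the distinction the post's two captures (external interface versus tun1) are already making.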