On 2023-06-28, Jiri Navratil <[email protected]> wrote:
> Hello,
>
> I'm trying to build Site-to-site VPN based on "Configuring an IKEv2 Server"
> in https://www.openbsd.org/faq/faq17.html
>
> I see in iked -dv output to terminal (I replaced some parts with dots)
>
> spi=0x4905............:
> established peer ...............:4500[FQDN/.................]
> local .............:4500[FQDN/.................]
> policy '....._rsa' as responder
> (enc aes-128-gcm group curve25519 prf hmac-sha2-256
>
>
> and
>
> spi=0x16f.............:
> established peer ..............:4500[FQDN/.................]
> local ...............:4500[FQDN/.................]
> policy '....._rsa' as initiator
> (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
>
> I can't ping from one location to the other one. I see from ipsecctl -sa on
> the responder side the expected FLOWS and SAD lines, but there is nothing from

Show your config (mask external IPs if you must but leave the private
ones), and show how you test (what commands you typed, on what machines,
and what happens - show the actual output).

> nc -u -l 500
> tcpdump -nei pflog0 rnr 35
>
> Could you please help me with some answers?
>
> 1) The FAQ has pf rules for the responder only. No rules are needed for
> the initiator?

It depends on your other rules and what traffic you want to allow. In
many cases an initiator will have "pass out" or similar already and then
often nothing more is needed, but it depends.

> 2) The FAQ describes ipsec.conf changes and enabling it only in "Connecting
> to an IKEv1/L2TP VPN". Nothing is needed in "IKEv2 Site-to-site VPNs"?

With a couple of notable exceptions that are probably irrelevant to you
(bypass and deny flows), ipsec.conf is just for isakmpd (IKEv1).

> 3) The sites I'm configuring are both using PPPoE. One has a VLAN and I
> see an external static IPv4 on PPPoE, but the other site uses NAT 1:1, so I
> see a private IPv4 on PPPoE, but I have to access it over the allocated
> external IPv4. I'm not sure which IP goes where. I switched responder
> and initiator to have the responder on the site with the VLAN, but I'm still
> not sure where in pf.conf and /etc/iked.conf to use the external IP and
> where the NAT IP.

Is the pppoe run on the openbsd machine or a separate router?

You will want the 'peer' addresses to be "whatever address you need to
connect to, to send packets to that machine". And 'local' addresses, if
used, to be the address on the interface on the local machine.

> 4) Using enc0 in pf.conf did not work. I had to switch to pppoe. Is that
> correct? No rules for enc0 and vlan?

Not worked how?

Show the config, show what happened.

You will need to either pass or skip pf processing of traffic on enc0
one way or another.

> 4) I don't see any output from the nc and tcpdump commands. How can I see
> which pf rule stops ping from the other site?

*IF* it is being blocked by a PF rule, make sure you have "log" on any
block rules, and watch tcpdump -nei pflog0.

But you might just be trying to ping from an address which does not
match a flow sent over the tunnel, in which case it will just be sent
over the standard internet connection. (Might be easier to test from
another machine on the tunneled subnet rather than the iked box itself).

If you're only used to packet forwarding via the route table (which only
considers the *destination* address), you won't be familiar with flow-
based traffic selectors, which also consider the *source* address (and
maybe also port numbers etc, if configured to do so).

When using tcpdump, don't just look at interfaces where you expect to
see the traffic. Look at others where it might conceivably end up, too.

> 5) There is note in FAQ, that Native WireGuard support is also
> available. As both IPsec and WireGuard are new to me, may wg(4) be an
> option?

Yes it's an option, as are openvpn, ssh tun-forwarding, dsvpn, isakmpd, [...]

> 6) Any good IPsec reading next to FAQ and man pages?

It is a wide subject, you'll need something more targeted than just
"good reading on IPsec" to give recommendations. But for iked-to-iked,
you can broadly expect things to work, and there are sufficient tools
in OpenBSD base to help diagnose what's going wrong.

-- 
Please keep replies on the mailing list.
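A worked layout matching the answers above, added here as an illustration and not taken from the poster's config or from the FAQ: site A has a static public address on pppoe0 and runs the responder, site B sees only a private address on its pppoe0 behind 1:1 NAT and initiates. All addresses, host names, policy names and the pppoe0 interface name are constructed placeholders.

```conf
# --- Site A (responder): /etc/iked.conf --------------------------------
# pppoe0 carries the static public address 192.0.2.10 (placeholder).
# 'local' is the address on our own interface; 'peer' is the address we
# must send packets to in order to reach site B, i.e. its 1:1 NAT public
# address, not the private one site B sees on its own pppoe0.
ikev2 "siteB_rsa" passive esp \
        from 10.1.0.0/24 to 10.2.0.0/24 \
        local 192.0.2.10 peer 203.0.113.20 \
        srcid siteA.example.net dstid siteB.example.net \
        ikesa enc aes-128-gcm group curve25519 prf hmac-sha2-256 \
        childsa enc aes-128-gcm group curve25519

# --- Site B (initiator): /etc/iked.conf --------------------------------
# Behind 1:1 NAT the interface only has the private address 100.64.5.7
# (placeholder); that is still what 'local' must be.  'peer' is site A.
ikev2 "siteA_rsa" active esp \
        from 10.2.0.0/24 to 10.1.0.0/24 \
        local 100.64.5.7 peer 192.0.2.10 \
        srcid siteB.example.net dstid siteA.example.net \
        ikesa enc aes-128-gcm group curve25519 prf hmac-sha2-256 \
        childsa enc aes-128-gcm group curve25519

# --- /etc/pf.conf fragment, same shape on both sites -------------------
ext_if     = "pppoe0"
peer_ip    = "203.0.113.20"      # on site B: 192.0.2.10
local_net  = "10.1.0.0/24"       # on site B swap these two
remote_net = "10.2.0.0/24"

# 'log' on the block rule so tcpdump -nei pflog0 shows what is dropped.
block log all
# IKE (500), NAT-T (4500) and raw ESP from the peer to the PPPoE address.
pass in on $ext_if proto udp from $peer_ip to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from $peer_ip to ($ext_if)
pass out on $ext_if
# Tunnelled traffic also crosses pf on enc0 and must be passed there
# (or enc0 taken out of pf entirely with 'set skip on enc0').
pass on enc0 from $local_net to $remote_net keep state (if-bound)
pass on enc0 from $remote_net to $local_net keep state (if-bound)
# Nothing extra is needed on the vlan/LAN side beyond whatever already
# passes traffic between the LAN and this router.

# Testing: the flow selects on SOURCE as well as destination, so a ping
# must be sourced from $local_net or it leaves in the clear via the
# default route instead of entering the tunnel:
#   ping -I 10.1.0.1 10.2.0.1            (on site A's iked box)
#   ipsecctl -sa                          (FLOWS and SAD on both ends)
#   tcpdump -nei enc0                     (is it entering the tunnel?)
#   tcpdump -nei pppoe0 udp port 4500     (is NAT-T traffic leaving?)
```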
