Trouble with OpenSMTPD - always getting 550 Invalid recipient

2018-04-18 Thread Implausibility
Hi.

I'm trying to build an OpenSMTPD mail server for the first time to replace my 
aging Postfix box.

No matter who I address inbound eMails to (local users or aliases), I always 
get 550: Invalid recipient in response on the sending server and in 
/var/log/maillog.  I've tried more than a dozen configs, and I can't get past 
this problem.

Domain anonymized for my comfort, but DNS is configured correctly.  I've tried 
to comment everything possible -- if my comment and configs don't match, please 
let me know where I've gone astray!

Here's my entire smtpd.conf file:

# Random global options
queue compression # Compress data in the queue
max-message-size 25M
expire 7d

# Cryptographic Keys and Certificates
pki mydomain.email certificate "/etc/ssl/mydomain.crt"
pki mydomain.email key "/etc/ssl/private/mydomain.key"
pki mydomain.email dhe auto

# Define tables
table blacklist file:/etc/mail/blacklist  # Blacklist of irritating IPs
table whitelist file:/etc/mail/whitelist  # Whitelist for misconfigured IPs
table aliases   file:/etc/mail/aliases    # Aliases accepted for delivery
table account   file:/etc/mail/account    # Virtual mail accounts
table domains   file:/etc/mail/domains    # Domains to accept mail for
table users     file:/etc/mail/users      # User names with their own mailboxes
table password  file:/etc/mail/password   # Passwords for users


# Allow specific users to send messages as specific eMail addresses
#table senders file:/etc/mail/senders

# Configure interface & standards - add 'verify' to tls-require in the future.
listen on egress tls-require hostname mydomain.email
listen on egress smtps hostname mydomain.email
listen on egress port submission tls-require auth

# The <table> references in the rules below were lost in the list archive
# (angle brackets stripped); they are restored from the table names defined
# above and the comment on each rule.

# Reject troublemakers
reject from source <blacklist>

# Add other filters here?

# Accept from "whitelisted" IPs that are slightly misconfigured
accept from source <whitelist>

# Receive eMails to addresses in the aliases table.
accept from any for domain <domains> alias <aliases> deliver to mbox

# Receive eMails to addresses in the virtual account table.
accept from any for domain <domains> virtual <account> deliver to mbox

# Receive eMails for local users
accept from any for local deliver to mbox

# Forward incoming eMails (from authenticated users) to their destination.
accept for any relay


The messages from my existing postfix server:

Apr 18 23:31:08 sybil postfix/smtp[71679]: 55462205F0CD9: 
to=, relay=mydomain.email[98.76.54.32]:25, delay=2, 
delays=0.01/0.06/1.9/0.05, dsn=5.0.0, status=bounced (host 
mydomain.email[98.76.54.32] said: 550 Invalid recipient (in reply to RCPT TO 
command))
Apr 18 23:31:08 sybil postfix/smtp[71679]: 55462205F0CD9: 
to=, relay=mydomain.email[98.76.54.32]:25, delay=2, 
delays=0.01/0.06/1.9/0.06, dsn=5.0.0, status=bounced (host 
mydomain.email[98.76.54.32] said: 550 Invalid recipient (in reply to RCPT TO 
command))

And the messages from /var/log/maillog:

Apr 19 03:31:06 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=connected 
address=12.34.56.78 host=olddomain.com
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=starttls 
address=12.34.56.78 host=olddomain.com ciphers="version=TLSv1, 
cipher=DHE-RSA-AES256-SHA, bits=256"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command 
address=12.34.56.78 host=olddomain.com command="RCPT TO: 
ORCPT=rfc822;user1@mydomain.email" result="550 Invalid recipient"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command 
address=12.34.56.78 host=olddomain.com command="RCPT 
TO: ORCPT=rfc822;webmaster@mydomain.email" 
result="550 Invalid recipient"
Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=closed 
address=12.34.56.78 host=olddomain.com reason=quit

Any assistance and insight would be greatly appreciated, as well as some 
information on how OpenSMTPD treats local users differently from aliases and 
virtual accounts.

Thanks.
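The maillog lines above are the raw material for diagnosing this, and also for spotting the opposite problem: a remote host sending RCPT TO for many guessed addresses and collecting the `550 Invalid recipient` answers to harvest the ones that exist. The following is an added example, not code from the original post or from the OpenSMTPD project. It parses `smtp event=failed-command` lines in the 6.x format shown above and reports the rejected recipients per source address. The sample lines are constructed: the post's session re-joined onto single lines with the angle-bracketed recipient the archive stripped put back, plus an invented second session from 203.0.113.9 (host `probe.example.net`) probing six mailboxes; the `harvest_suspects` threshold is this example's own choice.

```python
"""Summarise 550 recipient rejections from OpenSMTPD 6.x maillog lines.

Added example for this thread; not code from the original post or from
OpenSMTPD. Sample lines are constructed (see SAMPLE below).
"""
import re
from collections import defaultdict

# One "smtp event=..." line: timestamp, host, smtpd[pid], session id, event
# name, then key=value pairs. Quoted values (command="RCPT TO:<...> ...") may
# contain spaces, so a quoted value is matched as a whole.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<logger>\S+) "
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]+) smtp event=(?P<event>\S+)(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
RCPT_RE = re.compile(r"RCPT TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one smtpd event line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {"ts": m["ts"], "sid": m["sid"], "event": m["event"]}
    for key, value in KV_RE.findall(m["rest"]):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def rcpt_rejections(lines):
    """Map source address -> [(recipient, result)] for RCPT TO answered with 550."""
    out = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None or f["event"] != "failed-command":
            continue
        rcpt = RCPT_RE.match(f.get("command", ""))
        if rcpt is None or not f.get("result", "").startswith("550"):
            continue
        out[f.get("address", "?")].append((rcpt.group(1), f["result"]))
    return dict(out)


def harvest_suspects(lines, threshold=5):
    """Addresses that had at least `threshold` distinct recipients rejected.

    The threshold is this example's choice; tune it to the site's real traffic.
    """
    return {addr for addr, hits in rcpt_rejections(lines).items()
            if len({rcpt for rcpt, _ in hits}) >= threshold}


# Constructed sample: the session from the post (unwrapped, recipients in <>),
# plus an invented session from 203.0.113.9 guessing six mailboxes in a row.
SAMPLE = [
    "Apr 19 03:31:06 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=connected "
    "address=12.34.56.78 host=olddomain.com",
    "Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command "
    "address=12.34.56.78 host=olddomain.com command=\"RCPT TO:<user1@mydomain.email> "
    "ORCPT=rfc822;user1@mydomain.email\" result=\"550 Invalid recipient\"",
    "Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=failed-command "
    "address=12.34.56.78 host=olddomain.com command=\"RCPT TO:<webmaster@mydomain.email> "
    "ORCPT=rfc822;webmaster@mydomain.email\" result=\"550 Invalid recipient\"",
    "Apr 19 03:31:08 leclerc smtpd[6384]: 8d44a173e36ff947 smtp event=closed "
    "address=12.34.56.78 host=olddomain.com reason=quit",
] + [
    f"Apr 19 04:02:{10 + i:02d} leclerc smtpd[6384]: 1f0e2d3c4b5a6978 smtp event=failed-command "
    f"address=203.0.113.9 host=probe.example.net command=\"RCPT TO:<{name}@mydomain.email>\" "
    f"result=\"550 Invalid recipient\""
    for i, name in enumerate(["admin", "sales", "info", "test", "bob", "alice"])
]

if __name__ == "__main__":
    for addr, hits in rcpt_rejections(SAMPLE).items():
        print(addr, [rcpt for rcpt, _ in hits])
    print("possible directory harvest from:", harvest_suspects(SAMPLE))
```

Run it against a real `/var/log/maillog` with `rcpt_rejections(open("/var/log/maillog"))`; the two rejections from 12.34.56.78 in the post are normal for a misconfigured ruleset, while a single source collecting dozens of 550s for different names is the pattern worth rate-limiting or blacklisting.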




Android (MTP) with OpenBSD: Tiny success story

2018-04-18 Thread IL Ka
I just connected my Android device to OpenBSD, and since
I did not find any article on this subject, I want to share my experience.

OpenBSD supports USB Mass Storage Devices (used in USB drives)
with umass(4).

But Android uses MTP (a file-level protocol, not block-level like umass),
so OpenBSD uses ugen(4) to give user-space tools access
to an otherwise unknown USB device.

I installed the ``simple-mtpfs`` package, which uses fuse (user-space fs).

$ mtp-connect
$ simple-mtpfs /mnt

and it worked! You only need to be sure that your screen is unlocked.
For some reason my Android does not allow connecting to it otherwise.

There is also the ``devel/adb`` port to debug and install .apk files, but
I haven't tried it yet.


Re: Virtualbox vs latest snapshot

2018-04-18 Thread David Higgs
On Tue, Apr 10, 2018 at 6:50 PM, Stuart Henderson 
wrote:

> On 2018-04-10, csszep  wrote:
> > Hi!
> >
> > I installed the latest 04.10 snapshot, the install procedure went fine,
> > but after reboot the VM gets stuck in an endless boot loop.
> >
> > It prints only the "booting hda0:/bsd" line before rebooting.
> >
> > The 04.03 snapshot works fine.
> >
> > There is a similar experience for someone with Virtualbox 5.2.8?
> >
>
> There's a recent bootloader problem, possibly following the update
> to clang 6, that affects some machines. I suspect this might be
> involved here.
>
> To confirm if this is the problem, can you install the older
> snapshot as normal, then update kernel and file sets to the newer
> one? (follow the "Upgrade without the install kernel" steps on
> http://www.openbsd.org/faq/upgrade63.html, except skip the part
> about running installboot to install a new bootloader).
>
> Can you report back either way please (preferably to bugs@, with
> dmesg and anything special about the VM config).. If it is the
> same thing it would be useful for developers to have a way to
> reproduce the problem that doesn't involve specific hardware..
>
>
FWIW, I noticed that the latest snapshot installed BOOT 3.39, which booted
kernels in VirtualBox just fine for me.

Thanks again.

--david


Re: dmesg for edgerouter lite

2018-04-18 Thread jungle boogie

Thus said Sean Murphy on Fri, 13 Apr 2018 22:03:48 -0400

Hello all,

Also upgraded the ERL to 6.3, dmesg to follow.



You might enjoy this post:
https://www.undeadly.org/cgi?action=article;sid=20180418073437





my first experience of growfs

2018-04-18 Thread Tuyosi T
Hi all.

I found a very nice page ( http://fuguita.org/index.php?BBS%2F3 ).

So I followed it, and managed to clone HDD1 to HDD2 (fdisk, disklabel &
growfs).

1) HDD1 < HDD2

2) dd HDD1 to HDD2 (by archlinux)

3) power on HDD2

boot bsd.rd
fdisk -e sd0 -> edit 3
disklabel -E sd0 -> b -> c a
fsck -fy /dev/rsd0a
growfs /dev/rsd0a
/dev/rsd0a
reboot

Details are on http://openbsd-akita.blogspot.jp/2018/04/growfs.html
but there may be some mistakes; please point them out.
---
regards


Re: Capturing ddb output when "boot reboot" fails

2018-04-18 Thread Rodney Polkinghorne
Thanks Stuart.

> Try "call cpu_reset".

That made the machine reboot cleanly.  Afterwards, dmesg and
dmesg.boot had captured both the 6.3 boot and the 6.3 reboot, but the
ddb session in between was missing.  Is there a ddb command that
flushes the session log to the message buffer?

> Or take photos and please transcribe the most
> important bits - at least the panic / crash string and function names
> from 'trace' - it's a lot quicker to figure out who needs to see it
> if those are available in plaintext in the email.

(==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
uvm_fault(0xd0c10110, 0xd44fa000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  _rb_min+0x12:   movl0(%edx),%esi

ddb{0}> trace
_rb_min(d09c33a8,d1127004) at _rb_min+0x12
uvm_pmr_get1page(1,0,f5ea0798,0,0,0) at uvm_pmr_get1page+0x105
uvm_pmr_getpages(1,0,0,1,0,1,2,f5ea0798) at uvm_pmr_getpages+0x1a3
uvm_pagealloc(d610d630,4000,0,0) at uvm_pagealloc+0x155
uvn_get(d610d630,4000,0,f5ea0854,f5ea085c,0,4,0) at uvn_get+0xbc
uvm_fault(d6513310,fa97000,0,4) at uvm_fault+0xaf6
trap() at trap+0x602
--- trap(number -2107169536) ---
end of kernel
0x14:
ddb{0}>

Rodney



DRM and IOCTL missing requests

2018-04-18 Thread robert.d...@yahoo.fr
Hello,
OpenBSD doesn't implement some ioctl requests for drm devices, i.e. DRM_PRIME_*. 
Are there any (and surely obvious) reasons for that?
Nonetheless, is it possible to patch the libdrm headers to keep them undefined, 
so that it would lead to straightforward errors, instead of having only an 
errno pointing out an invalid argument? Of course, some functions will drop 
too, but it would be much safer.
Finally, is there any way to implement it (hints to do so)?
Thanks


Re: thank you for 6.3

2018-04-18 Thread Alfredo “Fred” Vogel
Hi, I am running 6.3 on my DIY PC as a desktop and it just works! Thanks 
from me to all OpenBSD developers...


On 18 April 2018 19:15:02 Scott Bonds  wrote:


Under 6.2 my laptop would hang a few hours after waking from sleep, and
it was my own damn fault for running an unsupported config (Lenovo x200
+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to
get it to hang and I find myself back in 'it just works' land which is
so, so nice. So nice.

I don't know who to thank, and maybe the dev that fixed my issue
wouldn't know *they* fixed it, but...thank you.






No place for "wsfontload" and "wsconscfg" in rc?

2018-04-18 Thread IL Ka
Hello,

It may sound silly: nobody uses the console these days (except in emergencies),
but I am curious:
I want to load a font and set it using wsconsctl display.font
I also want to change the display type.

I can do all of that in rc.local, but there is a separate place for
wsconsctl:
/etc/wsconsctl.conf

I want to use it, but I can't set display.font there because it is called
by rc, hence before rc.local, before my font is loaded.

And there is no place for wsconscfg except rc.local.

In NetBSD they solved it by having a separate file
for all wscons* stuff
https://www.daemon-systems.org/man/wscons.conf.5.html
In FreeBSD they set everything in rc.conf

And OpenBSD has:
1) /etc/kbdtype for kbd
(it's weird because I can use keyboard.encoding in /etc/wsconsctl.conf)
2) /etc/wsconsctl.conf
(for everything else except font loading and virtual display management)

So, there is no place for fonts.
And there is no place for wsconscfg
(if I want to create a display, changing its type, I should put it in
rc.local)

I like the NetBSD approach here, and it seems that it can be implemented
using a simple ksh or perl script.

One may say that it is too complicated: why create a
separate config file for something that could be done with 3 lines in
rc.local.

But then why do we have /etc/kbdtype and /etc/wsconsctl.conf?

Ilya


thank you for 6.3

2018-04-18 Thread Scott Bonds
Under 6.2 my laptop would hang a few hours after waking from sleep, and 
it was my own damn fault for running an unsupported config (Lenovo x200 
+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to 
get it to hang and I find myself back in 'it just works' land which is 
so, so nice. So nice.


I don't know who to thank, and maybe the dev that fixed my issue 
wouldn't know *they* fixed it, but...thank you.




Re: NFS server down, again, and again, and again...

2018-04-18 Thread Ryan Freeman
On Wed, Apr 18, 2018 at 01:08:01PM -0400, Rupert Gallagher wrote:
> This is all I managed to retrieve from the logs (/var/log/daemons, 
> /var/log/messages):
> 
> Mar 12 09:27:20 server mountd[50607]: Socket disconnected
> Mar 29 18:05:30 server mountd[52162]: Socket disconnected
> Apr 16 12:04:07 server mountd[66430]: Socket disconnected
> Apr 17 17:55:26 server mountd[14081]: Socket disconnected
> 
> No messages from nfsd and portmap.
> 
> If the logs are true, then mountd is the daemon that is causing problems.
> 
> The manual says
> 
> > -d  Enable debugging mode.  mountd will not detach from the
> >controlling terminal and will print debugging messages to stderr.
> 
> The above option does not work, because it detaches from the terminal:
> 
> > > doas /sbin/mountd -d
> > Here we go.
>

This is how it works when your system is normal:
$ doas touch /etc/exports
$ doas mountd -d
Here we go.
Getting export list.
unexporting / /
unexporting /home /home
unexporting /tmp /tmp
unexporting /usr /usr
unexporting /usr/X11R6 /usr/X11R6
unexporting /usr/local /usr/local
unexporting /usr/obj /usr/obj
unexporting /usr/ports /usr/ports
unexporting /usr/src /usr/src
unexporting /var /var
unexporting /tmpfs /tmpfs
Getting mount list.
* waiting here in foreground *
 
> I tried "mountd_flags=-d" in rc.conf.local, and rebooted the whole OS, 
> because mountd refuses soft restart. As a result, the OS refuses to boot. 
> System crashed.

On this point, ``rcctl restart mountd'' works fine.  Restarting mountd
will not harm things already mounted, they will already be handled by one
of the running nfsd processes.

Also, ``pkill -1 mountd'' tends to work fine as well.  You can verify this
when you adjust /etc/exports by using ``showmount -e'', making a new or
removing an exports entry, SIGHUP the mountd process, and check showmount
again.

I have never needed to reboot just to reload/restart mountd.

You may want to revisit how you set these machines up, as it is likely
that cognitive bias from your 30+ years of experience is making you miss
something simple.

> 
> On 18 April 2018 2:47 AM, IL Ka  wrote:
> 
> > You could use ktrace(1) to trace all calls and then use kdump(1) to read 
> > them, which may help you find what causes it to die, but it may be tricky 
> > for anyone except an nfsd developer..
> > You can also try to find person who supports it by looking at last commits 
> > to:
> > https://github.com/openbsd/src/blame/master/sbin/nfsd/nfsd.c
> > and email this person, but I do not know if it will help, or talk to people 
> > on bugs@ list.
> >
> > Or you can move to samba/smbd: SMB must have good support in Windows.
> >
> > On Wed, Apr 18, 2018 at 2:53 AM, Rupert Gallagher  
> > wrote:
> >
> >>> Do you mean nfsd server dies?
> >>
> >> I mean the NFS service as delivered by nfsd, portmap and mountd.
> >>
> >>> Does it provide core dump?
> >>
> >> No!
> >>
> >>> You do not need to restart it
> >> manually: just create script that checks for server existence (like 
> >> ``/etc/rc.d/nfsd check``) and run it if it is dead.
> >> I usually prepare my servers from source with custom patches and settings. 
> >> When a server dies on me, it makes a lot of noise in the logs, and it 
> >> happens rarely. In 30+ years of activity, I have never restarted a 
> >> production server because of clients using it!
> >>
> >> NFS is an exception. I am using the obsd default, and it dies on me under 
> >> load and without logs. It is unreliable.



Re: NFS server down, again, and again, and again...

2018-04-18 Thread Rupert Gallagher
This is all I managed to retrieve from the logs (/var/log/daemons, 
/var/log/messages):

Mar 12 09:27:20 server mountd[50607]: Socket disconnected
Mar 29 18:05:30 server mountd[52162]: Socket disconnected
Apr 16 12:04:07 server mountd[66430]: Socket disconnected
Apr 17 17:55:26 server mountd[14081]: Socket disconnected

No messages from nfsd and portmap.

If the logs are true, then mountd is the daemon that is causing problems.

The manual says

> -d  Enable debugging mode.  mountd will not detach from the
>controlling terminal and will print debugging messages to stderr.

The above option does not work, because it detaches from the terminal:

> > doas /sbin/mountd -d
> Here we go.

I tried "mountd_flags=-d" in rc.conf.local, and rebooted the whole OS, because 
mountd refuses soft restart. As a result, the OS refuses to boot. System 
crashed.

On 18 April 2018 2:47 AM, IL Ka  wrote:

> You could use ktrace(1) to trace all calls and then use kdump(1) to read 
> them, which may help you find what causes it to die, but it may be tricky for 
> anyone except an nfsd developer..
> You can also try to find person who supports it by looking at last commits to:
> https://github.com/openbsd/src/blame/master/sbin/nfsd/nfsd.c
> and email this person, but I do not know if it will help, or talk to people 
> on bugs@ list.
>
> Or you can move to samba/smbd: SMB must have good support in Windows.
>
> On Wed, Apr 18, 2018 at 2:53 AM, Rupert Gallagher  wrote:
>
>>> Do you mean nfsd server dies?
>>
>> I mean the NFS service as delivered by nfsd, portmap and mountd.
>>
>>> Does it provide core dump?
>>
>> No!
>>
>>> You do not need to restart it
>> manually: just create script that checks for server existence (like 
>> ``/etc/rc.d/nfsd check``) and run it if it is dead.
>> I usually prepare my servers from source with custom patches and settings. 
>> When a server dies on me, it makes a lot of noise in the logs, and it 
>> happens rarely. In 30+ years of activity, I have never restarted a 
>> production server because of clients using it!
>>
>> NFS is an exception. I am using the obsd default, and it dies on me under 
>> load and without logs. It is unreliable.


Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread Marko Cupać
On Wed, 18 Apr 2018 15:45:04 +0200
"C. L. Martinez"  wrote:

> Thanks Marko, but I have found the problem.
> 
> These rules are under anchor sub-group rules ... Moving these rules
> to the top, after "block log all", everything is working ...

I'm glad you made it work.

> Maybe it is a bug with anchor rules?

I couldn't comment on this, I don't write PF code, just rulesets :)

However, before considering the possibility of a bug, I would first
check if rule order in pf.conf matches output of `pfctl -vvsr'.
ruleset-optimization is by default set to "basic" (read more in
pf.conf(5)), so rule order you see in pf.conf is often not rule
order that you get in pfctl -vvsr.

Happy firewalling,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Thanks Marko, but I have found the problem.

These rules are under anchor sub-group rules ... Moving these rules to the top,
after "block log all", everything is working ...

Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać  wrote:

> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez"  wrote:
>
> > Hi all,
> >
> >  I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> >  To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> > (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> > (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check the exact line with pfctl -vvsr. Add either a default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exactly the traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>


Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread Marko Cupać
On Wed, 18 Apr 2018 15:01:24 +0200
"C. L. Martinez"  wrote:

> Hi all,
> 
>  I am trying to configure an ipsec tunnel (host-to-host) between two
> hosts that go through an openbsd firewall. Tunnel is established, but
> when I try to, for example, connect via ssh from one host to the
> other, pf blocks traffic:
> 
> Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> 
>  To do some tests, I have configured the following rules:
> 
> pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> (if-bound)
> pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> (if-bound)
> 
> Any idea?

Hard to say without complete ruleset, but from what I see here, your
rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
while no other rule after that (or one before that with 'quick'
keyword) permits it.

Check the exact line with pfctl -vvsr. Add either a default 'pass out'
somewhere below (I prefer it at the end of my ruleset, as I have so far
never blocked out stuff I already passed in), or pass out exactly the traffic
you need, eg:

pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2

Hope this helps,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
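The advice above comes down to reading the pflog line carefully: which rule number, which direction, which interface and which protocol, then looking that rule up with pfctl -vvsr. The following is an added example, not code from the posts or from OpenBSD. It parses pflog lines as tcpdump prints them, counts blocked packets per flow, and drafts the narrowest pass rule for an ESP/AH flow, which for the five lines in the thread is exactly the rule Marko suggested. The sample lines are the post's five lines re-joined onto single lines; the handling of dotted rule names for anchors, of the older "rule N/0(match)" form, and of non-IPsec packets are this example's own assumptions about tcpdump's output. The drafted rule is something to review against the ruleset, never something to feed to pfctl unread: a blocked flow is not legitimate just because it was blocked.

```python
"""Pull blocked flows out of pflog lines as printed by tcpdump.

Added example for this thread; not code from the original posts or from
OpenBSD. SAMPLE holds the five lines from the post, each joined back onto
one line.
"""
import re
from collections import Counter

# tcpdump on pflog0 prints: timestamp, "rule N/(reason)", optionally the socket
# owner, then action, direction, interface and the packet. Assumptions of this
# example: a rule inside an anchor is printed as a dotted path (e.g.
# "3.ipsec.0"), so the rule field is not restricted to digits, and older
# releases print "rule N/0(match)".
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} [\d:.]+) rule (?P<rule>[^/\s]+)(?:/\d+)?/?"
    r"\((?P<reason>[^)]*)\) (?:\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] )?"
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>[A-Za-z]+\d+): (?P<pkt>.*)$"
)
# IPsec packets: "esp SRC > DST spi 0x... seq N len N"
IPSEC_RE = re.compile(
    r"^(?P<proto>esp|ah) (?P<src>\S+) > (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+) seq (?P<seq>\d+)"
)
# Anything else: keep the two endpoints (tcpdump appends .port for TCP/UDP)
# and mark the protocol unknown rather than guess it.
GENERIC_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>[^\s:]+)")


def parse_pflog(line):
    """Fields of one pflog line, or None if the line does not look like one."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    pkt = f.pop("pkt")
    ipsec = IPSEC_RE.match(pkt)
    if ipsec is not None:
        f.update(ipsec.groupdict())
        return f
    f["proto"] = "?"
    generic = GENERIC_RE.match(pkt)
    if generic is not None:
        f.update(generic.groupdict())
    return f


def blocked_flows(lines):
    """Count blocked packets per (rule, dir, ifname, proto, src, dst)."""
    flows = Counter()
    for line in lines:
        f = parse_pflog(line)
        if f is not None and f["action"] == "block":
            flows[(f["rule"], f["dir"], f["ifname"], f["proto"], f.get("src"), f.get("dst"))] += 1
    return flows


def suggest_pass_rule(flow):
    """Draft the narrowest pass rule matching this flow (ESP/AH only).

    Review it against `pfctl -vvsr` before adding it; this is a draft, not
    an instruction to pass whatever was blocked.
    """
    rule, direction, ifname, proto, src, dst = flow
    if proto not in ("esp", "ah"):
        raise ValueError("no automatic suggestion for non-IPsec traffic")
    return f"pass {direction} on {ifname} proto {proto} from {src} to {dst}"


# The post's five lines, each re-joined onto one line.
SAMPLE = [
    f"Apr 18 12:53:{sec} rule 24/(match) [uid 0, pid 19127] block out on vio0: "
    f"esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq {seq} len 100 (DF) [tos 0x10] "
    f"(ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)"
    for seq, sec in enumerate(["00.286351", "02.292330", "06.300396", "14.324382", "30.356437"], start=1)
]

if __name__ == "__main__":
    for flow, count in blocked_flows(SAMPLE).items():
        print(f"rule {flow[0]}: {count} packets {flow[1]} on {flow[2]} {flow[3]} {flow[4]} -> {flow[5]}")
        if flow[3] in ("esp", "ah"):
            print("  candidate:", suggest_pass_rule(flow))
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output (or a live `-i pflog0`). The rule number it reports is the index in `pfctl -vvsr` output; for a rule inside an anchor, list that anchor with `pfctl -a name -vvsr`. Note that the post's own `pass in` rules can never match these packets: they are outbound ESP, and no `pass out` exists after the `block` that caught them.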



OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Hi all,

 I am trying to configure an ipsec tunnel (host-to-host) between two hosts
that go through an openbsd firewall. Tunnel is established, but when I try
to, for example, connect via ssh from one host to the other, pf blocks
traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

 To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
(if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
(if-bound)

Any idea?