Re: ikev2 All incoming/outgoing traffic over IPsec?
Not sure I quite understand this setup. Why redirect over port 9222 on the client—can’t you just do “pass in … rdr-to 192.168.6.1 port ssh” on the server? That said, I do believe you’ll need NAT on the server, because it’s now masquerading its own 192.168.5.0/24 network as well as the 192.168.6.0/24 network of the client.

// Johan

> On May 21, 2018, at 05:11, Denis wrote:
>
> I can successfully ping both sides of IPsec tunnel:
>
> server$ ping -I 192.168.5.1 192.168.6.1
> 64 bytes from 192.168.6.1 icpm_seq...
>
> client$ ping -I 192.158.6.1 192.168.5.1
> 64 bytes from 192.168.6.1 icpm_seq...\
>
> tcpdump -en -i pflog0
> shows nothing about blocked traffic while connecting by "external machine"
>
> I tried to do external connection to server's public IP (a.b.c.d) and redirect this connection by PF through IPsec tunnel to client's IPsec IP: 192.168.6.1. Then client's PF rules redirect connection from server's IPsec IP: 192.168.5.1 to a client's 127.0.0.1 and must reply to external machine from a.b.c.d
>
> My test conditions:
>
> external machine
> #ssh -p 9922 to a.b.c.d
> |
> |
> server's public IP is a.b.c.d
> PF rule:
> pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
>     port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
> ||
> ||
> IPsec tunnel (working):
> srv IP: 192.168.5.1
> clnt IP: 192.168.6.1
> ||
> ||
> client's PF rule:
> pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to \
>     lo0 port 22 modulate state
>
> Incoming packets from "external machine" with SSH client seems to be redirected to client's 127.0.0.1 port 22, but client not replied to a "external machine".
>
> It seems I have to implement NAT rule for IPsec or what?
>
> Please advise.
>
> Denis
>
> On 5/15/2018 5:12 AM, Johan Hattne wrote:
>> I don’t know that outgoing traffic from lo is expected to go through the tunnel. If you’re doing these tests with ping, does e.g.
>>
>> server$ ping -I 192.168.6.1 192.168.5.1
>>
>> yield the expected results? I’d expect ping responses, and tcpdump on the enc interfaces on both sides to show both the request and the response.
>>
>> // Johan
>>
>>> On May 14, 2018, at 07:34, Denis wrote:
>>>
>>> I have added to /etc/pf.conf:
>>>
>>> ipsec_if = "axen0"
>>> ipsec_remote_lan = "192.168.5.0/24"
>>>
>>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>>
>>> but outgoing traffic from client's lo0 is blocked anyway:
>>>
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>>>
>>> Denis
>>>
>>> On 5/14/2018 2:17 PM, Denis wrote:
>>>> Incoming connections to client's IP (192.168.6.1) is established and seems redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to
>>>>
>>>> # tcpdump -en -i pflog0 output:
>>>>
>>>> ...
>>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>>>> ...
>>>>
>>>> Do I need to add a NAT rule to have reply passed to server's source IP (192.168.5.1) or what?
>>>>
>>>> Thanks.
>>>>
>>>> Denis
>>>>
>>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets
>>>>>
>>>>> block log (all, to pflog0)
>>>>>
>>>>> in pf.conf and dumping it
>>>>>
>>>>> # tcpdump -en -i pflog0
>>>>>
>>>>> while doing what you expect should work?
>>>>>
>>>>> // Johan
>>>>>
>>>>>> On May 13, 2018, at 02:15, Denis wrote:
>>>>>>
>>>>>> Johan,
>>>>>>
>>>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>     keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>     keep state (if-bound)
>>>>>>
>>>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>>>
>>>>>>>> On May 11, 2018, at 06:21, Denis wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>>>>>>
>>>>>>>> # cat /etc/hostname.em1
>>>>>>>> ### server $ext_if
>>>>>>>> dhcp
>>>>>>>> alias 192.168.5.1 255.255.255.0
>>>>>>>>
>>>>>>>> |
>>>>>>>> | IPsec
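An added example (not from the thread) of the server-side translation Johan is pointing at: the public port is redirected to the client's sshd through the tunnel, and the source is rewritten to the server's tunnel address so the client's replies come back over enc0 instead of following the client's default route. It assumes the thread's interface names and addresses, that sshd on the client listens on 192.168.6.1 (so no second rdr-to to lo0 is needed), and that rdr-to and nat-to are combined in one rule; the thread's existing enc0 pass rules cover the translated flow.

```pf
# Added example, not from the thread. Assumed: server public address on em1
# (a.b.c.d, matched via ($ext_if) so it follows dhcp), tunnel endpoints
# 192.168.5.1 (server) and 192.168.6.1 (client), sshd on the client bound
# to 192.168.6.1.

# ---- server /etc/pf.conf
ext_if       = "em1"
ipsec_enc_if = "enc0"
srv_tun_ip   = "192.168.5.1"
clnt_tun_ip  = "192.168.6.1"

# Incoming SSH on the public port: rewrite the destination to the client's
# tunnel address (rdr-to) AND the source to the server's own tunnel address
# (nat-to). The client then sees 192.168.5.1 -> 192.168.6.1:22, which lies
# inside the IPsec flow 192.168.5.0/24 <-> 192.168.6.0/24, so its replies are
# encapsulated and sent back through enc0. With rdr-to alone the client sees
# the external source address and routes its reply via its default gateway,
# outside the tunnel, and the external host never gets an answer from a.b.c.d.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 9922 \
    rdr-to $clnt_tun_ip port 22 nat-to $srv_tun_ip

# The translated packet leaves via enc0; the thread's existing rule
#   pass out quick on $ipsec_enc_if from $ipsec_local_lan to $ipsec_remote_lan
# already matches it, so nothing else is needed on the server side.

# ---- client /etc/pf.conf
ipsec_enc_if = "enc0"
srv_tun_ip   = "192.168.5.1"
clnt_tun_ip  = "192.168.6.1"

# Accept the forwarded session on the tunnel address; the state created on
# enc0 lets the replies to 192.168.5.1 pass back without an extra out rule.
pass in quick on $ipsec_enc_if inet proto tcp from $srv_tun_ip \
    to $clnt_tun_ip port 22 keep state (if-bound)
```

Verify with `tcpdump -ni enc0` on both sides: the request should appear as 192.168.5.1 -> 192.168.6.1:22 and the reply in the opposite direction, and `pfctl -ss` on the server should show the state with both the original and the translated address pair.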
Re: ikev2 All incoming/outgoing traffic over IPsec?
I can successfully ping both sides of IPsec tunnel:

server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icpm_seq...

client$ ping -I 192.158.6.1 192.168.5.1
64 bytes from 192.168.6.1 icpm_seq...\

tcpdump -en -i pflog0
shows nothing about blocked traffic while connecting by "external machine"

I tried to do external connection to server's public IP (a.b.c.d) and redirect this connection by PF through IPsec tunnel to client's IPsec IP: 192.168.6.1. Then client's PF rules redirect connection from server's IPsec IP: 192.168.5.1 to a client's 127.0.0.1 and must reply to external machine from a.b.c.d

My test conditions:

external machine
#ssh -p 9922 to a.b.c.d
|
|
server's public IP is a.b.c.d
PF rule:
pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
    port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
||
||
IPsec tunnel (working):
srv IP: 192.168.5.1
clnt IP: 192.168.6.1
||
||
client's PF rule:
pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to \
    lo0 port 22 modulate state

Incoming packets from "external machine" with SSH client seems to be redirected to client's 127.0.0.1 port 22, but client not replied to a "external machine".

It seems I have to implement NAT rule for IPsec or what?

Please advise.

Denis

On 5/15/2018 5:12 AM, Johan Hattne wrote:
> I don’t know that outgoing traffic from lo is expected to go through the tunnel. If you’re doing these tests with ping, does e.g.
>
> server$ ping -I 192.168.6.1 192.168.5.1
>
> yield the expected results? I’d expect ping responses, and tcpdump on the enc interfaces on both sides to show both the request and the response.
>
> // Johan
>
>> On May 14, 2018, at 07:34, Denis wrote:
>>
>> I have added to /etc/pf.conf:
>>
>> ipsec_if = "axen0"
>> ipsec_remote_lan = "192.168.5.0/24"
>>
>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>
>> but outgoing traffic from client's lo0 is blocked anyway:
>>
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>>
>> Denis
>>
>> On 5/14/2018 2:17 PM, Denis wrote:
>>> Incoming connections to client's IP (192.168.6.1) is established and seems redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to
>>>
>>> # tcpdump -en -i pflog0 output:
>>>
>>> ...
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>>> ...
>>>
>>> Do I need to add a NAT rule to have reply passed to server's source IP (192.168.5.1) or what?
>>>
>>> Thanks.
>>>
>>> Denis
>>>
>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets
>>>>
>>>> block log (all, to pflog0)
>>>>
>>>> in pf.conf and dumping it
>>>>
>>>> # tcpdump -en -i pflog0
>>>>
>>>> while doing what you expect should work?
>>>>
>>>> // Johan
>>>>
>>>>> On May 13, 2018, at 02:15, Denis wrote:
>>>>>
>>>>> Johan,
>>>>>
>>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>     keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>     keep state (if-bound)
>>>>>
>>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>>
>>>>>>> On May 11, 2018, at 06:21, Denis wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>>>>>
>>>>>>> # cat /etc/hostname.em1
>>>>>>> ### server $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.5.1 255.255.255.0
>>>>>>>
>>>>>>> |
>>>>>>> | IPsec
>>>>>>> |
>>>>>>>
>>>>>>> # cat /etc/hostname.axen0
>>>>>>> ### client $ext_if
>>>>>>> dhcp
>>>>>>> alias 192.168.6.1 255.255.255.0
>>>>>>>
>>>>>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>>>>>>
>>>>>>> server# ping 192.168.6.1
>>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>>>> ...
>>>>>>> clielnt# ping 192.168.5.1
>>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
Re: ikev2 All incoming/outgoing traffic over IPsec?
I don’t know that outgoing traffic from lo is expected to go through the tunnel. If you’re doing these tests with ping, does e.g.

server$ ping -I 192.168.6.1 192.168.5.1

yield the expected results? I’d expect ping responses, and tcpdump on the enc interfaces on both sides to show both the request and the response.

// Johan

> On May 14, 2018, at 07:34, Denis wrote:
>
> I have added to /etc/pf.conf:
>
> ipsec_if = "axen0"
> ipsec_remote_lan = "192.168.5.0/24"
>
> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>
> but outgoing traffic from client's lo0 is blocked anyway:
>
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>
> Denis
>
> On 5/14/2018 2:17 PM, Denis wrote:
>> Incoming connections to client's IP (192.168.6.1) is established and seems redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to
>>
>> # tcpdump -en -i pflog0 output:
>>
>> ...
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
>> ...
>>
>> Do I need to add a NAT rule to have reply passed to server's source IP (192.168.5.1) or what?
>>
>> Thanks.
>>
>> Denis
>>
>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets
>>>
>>> block log (all, to pflog0)
>>>
>>> in pf.conf and dumping it
>>>
>>> # tcpdump -en -i pflog0
>>>
>>> while doing what you expect should work?
>>>
>>> // Johan
>>>
>>>> On May 13, 2018, at 02:15, Denis wrote:
>>>>
>>>> Johan,
>>>>
>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>     keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>     keep state (if-bound)
>>>>
>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>
>>>>>> On May 11, 2018, at 06:21, Denis wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>>>>
>>>>>> # cat /etc/hostname.em1
>>>>>> ### server $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.5.1 255.255.255.0
>>>>>>
>>>>>> |
>>>>>> | IPsec
>>>>>> |
>>>>>>
>>>>>> # cat /etc/hostname.axen0
>>>>>> ### client $ext_if
>>>>>> dhcp
>>>>>> alias 192.168.6.1 255.255.255.0
>>>>>>
>>>>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>>>>>
>>>>>> server# ping 192.168.6.1
>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>>> ...
>>>>>> clielnt# ping 192.168.5.1
>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>>>> ...
>>>>>>
>>>>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>>>>>>
>>>>>> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>>>>>>
>>>>>> server# cat /etc/iked.conf
>>>>>> gw_ip = "em1"
>>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>>     which obtain an address from dhcp
>>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>     which obtain an address from dhcp too.
>>>>>> mode = "passive"
>>>>>>
>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>     from $local_lan to $remote_lan \
>>>>>>     local $gw_ip peer any \
>>>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>>>     tag "srv.tld.ipsec" \
>>>>>>     tap "enc0"
>>>>>>
>>>>>> server# cat /etc/pf.conf
>>>>>> ...
>>>>>> ext_if = em1
>>>>>> ipsec_if = em1
>>>>>> ipsec_enc_if = enc0
>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>> ...
>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>> ...
>>>>>> block on $ext_if
Re: ikev2 All incoming/outgoing traffic over IPsec?
I have added to /etc/pf.conf:

ipsec_if = "axen0"
ipsec_remote_lan = "192.168.5.0/24"

pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan

but outgoing traffic from client's lo0 is blocked anyway:

rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384

Denis

On 5/14/2018 2:17 PM, Denis wrote:
> Incoming connections to client's IP (192.168.6.1) is established and seems redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to
>
> # tcpdump -en -i pflog0 output:
>
> ...
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
> ...
>
> Do I need to add a NAT rule to have reply passed to server's source IP (192.168.5.1) or what?
>
> Thanks.
>
> Denis
>
> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets
>>
>> block log (all, to pflog0)
>>
>> in pf.conf and dumping it
>>
>> # tcpdump -en -i pflog0
>>
>> while doing what you expect should work?
>>
>> // Johan
>>
>>> On May 13, 2018, at 02:15, Denis wrote:
>>>
>>> Johan,
>>>
>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>     keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>     keep state (if-bound)
>>>
>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>
>>>>> On May 11, 2018, at 06:21, Denis wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>>>
>>>>> # cat /etc/hostname.em1
>>>>> ### server $ext_if
>>>>> dhcp
>>>>> alias 192.168.5.1 255.255.255.0
>>>>>
>>>>> |
>>>>> | IPsec
>>>>> |
>>>>>
>>>>> # cat /etc/hostname.axen0
>>>>> ### client $ext_if
>>>>> dhcp
>>>>> alias 192.168.6.1 255.255.255.0
>>>>>
>>>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>>>>
>>>>> server# ping 192.168.6.1
>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>> ...
>>>>> clielnt# ping 192.168.5.1
>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>>> ...
>>>>>
>>>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>>>>>
>>>>> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>>>>>
>>>>> server# cat /etc/iked.conf
>>>>> gw_ip = "em1"
>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>     which obtain an address from dhcp
>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>     which obtain an address from dhcp too.
>>>>> mode = "passive"
>>>>>
>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>     from $local_lan to $remote_lan \
>>>>>     local $gw_ip peer any \
>>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>>     tag "srv.tld.ipsec" \
>>>>>     tap "enc0"
>>>>>
>>>>> server# cat /etc/pf.conf
>>>>> ...
>>>>> ext_if = em1
>>>>> ipsec_if = em1
>>>>> ipsec_enc_if = enc0
>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>> ...
>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>> queue bulk parent rootq bandwidth 10M default
>>>>> ...
>>>>> block on $ext_if all
>>>>> block on $ipsec_enc_if all
>>>>> ...
>>>>>
>>>>> # --- IPsec
>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>     {isakmp, ipsec-nat-t}
>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>     {isakmp, ipsec-nat-t} keep state
>>>>>
>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>     keep state set queue ipsec
>>>>>
>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to
Re: ikev2 All incoming/outgoing traffic over IPsec?
Incoming connections to client's IP (192.168.6.1) is established and seems redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to

# tcpdump -en -i pflog0 output:

...
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S 776927979:776927979(0) ack 896868769 win 16384
...

Do I need to add a NAT rule to have reply passed to server's source IP (192.168.5.1) or what?

Thanks.

Denis

On 5/13/2018 7:12 PM, Johan Hattne wrote:
> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets
>
> block log (all, to pflog0)
>
> in pf.conf and dumping it
>
> # tcpdump -en -i pflog0
>
> while doing what you expect should work?
>
> // Johan
>
>> On May 13, 2018, at 02:15, Denis wrote:
>>
>> Johan,
>>
>> Do I have to remove these two rules or modify them by removing ipencap?
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>     keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>     keep state (if-bound)
>>
>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>
>>>> On May 11, 2018, at 06:21, Denis wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>>
>>>> # cat /etc/hostname.em1
>>>> ### server $ext_if
>>>> dhcp
>>>> alias 192.168.5.1 255.255.255.0
>>>>
>>>> |
>>>> | IPsec
>>>> |
>>>>
>>>> # cat /etc/hostname.axen0
>>>> ### client $ext_if
>>>> dhcp
>>>> alias 192.168.6.1 255.255.255.0
>>>>
>>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>>>
>>>> server# ping 192.168.6.1
>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>> ...
>>>> clielnt# ping 192.168.5.1
>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>> ...
>>>>
>>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>>>>
>>>> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>>>>
>>>> server# cat /etc/iked.conf
>>>> gw_ip = "em1"
>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>     which obtain an address from dhcp
>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>     which obtain an address from dhcp too.
>>>> mode = "passive"
>>>>
>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>     from $local_lan to $remote_lan \
>>>>     local $gw_ip peer any \
>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>     tag "srv.tld.ipsec" \
>>>>     tap "enc0"
>>>>
>>>> server# cat /etc/pf.conf
>>>> ...
>>>> ext_if = em1
>>>> ipsec_if = em1
>>>> ipsec_enc_if = enc0
>>>> ipsec_local_lan = "192.168.5.0/24"
>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>> ...
>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>> queue bulk parent rootq bandwidth 10M default
>>>> ...
>>>> block on $ext_if all
>>>> block on $ipsec_enc_if all
>>>> ...
>>>>
>>>> # --- IPsec
>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>     {isakmp, ipsec-nat-t}
>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>     {isakmp, ipsec-nat-t} keep state
>>>>
>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>     keep state set queue ipsec
>>>>
>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>
>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>     keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>     keep state (if-bound)
>>>>
>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>     $ipsec_local_lan keep state (if-bound)
>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>     $ipsec_remote_lan keep state (if-bound)
>>>> ...
>>>>
>>>> client# cat /etc/iked.conf
>>>> gw_ip = "axen0"
>>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>     which obtain an address from dhcp
>>>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0
Re: ikev2 All incoming/outgoing traffic over IPsec?
Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets

block log (all, to pflog0)

in pf.conf and dumping it

# tcpdump -en -i pflog0

while doing what you expect should work?

// Johan

> On May 13, 2018, at 02:15, Denis wrote:
>
> Johan,
>
> Do I have to remove these two rules or modify them by removing ipencap?
>
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>     keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>     keep state (if-bound)
>
> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>
>>> On May 11, 2018, at 06:21, Denis wrote:
>>>
>>> Hello,
>>>
>>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>>
>>> # cat /etc/hostname.em1
>>> ### server $ext_if
>>> dhcp
>>> alias 192.168.5.1 255.255.255.0
>>>
>>> |
>>> | IPsec
>>> |
>>>
>>> # cat /etc/hostname.axen0
>>> ### client $ext_if
>>> dhcp
>>> alias 192.168.6.1 255.255.255.0
>>>
>>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>>
>>> server# ping 192.168.6.1
>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>> ...
>>> clielnt# ping 192.168.5.1
>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>> ...
>>>
>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>>>
>>> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>>>
>>> server# cat /etc/iked.conf
>>> gw_ip = "em1"
>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>     which obtain an address from dhcp
>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>     which obtain an address from dhcp too.
>>> mode = "passive"
>>>
>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip peer any \
>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>     tag "srv.tld.ipsec" \
>>>     tap "enc0"
>>>
>>> server# cat /etc/pf.conf
>>> ...
>>> ext_if = em1
>>> ipsec_if = em1
>>> ipsec_enc_if = enc0
>>> ipsec_local_lan = "192.168.5.0/24"
>>> ipsec_remote_lan = "192.168.6.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>> queue bulk parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>>
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>     {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>     {isakmp, ipsec-nat-t} keep state
>>>
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>     keep state set queue ipsec
>>>
>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>     keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>     keep state (if-bound)
>>>
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>     $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>     $ipsec_remote_lan keep state (if-bound)
>>> ...
>>>
>>> client# cat /etc/iked.conf
>>> gw_ip = "axen0"
>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>     which obtain an address from dhcp
>>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>>>     which obtain an address from dhcp
>>> srv_ip = "a.b.c.d" # server's IP each time is the same from ISP's dhcp
>>> mode = "active"
>>>
>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip to $srv_ip \
>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>     tag "clnt.tld.ipsec" \
>>>     tap "em0"
>>>
>>> client# cat /etc/pf.conf
>>> ...
>>> ext_if = axen0
>>> ipsec_if = axen0
Re: ikev2 All incoming/outgoing traffic over IPsec?
Johan,

Do I have to remove these two rules or modify them by removing ipencap?

pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
    keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
    keep state (if-bound)

On 5/12/2018 10:11 AM, Johan Hattne wrote:
>
>> On May 11, 2018, at 06:21, Denis wrote:
>>
>> Hello,
>>
>> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>>
>> # cat /etc/hostname.em1
>> ### server $ext_if
>> dhcp
>> alias 192.168.5.1 255.255.255.0
>>
>> |
>> | IPsec
>> |
>>
>> # cat /etc/hostname.axen0
>> ### client $ext_if
>> dhcp
>> alias 192.168.6.1 255.255.255.0
>>
>> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>>
>> server# ping 192.168.6.1
>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>> ...
>> clielnt# ping 192.168.5.1
>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>> ...
>>
>> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>>
>> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>>
>> server# cat /etc/iked.conf
>> gw_ip = "em1"
>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>     which obtain an address from dhcp
>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>     which obtain an address from dhcp too.
>> mode = "passive"
>>
>> ikev2 "pki-srv" $mode ipcomp esp \
>>     from $local_lan to $remote_lan \
>>     local $gw_ip peer any \
>>     srcid srv-pubkey dstid clnt-pubkey \
>>     tag "srv.tld.ipsec" \
>>     tap "enc0"
>>
>> server# cat /etc/pf.conf
>> ...
>> ext_if = em1
>> ipsec_if = em1
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.5.0/24"
>> ipsec_remote_lan = "192.168.6.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>> queue bulk parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>     {isakmp, ipsec-nat-t}
>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>     {isakmp, ipsec-nat-t} keep state
>>
>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>     keep state set queue ipsec
>>
>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>     keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>     keep state (if-bound)
>>
>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>     $ipsec_local_lan keep state (if-bound)
>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>     $ipsec_remote_lan keep state (if-bound)
>> ...
>>
>> client# cat /etc/iked.conf
>> gw_ip = "axen0"
>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>     which obtain an address from dhcp
>> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>>     which obtain an address from dhcp
>> srv_ip = "a.b.c.d" # server's IP each time is the same from ISP's dhcp
>> mode = "active"
>>
>> ikev2 "pki-clnt" $mode ipcomp esp \
>>     from $local_lan to $remote_lan \
>>     local $gw_ip to $srv_ip \
>>     srcid clnt-pubkey dstid srv-pubkey \
>>     tag "clnt.tld.ipsec" \
>>     tap "em0"
>>
>> client# cat /etc/pf.conf
>> ...
>> ext_if = axen0
>> ipsec_if = axen0
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.6.0/24"
>> ipsec_remote_lan = "192.168.5.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>> queue bulk parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
Re: ikev2 All incoming/outgoing traffic over IPsec?
> On May 11, 2018, at 06:21, Denis wrote:
>
> Hello,
>
> I have working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are using in production and firewalled by PF.
>
> # cat /etc/hostname.em1
> ### server $ext_if
> dhcp
> alias 192.168.5.1 255.255.255.0
>
> |
> | IPsec
> |
>
> # cat /etc/hostname.axen0
> ### client $ext_if
> dhcp
> alias 192.168.6.1 255.255.255.0
>
> I can ping each 'end' of IPsec virtual subnets from both side of tunnel (after IP assigned to both gateways by ISP's dhcp), but no traffic though.
>
> server# ping 192.168.6.1
> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
> ...
> clielnt# ping 192.168.5.1
> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
> ...
>
> The final goal is: All incoming traffic on server's $ext_if = "em1" for selected ports 25, 443, 465, 993 etc. must be redirected from aliased server's IP:192.168.5.1 through IPsec tunnel to appropriate services on aliased client's IP:192.168.6.1. So client can reply to incoming connections to remote server's via IPsec lan.
>
> No routing is needed between server's / client's 'real' private LANs. Because of that I've decided to use aliased virtual lans for IPsec tunneling. But I'm not sure about correctness of this.
>
> server# cat /etc/iked.conf
> gw_ip = "em1"
> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>     which obtain an address from dhcp
> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>     which obtain an address from dhcp too.
> mode = "passive"
>
> ikev2 "pki-srv" $mode ipcomp esp \
>     from $local_lan to $remote_lan \
>     local $gw_ip peer any \
>     srcid srv-pubkey dstid clnt-pubkey \
>     tag "srv.tld.ipsec" \
>     tap "enc0"
>
> server# cat /etc/pf.conf
> ...
> ext_if = em1
> ipsec_if = em1
> ipsec_enc_if = enc0
> ipsec_local_lan = "192.168.5.0/24"
> ipsec_remote_lan = "192.168.6.0/24"
> ...
> queue rootq on $ext_if bandwidth 100M max 100M
> queue ipsec parent rootq bandwidth 90M min 70M max 100M
> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
> queue bulk parent rootq bandwidth 10M default
> ...
> block on $ext_if all
> block on $ipsec_enc_if all
> ...
>
> # --- IPsec
> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>     {isakmp, ipsec-nat-t}
> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>     {isakmp, ipsec-nat-t} keep state
>
> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>     keep state set queue ipsec
>
> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>     keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>     keep state (if-bound)
>
> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>     $ipsec_local_lan keep state (if-bound)
> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>     $ipsec_remote_lan keep state (if-bound)
> ...
>
> client# cat /etc/iked.conf
> gw_ip = "axen0"
> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>     which obtain an address from dhcp
> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em0 \
>     which obtain an address from dhcp
> srv_ip = "a.b.c.d" # server's IP each time is the same from ISP's dhcp
> mode = "active"
>
> ikev2 "pki-clnt" $mode ipcomp esp \
>     from $local_lan to $remote_lan \
>     local $gw_ip to $srv_ip \
>     srcid clnt-pubkey dstid srv-pubkey \
>     tag "clnt.tld.ipsec" \
>     tap "em0"
>
> client# cat /etc/pf.conf
> ...
> ext_if = axen0
> ipsec_if = axen0
> ipsec_enc_if = enc0
> ipsec_local_lan = "192.168.6.0/24"
> ipsec_remote_lan = "192.168.5.0/24"
> ...
> queue rootq on $ext_if bandwidth 100M max 100M
> queue ipsec parent rootq bandwidth 90M min 70M max 100M
> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
> queue bulk parent rootq bandwidth 10M default
> ...
> block on $ext_if all
> block on $ipsec_enc_if all
> ...
>
> # --- IPsec
> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>     {isakmp, ipsec-nat-t}
> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>     {isakmp, ipsec-nat-t} keep state
>
> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>     keep state set queue ipsec
>
> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>
> pass in quick on