Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-22 Thread Johan Hattne
Not sure I quite understand this setup.  Why redirect over port 9222 on the 
client—can’t you just do “pass in … rdr-to 192.168.6.1 port ssh” on the server? 
 That said, I do believe you’ll need NAT on the server, because it’s now 
masquerading its own 192.168.5.0/24 network as well as the 192.168.6.0/24 
network of the client.

// Johan

> On May 21, 2018, at 05:11, Denis  wrote:
> 
> I can successfully ping both sides of the IPsec tunnel:
> 
> server$ ping -I 192.168.5.1 192.168.6.1
> 64 bytes from 192.168.6.1 icmp_seq...
> 
> client$ ping -I 192.158.6.1 192.168.5.1
> 64 bytes from 192.168.6.1 icmp_seq...
> 
> tcpdump -en -i pflog0
> shows nothing about blocked traffic while connecting from the "external machine"
> 
> I tried to make an external connection to the server's public IP (a.b.c.d) and
> redirect this connection with PF through the IPsec tunnel to the client's IPsec IP,
> 192.168.6.1. Then the client's PF rules redirect the connection from the server's
> IPsec IP, 192.168.5.1, to the client's 127.0.0.1, and it must reply to the external
> machine from a.b.c.d.
> 
> My test conditions:
> 
>   external machine
>   #ssh -p 9922 to a.b.c.d
>   |
>   |
>   server's public IP is a.b.c.d
>   PF rule:
> pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
> port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
>   ||
>   ||
>   IPsec tunnel (working):
>   srv IP: 192.168.5.1
>   clnt IP: 192.168.6.1
>   ||
>   ||
>   client's PF rule:
> pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to
> lo0 port 22 modulate state
> 
> Incoming packets from the "external machine" with the SSH client seem to be
> redirected to the client's 127.0.0.1 port 22, but the client does not reply to the
> "external machine".
> 
> It seems I have to implement a NAT rule for IPsec, or what?
> 
> Please advise.
> 
> Denis
> 
> 
> On 5/15/2018 5:12 AM, Johan Hattne wrote:
>> I don’t know that outgoing traffic from lo is expected to go through the 
>> tunnel.  If you’re doing these tests with ping, does e.g.
>> 
>>  server$ ping -I 192.168.6.1 192.168.5.1
>> 
>> yield the expected results?  I’d expect ping responses, and tcpdump on the 
>> enc interfaces on both sides to show both the request and the response.
>> 
>> // Johan 
>> 
>>> On May 14, 2018, at 07:34, Denis  wrote:
>>> 
>>> I have added to /etc/pf.conf:
>>> 
>>> ipsec_if = "axen0"
>>> ipsec_remote_lan = "192.168.5.0/24"
>>> 
>>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>> 
>>> but outgoing traffic from client's lo0 is blocked anyway:
>>> 
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>> 776927979:776927979(0) ack 896868769 win 16384
>>> 
>>> Denis
>>> 
>>> On 5/14/2018 2:17 PM, Denis wrote:
 Incoming connections to the client's IP (192.168.6.1) are established and
 seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
 to the server's IP (192.168.5.1) is blocked according to
 
 # tcpdump -en -i pflog0 output:
 
 ...
 rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
 776927979:776927979(0) ack 896868769 win 16384
 ...
 
 Do I need to add a NAT rule to have the reply passed to the server's source IP
 (192.168.5.1), or what?
 
 Thanks.
 
 Denis
 
 
 On 5/13/2018 7:12 PM, Johan Hattne wrote:
> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
> wrong.  What about logging blocked packets
> 
> block log (all, to pflog0)
> 
> in pf.conf and dumping it
> 
> # tcpdump -en -i pflog0
> 
> while doing what you expect should work?
> 
> // Johan
> 
>> On May 13, 2018, at 02:15, Denis  wrote:
>> 
>> Johan,
>> 
>> Do I have to remove these two rules or modify them by removing ipencap?
>> 
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>> keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>> keep state (if-bound)
>> 
>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>> 
 On May 11, 2018, at 06:21, Denis  wrote:
 
 Hello,
 
 I have a working ikev2 tunnel between two virtual aliased subnets, but no
 traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
 client machine and vice versa. Both machines are in production use and
 firewalled by PF.
 
 
 # cat /etc/hostname.em1
 ### server $ext_if
 dhcp
 alias 192.168.5.1
 255.255.255.0
 
  |
  | IPsec
 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-21 Thread Denis
I can successfully ping both sides of the IPsec tunnel:

server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icmp_seq...

client$ ping -I 192.158.6.1 192.168.5.1
64 bytes from 192.168.6.1 icmp_seq...

tcpdump -en -i pflog0
shows nothing about blocked traffic while connecting from the "external machine"

I tried to make an external connection to the server's public IP (a.b.c.d) and
redirect this connection with PF through the IPsec tunnel to the client's IPsec IP,
192.168.6.1. Then the client's PF rules redirect the connection from the server's
IPsec IP, 192.168.5.1, to the client's 127.0.0.1, and it must reply to the external
machine from a.b.c.d.

My test conditions:

external machine
#ssh -p 9922 to a.b.c.d
|
|
server's public IP is a.b.c.d
PF rule:
pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
||
||
IPsec tunnel (working):
srv IP: 192.168.5.1
clnt IP: 192.168.6.1
||
||
client's PF rule:
pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to
lo0 port 22 modulate state

Incoming packets from the "external machine" with the SSH client seem to be
redirected to the client's 127.0.0.1 port 22, but the client does not reply to the
"external machine".

It seems I have to implement a NAT rule for IPsec, or what?

Please advise.

Denis


On 5/15/2018 5:12 AM, Johan Hattne wrote:
> I don’t know that outgoing traffic from lo is expected to go through the 
> tunnel.  If you’re doing these tests with ping, does e.g.
> 
>   server$ ping -I 192.168.6.1 192.168.5.1
> 
> yield the expected results?  I’d expect ping responses, and tcpdump on the 
> enc interfaces on both sides to show both the request and the response.
> 
> // Johan 
> 
>> On May 14, 2018, at 07:34, Denis  wrote:
>>
>> I have added to /etc/pf.conf:
>>
>> ipsec_if = "axen0"
>> ipsec_remote_lan = "192.168.5.0/24"
>>
>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>
>> but outgoing traffic from client's lo0 is blocked anyway:
>>
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384
>>
>> Denis
>>
>> On 5/14/2018 2:17 PM, Denis wrote:
>>> Incoming connections to the client's IP (192.168.6.1) are established and
>>> seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
>>> to the server's IP (192.168.5.1) is blocked according to
>>>
>>> # tcpdump -en -i pflog0 output:
>>>
>>> ...
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>> 776927979:776927979(0) ack 896868769 win 16384
>>> ...
>>>
>>> Do I need to add a NAT rule to have the reply passed to the server's source IP
>>> (192.168.5.1), or what?
>>>
>>> Thanks.
>>>
>>> Denis
>>>
>>>
>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
 Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
 wrong.  What about logging blocked packets

  block log (all, to pflog0)

 in pf.conf and dumping it

  # tcpdump -en -i pflog0

 while doing what you expect should work?

 // Johan

> On May 13, 2018, at 02:15, Denis  wrote:
>
> Johan,
>
> Do I have to remove these two rules or modify them by removing ipencap?
>
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
> keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
> keep state (if-bound)
>
> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>
>>> On May 11, 2018, at 06:21, Denis  wrote:
>>>
>>> Hello,
>>>
>>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>>> client machine and vice versa. Both machines are in production use and
>>> firewalled by PF.
>>>
>>> 
>>> # cat /etc/hostname.em1
>>> ### server $ext_if
>>> dhcp
>>> alias 192.168.5.1
>>> 255.255.255.0
>>> 
>>>   |
>>>   | IPsec
>>>   |
>>> 
>>> # cat /etc/hostname.axen0
>>> ### client $ext_if
>>> dhcp
>>> alias 192.168.6.1
>>> 255.255.255.0
>>> 
>>>
>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>>> (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes
>>> through.
>>>
>>> server# ping 192.168.6.1
>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>> ...
>>> client# ping 192.168.5.1
>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Johan Hattne
I don’t know that outgoing traffic from lo is expected to go through the 
tunnel.  If you’re doing these tests with ping, does e.g.

  server$ ping -I 192.168.6.1 192.168.5.1

yield the expected results?  I’d expect ping responses, and tcpdump on the enc 
interfaces on both sides to show both the request and the response.

// Johan 

> On May 14, 2018, at 07:34, Denis  wrote:
> 
> I have added to /etc/pf.conf:
> 
> ipsec_if = "axen0"
> ipsec_remote_lan = "192.168.5.0/24"
> 
> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
> 
> but outgoing traffic from client's lo0 is blocked anyway:
> 
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
> 776927979:776927979(0) ack 896868769 win 16384
> 
> Denis
> 
> On 5/14/2018 2:17 PM, Denis wrote:
>> Incoming connections to the client's IP (192.168.6.1) are established and
>> seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
>> to the server's IP (192.168.5.1) is blocked according to
>> 
>> # tcpdump -en -i pflog0 output:
>> 
>> ...
>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>> 776927979:776927979(0) ack 896868769 win 16384
>> ...
>> 
>> Do I need to add a NAT rule to have the reply passed to the server's source IP
>> (192.168.5.1), or what?
>> 
>> Thanks.
>> 
>> Denis
>> 
>> 
>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
>>> wrong.  What about logging blocked packets
>>> 
>>>  block log (all, to pflog0)
>>> 
>>> in pf.conf and dumping it
>>> 
>>>  # tcpdump -en -i pflog0
>>> 
>>> while doing what you expect should work?
>>> 
>>> // Johan
>>> 
 On May 13, 2018, at 02:15, Denis  wrote:
 
 Johan,
 
 Do I have to remove these two rules or modify them by removing ipencap?
 
 pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
 keep state (if-bound)
 pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
 keep state (if-bound)
 
 On 5/12/2018 10:11 AM, Johan Hattne wrote:
> 
>> On May 11, 2018, at 06:21, Denis  wrote:
>> 
>> Hello,
>> 
>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>> client machine and vice versa. Both machines are in production use and
>> firewalled by PF.
>> 
>> 
>> # cat /etc/hostname.em1
>> ### server $ext_if
>> dhcp
>> alias 192.168.5.1
>> 255.255.255.0
>> 
>>|
>>| IPsec
>>|
>> 
>> # cat /etc/hostname.axen0
>> ### client $ext_if
>> dhcp
>> alias 192.168.6.1
>> 255.255.255.0
>> 
>> 
>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>> (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes
>> through.
>> 
>> server# ping 192.168.6.1
>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>> ...
>> client# ping 192.168.5.1
>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>> ...
>> 
>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>> selected ports (25, 443, 465, 993, etc.) must be redirected from the server's
>> aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>> the client's aliased IP 192.168.6.1, so the client can reply to incoming
>> connections to the remote server via the IPsec LAN.
>> 
>> No routing is needed between the server's and client's 'real' private LANs.
>> Because of that I've decided to use aliased virtual LANs for IPsec
>> tunneling, but I'm not sure about the correctness of this.
>> 
>> server# cat /etc/iked.conf
>> gw_ip  = "em1"
>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>> which obtain an address from dhcp
>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>> which obtain an address from dhcp too.
>> mode   = "passive"
>> 
>> ikev2 "pki-srv" $mode ipcomp esp \
>>  from $local_lan to $remote_lan \
>>  local $gw_ip peer any \
>>  srcid srv-pubkey dstid clnt-pubkey \
>>  tag "srv.tld.ipsec" \
>>  tap "enc0"
>> 
>> server# cat /etc/pf.conf
>> ...
>> ext_if   = em1
>> ipsec_if = em1
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.5.0/24"
>> ipsec_remote_lan = "192.168.6.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>>  queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>  queue ipsec_users   parent rootq bandwidth 50M min 30M max 60M
>>  queue bulk  parent rootq bandwidth 10M default
>> ...
>> block on $ext_if 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Denis
I have added to /etc/pf.conf:

ipsec_if = "axen0"
ipsec_remote_lan = "192.168.5.0/24"

pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan

but outgoing traffic from client's lo0 is blocked anyway:

rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
776927979:776927979(0) ack 896868769 win 16384

Denis

On 5/14/2018 2:17 PM, Denis wrote:
> Incoming connections to the client's IP (192.168.6.1) are established and
> seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
> to the server's IP (192.168.5.1) is blocked according to
> 
> # tcpdump -en -i pflog0 output:
> 
> ...
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
> 776927979:776927979(0) ack 896868769 win 16384
> ...
> 
> Do I need to add a NAT rule to have the reply passed to the server's source IP
> (192.168.5.1), or what?
> 
> Thanks.
> 
> Denis
> 
> 
> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
>> wrong.  What about logging blocked packets
>>
>>   block log (all, to pflog0)
>>
>> in pf.conf and dumping it
>>
>>   # tcpdump -en -i pflog0
>>
>> while doing what you expect should work?
>>
>> // Johan
>>
>>> On May 13, 2018, at 02:15, Denis  wrote:
>>>
>>> Johan,
>>>
>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>> keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>> keep state (if-bound)
>>>
>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:

> On May 11, 2018, at 06:21, Denis  wrote:
>
> Hello,
>
> I have a working ikev2 tunnel between two virtual aliased subnets, but no
> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
> client machine and vice versa. Both machines are in production use and
> firewalled by PF.
>
> 
> # cat /etc/hostname.em1
> ### server $ext_if
> dhcp
> alias 192.168.5.1
> 255.255.255.0
> 
> |
> | IPsec
> |
> 
> # cat /etc/hostname.axen0
> ### client $ext_if
> dhcp
> alias 192.168.6.1
> 255.255.255.0
> 
>
> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
> (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes through.
>
> server# ping 192.168.6.1
> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
> ...
> client# ping 192.168.5.1
> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
> ...
>
> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
> selected ports (25, 443, 465, 993, etc.) must be redirected from the server's
> aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
> the client's aliased IP 192.168.6.1, so the client can reply to incoming
> connections to the remote server via the IPsec LAN.
>
> No routing is needed between the server's and client's 'real' private LANs.
> Because of that I've decided to use aliased virtual LANs for IPsec
> tunneling, but I'm not sure about the correctness of this.
>
> server# cat /etc/iked.conf
> gw_ip   = "em1"
> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
> which obtain an address from dhcp
> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
> which obtain an address from dhcp too.
> mode= "passive"
>
> ikev2 "pki-srv" $mode ipcomp esp \
>   from $local_lan to $remote_lan \
>   local $gw_ip peer any \
>   srcid srv-pubkey dstid clnt-pubkey \
>   tag "srv.tld.ipsec" \
>   tap "enc0"
>
> server# cat /etc/pf.conf
> ...
> ext_if= em1
> ipsec_if  = em1
> ipsec_enc_if  = enc0
> ipsec_local_lan = "192.168.5.0/24"
> ipsec_remote_lan = "192.168.6.0/24"
> ...
> queue rootq on $ext_if bandwidth 100M max 100M
>   queue ipsec parent rootq bandwidth 90M min 70M max 100M
>   queue ipsec_users   parent rootq bandwidth 50M min 30M max 60M
>   queue bulk  parent rootq bandwidth 10M default
> ...
> block on $ext_if all
> block on $ipsec_enc_if all
> ...
>
> # --- IPsec
> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
> {isakmp, ipsec-nat-t}
> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
> {isakmp, ipsec-nat-t} keep state
>
> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
> keep state set queue ipsec
>
> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>
> pass in quick on $ipsec_enc_if proto ipencap from any to 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Denis
Incoming connections to the client's IP (192.168.6.1) are established and
seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
to the server's IP (192.168.5.1) is blocked according to

# tcpdump -en -i pflog0 output:

...
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
776927979:776927979(0) ack 896868769 win 16384
...

Do I need to add a NAT rule to have the reply passed to the server's source IP
(192.168.5.1), or what?

Thanks.

Denis


On 5/13/2018 7:12 PM, Johan Hattne wrote:
> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone 
> wrong.  What about logging blocked packets
> 
>   block log (all, to pflog0)
> 
> in pf.conf and dumping it
> 
>   # tcpdump -en -i pflog0
> 
> while doing what you expect should work?
> 
> // Johan
> 
>> On May 13, 2018, at 02:15, Denis  wrote:
>>
>> Johan,
>>
>> Do I have to remove these two rules or modify them by removing ipencap?
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>> keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>> keep state (if-bound)
>>
>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>
 On May 11, 2018, at 06:21, Denis  wrote:

 Hello,

 I have a working ikev2 tunnel between two virtual aliased subnets, but no
 traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
 client machine and vice versa. Both machines are in production use and
 firewalled by PF.

 
 # cat /etc/hostname.em1
 ### server $ext_if
 dhcp
 alias 192.168.5.1
 255.255.255.0
 
  |
  | IPsec
  |
 
 # cat /etc/hostname.axen0
 ### client $ext_if
 dhcp
 alias 192.168.6.1
 255.255.255.0
 

 I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
 (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes through.

 server# ping 192.168.6.1
 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
 ...
 client# ping 192.168.5.1
 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
 ...

 The final goal is: all incoming traffic on the server's $ext_if = "em1" for
 selected ports (25, 443, 465, 993, etc.) must be redirected from the server's
 aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
 the client's aliased IP 192.168.6.1, so the client can reply to incoming
 connections to the remote server via the IPsec LAN.

 No routing is needed between the server's and client's 'real' private LANs.
 Because of that I've decided to use aliased virtual LANs for IPsec
 tunneling, but I'm not sure about the correctness of this.

 server# cat /etc/iked.conf
 gw_ip= "em1"
 local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
 which obtain an address from dhcp
 remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
 which obtain an address from dhcp too.
 mode = "passive"

 ikev2 "pki-srv" $mode ipcomp esp \
from $local_lan to $remote_lan \
local $gw_ip peer any \
srcid srv-pubkey dstid clnt-pubkey \
    tag "srv.tld.ipsec" \
tap "enc0"

 server# cat /etc/pf.conf
 ...
 ext_if = em1
 ipsec_if   = em1
 ipsec_enc_if   = enc0
 ipsec_local_lan = "192.168.5.0/24"
 ipsec_remote_lan = "192.168.6.0/24"
 ...
 queue rootq on $ext_if bandwidth 100M max 100M
   queue ipsec       parent rootq bandwidth 90M min 70M max 100M
   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
   queue bulk        parent rootq bandwidth 10M default
 ...
 block on $ext_if all
 block on $ipsec_enc_if all
 ...

 # --- IPsec
 pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
 {isakmp, ipsec-nat-t}
 pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
 {isakmp, ipsec-nat-t} keep state

 pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
 pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
 keep state set queue ipsec

 pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users

 pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
 keep state (if-bound)
 pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
 keep state (if-bound)

 pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
 $ipsec_local_lan keep state (if-bound)
 pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
 $ipsec_remote_lan keep state (if-bound)
 ...


 client# cat /etc/iked.conf
 gw_ip= "axen0"
 local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
 which obtain an address from dhcp
 remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-13 Thread Johan Hattne
Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. 
 What about logging blocked packets

  block log (all, to pflog0)

in pf.conf and dumping it

  # tcpdump -en -i pflog0

while doing what you expect should work?

// Johan

> On May 13, 2018, at 02:15, Denis  wrote:
> 
> Johan,
> 
> Do I have to remove these two rules or modify them by removing ipencap?
> 
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
> keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
> keep state (if-bound)
> 
> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>> 
>>> On May 11, 2018, at 06:21, Denis  wrote:
>>> 
>>> Hello,
>>> 
>>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>>> client machine and vice versa. Both machines are in production use and
>>> firewalled by PF.
>>> 
>>> 
>>> # cat /etc/hostname.em1
>>> ### server $ext_if
>>> dhcp
>>> alias 192.168.5.1
>>> 255.255.255.0
>>> 
>>>   |
>>>   | IPsec
>>>   |
>>> 
>>> # cat /etc/hostname.axen0
>>> ### client $ext_if
>>> dhcp
>>> alias 192.168.6.1
>>> 255.255.255.0
>>> 
>>> 
>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>>> (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes through.
>>> 
>>> server# ping 192.168.6.1
>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>> ...
>>> client# ping 192.168.5.1
>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>> ...
>>> 
>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>> selected ports (25, 443, 465, 993, etc.) must be redirected from the server's
>>> aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>>> the client's aliased IP 192.168.6.1, so the client can reply to incoming
>>> connections to the remote server via the IPsec LAN.
>>> 
>>> No routing is needed between the server's and client's 'real' private LANs.
>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>> tunneling, but I'm not sure about the correctness of this.
>>> 
>>> server# cat /etc/iked.conf
>>> gw_ip = "em1"
>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>> which obtain an address from dhcp
>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>> which obtain an address from dhcp too.
>>> mode  = "passive"
>>> 
>>> ikev2 "pki-srv" $mode ipcomp esp \
>>> from $local_lan to $remote_lan \
>>> local $gw_ip peer any \
>>> srcid srv-pubkey dstid clnt-pubkey \
>>> tag "srv.tld.ipsec" \
>>> tap "enc0"
>>> 
>>> server# cat /etc/pf.conf
>>> ...
>>> ext_if  = em1
>>> ipsec_if= em1
>>> ipsec_enc_if= enc0
>>> ipsec_local_lan = "192.168.5.0/24"
>>> ipsec_remote_lan = "192.168.6.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>   queue ipsec       parent rootq bandwidth 90M min 70M max 100M
>>>   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>   queue bulk        parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>> 
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>> {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>> {isakmp, ipsec-nat-t} keep state
>>> 
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>> keep state set queue ipsec
>>> 
>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>> 
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>> keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>> keep state (if-bound)
>>> 
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>> $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>> $ipsec_remote_lan keep state (if-bound)
>>> ...
>>> 
>>> 
>>> client# cat /etc/iked.conf
>>> gw_ip = "axen0"
>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>> which obtain an address from dhcp
>>> remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 \
>>> which obtain an address from dhcp
>>> srv_ip= "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>>> mode  = "active"
>>> 
>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>> from $local_lan to $remote_lan \
>>> local $gw_ip peer $srv_ip \
>>> srcid clnt-pubkey dstid srv-pubkey \
>>> tag "clnt.tld.ipsec" \
>>> tap "em0"
>>> 
>>> client# cat /etc/pf.conf
>>> ...
>>> ext_if  = axen0
>>> ipsec_if= axen0
>>> 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-13 Thread Denis
Johan,

Do I have to remove these two rules or modify them by removing ipencap?

pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
keep state (if-bound)

On 5/12/2018 10:11 AM, Johan Hattne wrote:
> 
>> On May 11, 2018, at 06:21, Denis  wrote:
>>
>> Hello,
>>
>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
>> client machine and vice versa. Both machines are in production use and
>> firewalled by PF.
>>
>> 
>> # cat /etc/hostname.em1
>> ### server $ext_if
>> dhcp
>> alias 192.168.5.1
>> 255.255.255.0
>> 
>>|
>>| IPsec
>>|
>> 
>> # cat /etc/hostname.axen0
>> ### client $ext_if
>> dhcp
>> alias 192.168.6.1
>> 255.255.255.0
>> 
>>
>> I can ping each 'end' of the IPsec virtual subnets from both sides of the tunnel
>> (after an IP is assigned to both gateways by the ISP's DHCP), but no traffic goes through.
>>
>> server# ping 192.168.6.1
>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>> ...
>> client# ping 192.168.5.1
>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>> ...
>>
>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>> selected ports (25, 443, 465, 993, etc.) must be redirected from the server's
>> aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate services on
>> the client's aliased IP 192.168.6.1, so the client can reply to incoming
>> connections to the remote server via the IPsec LAN.
>>
>> No routing is needed between the server's and client's 'real' private LANs.
>> Because of that I've decided to use aliased virtual LANs for IPsec
>> tunneling, but I'm not sure about the correctness of this.
>>
>> server# cat /etc/iked.conf
>> gw_ip  = "em1"
>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>> which obtain an address from dhcp
>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>> which obtain an address from dhcp too.
>> mode   = "passive"
>>
>> ikev2 "pki-srv" $mode ipcomp esp \
>>  from $local_lan to $remote_lan \
>>  local $gw_ip peer any \
>>  srcid srv-pubkey dstid clnt-pubkey \
>>  tag "srv.tld.ipsec" \
>>  tap "enc0"
>>
>> server# cat /etc/pf.conf
>> ...
>> ext_if   = em1
>> ipsec_if = em1
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.5.0/24"
>> ipsec_remote_lan = "192.168.6.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>>    queue ipsec       parent rootq bandwidth 90M min 70M max 100M
>>    queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>    queue bulk        parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>> {isakmp, ipsec-nat-t}
>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>> {isakmp, ipsec-nat-t} keep state
>>
>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>> keep state set queue ipsec
>>
>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>
>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>> keep state (if-bound)
>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>> keep state (if-bound)
>>
>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>> $ipsec_local_lan keep state (if-bound)
>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>> $ipsec_remote_lan keep state (if-bound)
>> ...
>>
>>
>> client# cat /etc/iked.conf
>> gw_ip  = "axen0"
>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>> which obtain an address from dhcp
>> remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 \
>> which obtain an address from dhcp
>> srv_ip = "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>> mode   = "active"
>>
>> ikev2 "pki-clnt" $mode ipcomp esp \
>>  from $local_lan to $remote_lan \
>>  local $gw_ip peer $srv_ip \
>>  srcid clnt-pubkey dstid srv-pubkey \
>>  tag "clnt.tld.ipsec" \
>>  tap "em0"
>>
>> client# cat /etc/pf.conf
>> ...
>> ext_if   = axen0
>> ipsec_if = axen0
>> ipsec_enc_if = enc0
>> ipsec_local_lan = "192.168.6.0/24"
>> ipsec_remote_lan = "192.168.5.0/24"
>> ...
>> queue rootq on $ext_if bandwidth 100M max 100M
>>    queue ipsec       parent rootq bandwidth 90M min 70M max 100M
>>    queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>    queue bulk        parent rootq bandwidth 10M default
>> ...
>> block on $ext_if all
>> block on $ipsec_enc_if all
>> ...
>>
>> # --- IPsec
>> 

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-12 Thread Johan Hattne

> On May 11, 2018, at 06:21, Denis  wrote:
> 
> Hello,
> 
> I have a working ikev2 tunnel between two virtual aliased subnets, but no
> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if on the
> client machine and vice versa. Both machines are in production use and
> firewalled by PF.
> 
> 
> # cat /etc/hostname.em1
> ### server $ext_if
> dhcp
> alias 192.168.5.1
> 255.255.255.0
> 
> |
> | IPsec
> |
> 
> # cat /etc/hostname.axen0
> ### client $ext_if
> dhcp
> alias 192.168.6.1
> 255.255.255.0
> 
> 
> I can ping each 'end' of the IPsec virtual subnets from both sides of the
> tunnel (after the ISP's dhcp has assigned an IP to both gateways), but no
> traffic, though.
> 
> server# ping 192.168.6.1
> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
> ...
> client# ping 192.168.5.1
> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
> ...
> 
> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
> selected ports (25, 443, 465, 993, etc.) must be redirected from the
> server's aliased IP 192.168.5.1 through the IPsec tunnel to the appropriate
> services on the client's aliased IP 192.168.6.1, so the client can reply
> to incoming connections to the remote server via the IPsec LAN.
> 
> No routing is needed between the server's and client's 'real' private
> LANs. Because of that I've decided to use aliased virtual LANs for IPsec
> tunneling, but I'm not sure about the correctness of this.
> 
> server# cat /etc/iked.conf
> gw_ip   = "em1"
> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
> which obtains an address from dhcp
> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
> which obtains an address from dhcp too
> mode = "passive"
> 
> ikev2 "pki-srv" $mode ipcomp esp \
>   from $local_lan to $remote_lan \
>   local $gw_ip peer any \
>   srcid srv-pubkey dstid clnt-pubkey \
>   tag "srv.tld.ipsec" \
>   tap "enc0"
> 
> server# cat /etc/pf.conf
> ...
> ext_if= em1
> ipsec_if  = em1
> ipsec_enc_if  = enc0
> ipsec_local_lan = "192.168.5.0/24"
> ipsec_remote_lan = "192.168.6.0/24"
> ...
> queue rootq on $ext_if bandwidth 100M max 100M
>   queue ipsec       parent rootq bandwidth 90M min 70M max 100M
>   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>   queue bulk        parent rootq bandwidth 10M default
> ...
> block on $ext_if all
> block on $ipsec_enc_if all
> ...
> 
> # --- IPsec
> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
> {isakmp, ipsec-nat-t}
> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
> {isakmp, ipsec-nat-t} keep state
> 
> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
> keep state set queue ipsec
> 
> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
> 
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
> keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
> keep state (if-bound)
> 
> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
> $ipsec_local_lan keep state (if-bound)
> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
> $ipsec_remote_lan keep state (if-bound)
> ...
> 
> 
> client# cat /etc/iked.conf
> gw_ip   = "axen0"
> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
> which obtains an address from dhcp
> remote_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
> which obtains an address from dhcp
> srv_ip  = "a.b.c.d" # server's IP is the same each time from the ISP's dhcp
> mode = "active"
> 
> ikev2 "pki-clnt" $mode ipcomp esp \
>   from $local_lan to $remote_lan \
>   local $gw_ip peer $srv_ip \
>   srcid clnt-pubkey dstid srv-pubkey \
>   tag "clnt.tld.ipsec" \
>   tap "enc0"
> 
> client# cat /etc/pf.conf
> ...
> ext_if= axen0
> ipsec_if  = axen0
> ipsec_enc_if  = enc0
> ipsec_local_lan = "192.168.6.0/24"
> ipsec_remote_lan = "192.168.5.0/24"
> ...
> queue rootq on $ext_if bandwidth 100M max 100M
>   queue ipsec       parent rootq bandwidth 90M min 70M max 100M
>   queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>   queue bulk        parent rootq bandwidth 10M default
> ...
> block on $ext_if all
> block on $ipsec_enc_if all
> ...
> 
> # --- IPsec
> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
> {isakmp, ipsec-nat-t}
> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
> {isakmp, ipsec-nat-t} keep state
> 
> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
> keep state set queue ipsec
> 
> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
> 
> pass in quick on