Re: ipsec with default route and routing of internal networks

2021-10-05 Thread Hrvoje Popovski
On 14.9.2021. 13:12, Hrvoje Popovski wrote:
> On 13.9.2021. 15:52, Stuart Henderson wrote:
>> On 2021-09-13, Hrvoje Popovski  wrote:
>>> On 13.9.2021. 14:08, Tom Smyth wrote:
>>>> Can you do an exception for the ranges ... so internet - private ips
>>>> you don't want over the tunnel)
>>>>
>>>> ike esp from 10.90.0.0/24 to any encrypt
>>>> and
>>>>
>>>>  10.90.0.0/24 to NOT [networks you don't want
>>>> over the tunnel) ?

>>>
>>> :) this was the first thought that i've had ... but i couldn't find how
>>> to do it ... at least in man ipsec.conf or isakmpd.conf
>>>
>>>
>>
>> You do this with a "bypass flow" in /etc/ipsec.conf:
>>
>> flow from $network/$prefix to $network/$prefix type bypass
>>
>> and loading it with ipsecctl. Note if you use iked, you cannot configure
>> this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
>> for this purpose in conjunction with iked for tunnel setup.
>>
>>
> 
> Thank you guys ... with "type bypass" everything is working as expected
> 
> c/p from config
> ike esp from 10.90.0.0/24 to any \
> local $localip peer $peerip \
> main auth hmac-sha1 enc aes group modp1024 \
> quick enc aes-128-gcm group modp1024 \
> psk 123
> flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass
> 

and if you have carp (multicast) then you need
flow from 10.90.0.0/24 to 224.0.0.18/32 type bypass



Re: ipsec with default route and routing of internal networks

2021-09-14 Thread Hrvoje Popovski
On 13.9.2021. 15:52, Stuart Henderson wrote:
> On 2021-09-13, Hrvoje Popovski  wrote:
>> On 13.9.2021. 14:08, Tom Smyth wrote:
>>> Can you do an exception for the ranges ... so internet - private ips
>>> you don't want over the tunnel)
>>>
>>> ike esp from 10.90.0.0/24 to any encrypt
>>> and
>>>
>>>  10.90.0.0/24 to NOT [networks you don't want
>>> over the tunnel) ?
>>>
>>
>> :) this was the first thought that i've had ... but i couldn't find how
>> to do it ... at least in man ipsec.conf or isakmpd.conf
>>
>>
> 
> You do this with a "bypass flow" in /etc/ipsec.conf:
> 
> flow from $network/$prefix to $network/$prefix type bypass
> 
> and loading it with ipsecctl. Note if you use iked, you cannot configure
> this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
> for this purpose in conjunction with iked for tunnel setup.
> 
> 

Thank you guys ... with "type bypass" everything is working as expected

c/p from config
ike esp from 10.90.0.0/24 to any \
local $localip peer $peerip \
main auth hmac-sha1 enc aes group modp1024 \
quick enc aes-128-gcm group modp1024 \
psk 123
flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass




ipsecctl -sa | grep 10.9
flow esp in from 0.0.0.0/0 to 10.90.0.0/24 peer $peerip srcid $localip
dstid $peerip type require
flow esp in from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp in from 10.91.0.0/24 to 10.90.0.0/24 type bypass
flow esp in from 10.92.0.0/24 to 10.90.0.0/24 type bypass

flow esp out from 10.90.0.0/24 to 0.0.0.0/0 peer $peerip srcid $localip
dstid $peerip type require
flow esp out from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.92.0.0/24 type bypass
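The bypass-flow fix, worked through as an added example (not code from the thread): a small checker that reads an 'ipsecctl -sa' flow listing like the one above and reports which internal destinations still fall into the 'to any' require flow, including the carp multicast address mentioned at the top of the thread. It models the kernel's SPD lookup by assuming the most specific flow wins; that assumption and the sample listing are mine.

```python
"""Added example (not the thread's own code): model OpenBSD's SPD lookup over
'ipsecctl -sa' output to show which internal destinations a 'from 10.90.0.0/24
to any' tunnel still captures. Assumes the most specific flow (longest src+dst
prefix) wins, so a 10.90/24 -> 10.91/24 bypass beats the 0.0.0.0/0 require."""
import ipaddress
import re

# Constructed sample after the thread's 'ipsecctl -sa' listing (wrapped line and
# $peerip/$localip placeholders kept); 10.92/24 and carp 224.0.0.18/32 bypasses
# are deliberately absent.
SAMPLE = """\
flow esp out from 10.90.0.0/24 to 0.0.0.0/0 peer $peerip srcid $localip
dstid $peerip type require
flow esp out from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.91.0.0/24 type bypass
"""
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) .*?type (\w+)$")

def parse_flows(text):
    """Rejoin mail-wrapped lines (a line not starting with 'flow' continues the
    previous entry); return (direction, src_net, dst_net, type) tuples."""
    joined = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("flow") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    flows = []
    for m in filter(None, map(FLOW_RE.match, joined)):
        d, src, dst, typ = m.groups()
        flows.append((d, ipaddress.ip_network(src), ipaddress.ip_network(dst), typ))
    return flows

def lookup(flows, direction, src_ip, dst_ip):
    """Most specific matching flow for one packet; 'none' if nothing applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for d, s, t, typ in flows:
        if d == direction and src in s and dst in t:
            spec = s.prefixlen + t.prefixlen
            if best is None or spec > best[0]:
                best = (spec, typ)
    return best[1] if best else "none"

def captured_destinations(flows, src_net, dest_nets):
    """Destinations whose traffic from src_net is forced into the tunnel (type
    require) because no more specific bypass flow covers them."""
    probe = str(ipaddress.ip_network(src_net).network_address + 1)
    return [n for n in dest_nets if lookup(flows, "out", probe,
            str(ipaddress.ip_network(n).network_address)) == "require"]
```

Running captured_destinations over the sample with 10.91/24, 10.92/24 and 224.0.0.18/32 reports the last two, which is exactly the set of bypass flows still to add.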




Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Stuart Henderson
On 2021-09-13, Hrvoje Popovski  wrote:
> On 13.9.2021. 14:08, Tom Smyth wrote:
>> Can you do an exception for the ranges ... so internet - private ips
>> you don't want over the tunnel)
>> 
>> ike esp from 10.90.0.0/24 to any encrypt
>> and
>> 
>>  10.90.0.0/24 to NOT [networks you don't want
>> over the tunnel) ?
>> 
>
> :) this was the first thought that i've had ... but i couldn't find how
> to do it ... at least in man ipsec.conf or isakmpd.conf
>
>

You do this with a "bypass flow" in /etc/ipsec.conf:

flow from $network/$prefix to $network/$prefix type bypass

and loading it with ipsecctl. Note if you use iked, you cannot configure
this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
for this purpose in conjunction with iked for tunnel setup.




Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
On 13.9.2021. 14:08, Tom Smyth wrote:
> Can you do an exception for the ranges ... so internet - private ips
> you don't want over the tunnel)
> 
> ike esp from 10.90.0.0/24 to any encrypt
> and
> 
>  10.90.0.0/24 to NOT [networks you don't want
> over the tunnel) ?
> 

:) this was the first thought that i've had ... but i couldn't find how
to do it ... at least in man ipsec.conf or isakmpd.conf



Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Can you do an exception for the ranges ... so internet - private ips you
don't want over the tunnel)

ike esp from 10.90.0.0/24 to any encrypt
and

 10.90.0.0/24 to NOT [networks you don't want over the tunnel) ?

On Mon, 13 Sept 2021 at 13:02, Hrvoje Popovski  wrote:

> Hi,
>
> On 13.9.2021. 12:58, Tom Smyth wrote:
> > Hi Hrvoje,
> >
> > is 10.90.0.0/24  local to your firewall, and if I
> > understand your rule,
> > ike esp from 10.90.0.0/24  to any    you are
> saying
> > encrypt all traffic coming from 10.90.0.0/24 
> >
> > should the tunnel be more specific ? like
> >
> > from 10.90.0.0/24   to another network across the
> > tunnel
> >
>
> 10.90/24 is my local internal network, as are the other networks (10.91/24,
> 10.92/24).
> i need "ike esp from 10.90.0.0/24 to any"... because hosts on that
> network need to go out to internet over ipsec tunnel ... but at the same
> time hosts in that 10.90/24 network need to communicate to other
> internal networks...
>


-- 
Kindest regards,
Tom Smyth.


Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi,

On 13.9.2021. 12:58, Tom Smyth wrote:
> Hi Hrvoje, 
> 
> is 10.90.0.0/24  local to your firewall, and if I
> understand your rule,
> ike esp from 10.90.0.0/24  to any    you are saying  
> encrypt all traffic coming from 10.90.0.0/24  
> 
> should the tunnel be more specific ? like 
> 
> from 10.90.0.0/24   to another network across the
> tunnel  
> 

10.90/24 is my local internal network, as are the other networks (10.91/24,
10.92/24).
i need "ike esp from 10.90.0.0/24 to any"... because hosts on that
network need to go out to internet over ipsec tunnel ... but at the same
time hosts in that 10.90/24 network need to communicate to other
internal networks...



Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Hi Hrvoje,

is 10.90.0.0/24 local to your firewall, and if I understand your rule,
ike esp from 10.90.0.0/24 to any    you are saying
encrypt all traffic coming from 10.90.0.0/24

should the tunnel be more specific ? like

from 10.90.0.0/24  to another network across the tunnel

ike esp from 10.90.0.0/24 to  {list of private network ranges that are
across the tunnel}

(remove any and replace with specific subnets to be routed across the IPsec
tunnel)

without a diagram I cant help much more...


On Mon, 13 Sept 2021 at 11:36, Hrvoje Popovski  wrote:

> Hi all,
>
> I have a firewall that routes few internal networks, 10.90/24, 10.91/24,
> 10.92/24. And i have some static routes to other firewalls, but i don't
> think that is relevant to this problem.
>
> For network 10.90/24 i have ipsec tunnel, and i need to push any traffic
> from that network to the internet, but not to local networks,
> over that ipsec tunnel.
>
> something like this:
> ike esp from 10.90.0.0/24 to any
>
> I thought that the routing table will take care of that, but it seems
> that when ipsec tunnel is up, i can't connect from local networks
> (10.91/24, 10.92/24) to 10.90/24 and I can't even ping hosts on the
> 10.90/24 network ...
> something like this ping -I 10.90.0.1 10.90.0.8 ...
> traffic from 10.90/24 to the internet is working just fine ..
>
> I need to make network 10.90/24 reachable to all local networks.
> Could someone please point me in the right direction on what to look and
> configure?
>
> Thank you ..
>
>

-- 
Kindest regards,
Tom Smyth.