Hi,
I've tested IPsec connections in my lab. The setup looks like this:
[cli] <-- vlan10 --> [gw1] <----> [inet] <----> [gw2] <-- vlan20 --> [srv]
========IPsec=========
During the testing I think I've found a flaw in ipsec.conf(5). According
to the man page the esp packets need to be passed on interface sk0:
block on sk0
block on enc0
pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
port {500, 4500}
pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
My test setup didn't allow communication between [cli] and [srv]. Checking
the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets
are blocked by pf on enc0. So I included the interface enc0 in the pass
rules for esp packets. After this the connections work as expected.
As a result of my tests I've created the diff below for ipsec.conf(5). Is
this ok or did I miss something?
Cheers,
Bruno
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 9 Dec 2015 21:41:50 -0000 1.151
+++ sbin/ipsecctl/ipsec.conf.5 24 May 2016 08:24:49 -0000
@@ -513,8 +513,8 @@ pass in on sk0 proto udp from 192.168.3
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
port {500, 4500}
-pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
-pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
+pass in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
+pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
keep state (if-bound)
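Review bot: the interface list added on the two `+` lines, `{sk0 enc0}`, is written without the comma separator that the unchanged `port {500, 4500}` context line two lines above uses; pf.conf(5) accepts either whitespace or commas inside braces, but a manual page example should stick to one style, so consider `{ sk0, enc0 }` for both esp rules. The hunk also changes only the rule listing: if the explanatory text around this example in ipsec.conf.5 still describes the esp rules as applying to the external interface alone, it should be updated in the same diff to say that esp traffic is also checked on enc0, otherwise the rule change reads as arbitrary to someone who has not seen the pflog0 output quoted in the message.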