On Thu, May 26, 2016 at 08:41:49AM +0100, Jason McIntyre wrote: > On Tue, May 24, 2016 at 10:53:16AM +0200, Bruno Flueckiger wrote: > > Hi, > > > > I've tested IPsec connections in my lab. The setup looks like this: > > > > [cli] <-- vlan10 --> [gw1] <----> [inet] <----> [gw2] <-- vlan20 --> [srv] > > ========IPsec========= > > i think you should provide more details of your setup first. for > example, ipsec.conf(5) shows pf rules for ipencap but you only provide a > small snippet of your pf.conf. no vlan details. none of your tcpdump > output that leads you to this conclusion. no routing details. > > then keep your fingers crossed. i think most people run for the hills > when they see ipsec mail. > > jmc >
The network config looks like this: vlan10: [cli] .11 <- 10.19.1.0/24 -> .1 [gw1] vlan20: [gw2] .1 <- 10.81.1.0/24 -> .11 [srv] The simulated internet between the gateways is one OpenBSD box which forwards packets between the two subnets 10.0.19.0/24 and 10.0.81.0/24: [gw1] .2 <- 10.0.19.0/24 -> .1 [inet] .1 <- 10.0.81.0/24 -> .2 [gw2] There are no vlans defined for the two subnets between the gateways and the [inet] box. All machines are running OpenBSD 5.9-release on a VMware ESXi 5.5. All network adapters are vmx, each adapter is connected to a vSphere standard switch. There is one vSphere switch for each subnet. None of the switches have physical nics assigned. This is the ipsec.conf on [gw1]: local_ip="10.0.19.2" remote_ip="10.0.81.2" local_net="10.19.1.0/24" remote_net="10.81.1.0/24" ike esp from $local_ip to $remote_ip ike esp from $local_ip to $remote_net ike esp from $local_net to $remote_net This is the pf.conf on [gw1] in the version that blocks ipsec traffic on interface enc0: wan_if="vmx0" local_net="10.19.1.0/24" remote_ip="10.0.81.2" remote_net="10.81.1.0/24" icmp_types="{ echoreq unreach }" ike_ports="{ isakmp ipsec-nat-t }" set block-policy return set skip on lo match in all scrub (no-df random-id reassemble tcp) block log all pass in from (self) pass out on $wan_if from (self) to any keep state pass inet proto icmp all icmp-type $icmp_types keep state pass in on vlan10 inet proto tcp from $local_net to vlan10 port ssh \ keep state (if-bound) # Allow traffic for IPsec tunnel setup pass in on $wan_if proto udp from $remote_ip to $wan_if \ port $ike_ports pass out on $wan_if proto udp from $wan_if to $remote_ip \ port $ike_ports # Allow esp packets between tunnel endpoints pass in on $wan_if proto esp from $remote_ip to $wan_if \ keep state (if-bound) pass out on $wan_if proto esp from $wan_if to $remote_ip \ keep state (if-bound) # Allow encapsulated IP packets pass in on enc0 proto ipencap from $remote_ip to $wan_if \ keep state (if-bound) pass out on enc0 proto ipencap from $wan_if to $remote_ip \ keep state (if-bound) # Allow traffic between the subnets pass in on vlan10 from $local_net to $remote_net keep state pass out on enc0 from $local_net to $remote_net keep state (if-bound) pass in on enc0 from $remote_net to $local_net keep state (if-bound) pass out on vlan10 from $remote_net to $local_net keep state I run tcpdump -nettti pflog0 on [gw1]. Then I try to connect from [cli] to [srv] by running ssh 10.81.1.11. This is the output from tcpdump when using the above pf.conf on [gw1]: tcpdump: WARNING: snaplen raised from 116 to 160 tcpdump: listening on pflog0, link-type PFLOG May 27 08:27:04.754155 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 8 len 120 May 27 08:27:10.743030 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 9 len 120 May 27 08:27:22.739668 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 10 len 120 May 27 08:27:46.732233 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 11 len 120 This made me include the interface enc0 in the two rules for esp packets. After this the connection works as expected. That made me write the patch. If something is unclear in my description of even more details are needed I'm happy to provide those. Cheers, Bruno