Interesting. I may have a similar problem and was planning to post about
it soon...in my case I've been playing with rdomains, using PF to NAT
between them, and ikedv2. I've found that when I use ikedv2 to layer
IPSEC on top of my NATing traffic between rdomains, TCP passes fine, UDP
does not, though I can see requests and replies moving across enc0 (DNS
requests that show the answer in the tcpdump output). So, host -T
google.com 8.8.8.8 (TCP DNS lookup) works but host google.com 8.8.8.8
(UDP DNS lookup) does not.
On 03/28, Comète wrote:
Hi,
I'm trying to build an IPSEC encrypted tunnel that works as a bridge. For
this, I use isakmpd and etherip, vether, bridge interfaces. On each VPN server
(Host A and B), I've got PF running on the external interface (em2). Both
hosts run OpenBSD 6.0 stable amd64.
Host A is my main server and host B is the
client.
Now the strange part:
- If PF is running on each host (A and B),
UDP queries from B to A network don't work (UDP only, TCP is ok. But I can see
UDP packets with tcpdump going from B to A and coming back but they don't go
out from the interface)
- I disable PF on Host B only with "rcctl disable pf
&& reboot", all is working after reboot, all queries (dns, ntp...) are well
sent from B to A through the VPN. Now, I enable PF again without rebooting
with "pfctl -e && pfctl -f /etc/pf.conf" and it's still working. Then I start
"rcctl enable pf" and reboot, and it doesn't work anymore for UDP queries...
So to resume, if PF is started automatically at boot on host B (rcctl enable
pf) then UDP don't pass but if I start it manually (pfctl -e && pfctl -f
/etc/pf.conf), it works.
I've tried tcpdump -nettti pflog0 during DNS/NTP
queries but I don't see anything blocked. As I said, if I try tcpdump -nettti
em0 I can even see the answer from the DNS server coming back but dig doesn't
get it.
I just don't understand why my UDP packets don't pass, so if you have
a idea, you're welcome ;)
thanks.
This my setup on Host B (Host A is
similar)
ipsec.conf:
-----------
ike active esp proto etherip from $local_gw
to $remote_gw \
main auth "hmac-sha1" enc "aes-128" group modp2048
lifetime 1800 \
quick enc "aes-128-gcm" group modp2048 lifetime 1200 \
srcid $local_gw
ipsecctl -sa
-----------
ipsecctl -sa
FLOWS:
flow esp in
proto etherip from 10.65.12.10 to 10.65.13.10 peer 10.65.12.10 srcid
10.65.13.10/32 dstid 10.65.12.10/32 type use
flow esp out proto etherip from
10.65.13.10 to 10.65.12.10 peer 10.65.12.10 srcid 10.65.13.10/32 dstid
10.65.12.10/32 type require
SAD:
esp tunnel from 10.65.13.10 to 10.65.12.10
spi 0xd5acc570 enc aes-128-gcm
esp tunnel from 10.65.12.10 to 10.65.13.10 spi
0xe19efd9f enc aes-128-gcm
pf.conf:
--------
ext_if = "em2"
int_if =
"internal"
match in all scrub (no-df random-id max-mss 1200)
antispoof for {
$ext_if, $int_if } inet
set skip on { lo, enc, $int_if }
set loginterface
$ext_if
match out on $ext_if from any to any nat-to ($ext_if)
block log all
pass quick on em0
# VPN
pass in on $ext_if proto udp from any to $ext_if port
{ isakmp, ipsec-nat-t }
pass out on $ext_if proto udp from $ext_if to any port
{ isakmp, ipsec-nat-t }
pass in on $ext_if proto esp from any to $ext_if
pass
out on $ext_if proto esp from $ext_if to any
/etc/hostname.bridge0:
----------------------
link2
add etherip0
add vether0
add em0
group "internal"
up
/etc/hostname.etherip0
----------------------
tunnel 10.65.13.10
10.65.12.10
group internal
up
/etc/hostname.vether0
---------------------
inet 10.14.254.35 255.255.0.0 NONE
description "Interconnexion"
group
"internal"
up
/etc/hostname.em0
------------------
up
/etc/hostname.em2
------------------
inet 10.65.13.10 255.255.255.0 NONE
description "Evil
Network"
group "external"
up
!route add -inet 10.65.12.0/24 10.65.13.1
/etc/sysctl.conf
----------------
net.inet.ip.forwarding=1
net.inet.etherip.allow=1
