Thanks Marko, but I have found the problem. These rules were under an anchor sub-group of rules ... Moving these rules to the top, after "block log all", everything is working ...
Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać <marko.cu...@mimar.rs> wrote:
> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am trying to configure an IPsec tunnel (host-to-host) between two
> > hosts that goes through an OpenBSD firewall. The tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks the traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> > To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)
> >
> > Any idea?
>
> Hard to say without the complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before it with the 'quick'
> keyword) permits it.
>
> Check the exact line with pfctl -vvsr. Add either a default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out the exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
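The ordering the thread converges on, as an added pf.conf example that is not from either poster: a logged default block, followed by explicit ESP pass rules in the main ruleset, with the same rules shown a second time inside an anchor placed after the block. The interface and addresses are the ones from the thread; the anchor name "ipsec", the macro names and the IKE (UDP 500/4500) lines are assumptions made for completeness, and the pfctl/tcpdump commands in the comments are the standard OpenBSD checks for seeing which rule number actually matched.

```pf
# Added example, not part of the original thread. Interface and hosts follow
# the thread; the anchor name and the IKE lines are assumptions.

ext_if = "vio0"
host_a = "172.22.59.6"
host_b = "172.22.55.2"

set skip on lo

# Default deny, logged. pf is last-match-wins: anything that must pass has to
# be matched by a LATER rule, or by an EARLIER rule that carries 'quick'.
block log all

# IKE between the two tunnel endpoints (assumption: the tunnel was already
# established in the thread, so this is most likely already permitted).
pass on $ext_if proto udp from { $host_a $host_b } to { $host_a $host_b } port { 500 4500 }

# ESP is IP protocol 50, not TCP: 'flags S/SA' rules never describe it.
# Pass it explicitly in both directions on the interface the log named.
pass in  on $ext_if proto esp from $host_a to $host_b
pass out on $ext_if proto esp from $host_a to $host_b
pass in  on $ext_if proto esp from $host_b to $host_a
pass out on $ext_if proto esp from $host_b to $host_a

# Equivalent placement inside an anchor. An anchor's rules are evaluated at
# the point where the 'anchor' line sits, so a match inside it is only the
# last match if the anchor line itself comes after 'block log all'.
anchor "ipsec" on $ext_if {
    pass proto esp from $host_a to $host_b
    pass proto esp from $host_b to $host_a
}

# Checks (run as root on the firewall):
#   pfctl -nf /etc/pf.conf            parse only, load nothing
#   pfctl -vvsr                       main ruleset with @N rule numbers, so
#                                     "rule 24/(match)" can be mapped to a line
#   pfctl -a '*' -sr                  rules of every anchor, recursively
#   tcpdump -n -e -ttt -i pflog0 'ip proto 50'
#                                     watch pflog for ESP still being blocked
```

One caveat worth keeping in mind when reading the original `pass in ... keep state (if-bound)` rules: a state bound to the inbound interface is not consulted when the same forwarded packet leaves on vio0, so the outbound side falls back to the ruleset and hits the default block. Floating state (pf's default) or an explicit `pass out` on the egress interface, as in the example, covers that direction.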