Nah, sorry, I misread your rules. On second look, I don't see what's gone wrong. What about logging blocked packets

    block log (all, to pflog0)

in pf.conf and dumping it with

    # tcpdump -en -i pflog0

while doing what you expect should work?

// Johan

> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>
> Johan,
>
> Do I have to remove these two rules or modify them by removing ipencap?
>
> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>     keep state (if-bound)
> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>     keep state (if-bound)
>
> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>
>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>
>>> Hello,
>>>
>>> I have a working ikev2 tunnel between two virtual aliased subnets, but no
>>> traffic goes over the IPsec tunnel from $ext_if on the server machine to
>>> $ext_if on the client machine and vice versa. Both machines are in
>>> production use and firewalled by PF.
>>>
>>> ------------------------
>>> # cat /etc/hostname.em1
>>> ### server $ext_if
>>> dhcp
>>> alias 192.168.5.1 255.255.255.0
>>> ------------------------
>>>            |
>>>            | IPsec
>>>            |
>>> ------------------------
>>> # cat /etc/hostname.axen0
>>> ### client $ext_if
>>> dhcp
>>> alias 192.168.6.1 255.255.255.0
>>> ------------------------
>>>
>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the
>>> tunnel (after an IP is assigned to both gateways by the ISP's dhcp), but
>>> no traffic goes through.
>>>
>>> server# ping 192.168.6.1
>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
>>> ...
>>> client# ping 192.168.5.1
>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
>>> ...
>>>
>>> The final goal is: all incoming traffic on the server's $ext_if = "em1"
>>> for selected ports (25, 443, 465, 993, etc.) must be redirected from the
>>> aliased server IP 192.168.5.1 through the IPsec tunnel to the appropriate
>>> services on the aliased client IP 192.168.6.1, so the client can reply to
>>> incoming connections to the remote server via the IPsec LAN.
>>>
>>> No routing is needed between the server's and the client's 'real'
>>> private LANs. Because of that I've decided to use aliased virtual LANs
>>> for IPsec tunneling. But I'm not sure about the correctness of this.
>>>
>>> server# cat /etc/iked.conf
>>> gw_ip = "em1"
>>> # server side virtual subnet, alias to em1 which obtains an address
>>> # from dhcp
>>> local_lan = "192.168.5.0/24"
>>> # client virtual subnet, alias to axen0 which obtains an address from
>>> # dhcp too
>>> remote_lan = "192.168.6.0/24"
>>> mode = "passive"
>>>
>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip peer any \
>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>     tag "srv.tld.ipsec" \
>>>     tap "enc0"
>>>
>>> server# cat /etc/pf.conf
>>> ...
>>> ext_if = em1
>>> ipsec_if = em1
>>> ipsec_enc_if = enc0
>>> ipsec_local_lan = "192.168.5.0/24"
>>> ipsec_remote_lan = "192.168.6.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>> queue bulk parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>>
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>     {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>     {isakmp, ipsec-nat-t} keep state
>>>
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>     keep state set queue ipsec
>>>
>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>     keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>     keep state (if-bound)
>>>
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>     $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>     $ipsec_remote_lan keep state (if-bound)
>>> ...
>>>
>>>
>>> client# cat /etc/iked.conf
>>> gw_ip = "axen0"
>>> # client virtual subnet, alias to axen0 which obtains an address from
>>> # dhcp
>>> local_lan = "192.168.6.0/24"
>>> # server side virtual subnet, alias to em0 which obtains an address
>>> # from dhcp
>>> remote_lan = "192.168.5.0/24"
>>> # the server's IP is the same each time from the ISP's dhcp
>>> srv_ip = "a.b.c.d"
>>> mode = "active"
>>>
>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>     from $local_lan to $remote_lan \
>>>     local $gw_ip peer $srv_ip \
>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>     tag "clnt.tld.ipsec" \
>>>     tap "em0"
>>>
>>> client# cat /etc/pf.conf
>>> ...
>>> ext_if = axen0
>>> ipsec_if = axen0
>>> ipsec_enc_if = enc0
>>> ipsec_local_lan = "192.168.6.0/24"
>>> ipsec_remote_lan = "192.168.5.0/24"
>>> ...
>>> queue rootq on $ext_if bandwidth 100M max 100M
>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>> queue bulk parent rootq bandwidth 10M default
>>> ...
>>> block on $ext_if all
>>> block on $ipsec_enc_if all
>>> ...
>>>
>>> # --- IPsec
>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>     {isakmp, ipsec-nat-t}
>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>     {isakmp, ipsec-nat-t} keep state
>>>
>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>     keep state set queue ipsec
>>>
>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>     keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>     keep state (if-bound)
>>>
>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>     $ipsec_local_lan keep state (if-bound)
>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>     $ipsec_remote_lan keep state (if-bound)
>>> ...
>>>
>>> I think something may be wrong in the PF configuration, or I have
>>> missed or left unfinished the IPsec traffic filtering.
>>>
>>> Please advise.
>>
>> Do you not need a "proto ipencap" on the last two pass rules that permit
>> traffic between your LANs?
>>
>> // Johan
>>
>
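The debugging step Johan suggests (change the two catch-all `block` rules to `block log (all, to pflog0)`, then watch `tcpdump -en -i pflog0` while reproducing the failure) produces one line per dropped packet, each carrying the number of the rule that dropped it. The shell script below is an added example, not code from the thread or from OpenBSD: it summarises such a capture by action, direction, interface and rule number, and maps a rule number back to the rule text that `pfctl -vvsr` prints with an `@N` prefix. Both inputs are constructed samples (the pflog lines use the thread's 192.168.5.0/24 and 192.168.6.0/24 subnets plus documentation addresses; the exact field layout of tcpdump's pflog decoding is assumed from memory, so adjust the field offsets if your tcpdump prints extra tokens such as uid/pid). Feed the functions live data with `tcpdump -en -i pflog0 | summarize_pflog` and `pfctl -vvsr | rule_text N`.

```shell
#!/bin/sh
# Added example, not from the thread: triage hits from a
# "block log (all, to pflog0)" rule and map them back to the ruleset.
# Both functions read stdin, so they accept live tcpdump/pfctl output
# or the constructed samples below.

# Constructed sample of `tcpdump -en -i pflog0` output (assumed layout):
#   TIMESTAMP rule N/(match) ACTION DIR on IFACE: SRC > DST: ...
SAMPLE_PFLOG='12:00:01.000001 rule 1/(match) block in on enc0: 192.168.6.1 > 192.168.5.1: icmp: echo request
12:00:01.000002 rule 1/(match) block in on enc0: 192.168.6.1 > 192.168.5.1: icmp: echo request
12:00:02.000003 rule 1/(match) block in on enc0: 192.168.6.1.40001 > 192.168.5.1.25: S 1:1(0) win 16384
12:00:03.000004 rule 0/(match) block in on em1: 203.0.113.9.5555 > 198.51.100.7.22: S 1:1(0) win 65535
12:00:03.000005 rule 0/(match) block in on em1: 203.0.113.9.5556 > 198.51.100.7.23: S 1:1(0) win 65535
12:00:04.000006 rule 1/(match) block out on enc0: 192.168.5.1 > 192.168.6.1: icmp: echo reply'

# Constructed sample of `pfctl -vvsr` output. The "@N" prefix is the rule
# number that pflog reports, so it is what the tcpdump lines refer to.
SAMPLE_RULES='@0 block drop on em1 all
  [ Evaluations: 8         Packets: 2         Bytes: 120         States: 0     ]
@1 block drop on enc0 all
  [ Evaluations: 6         Packets: 4         Bytes: 400         States: 0     ]
@2 pass in quick on em1 inet proto udp from any to 198.51.100.7 port = 500
  [ Evaluations: 1         Packets: 1         Bytes: 140         States: 1     ]'

# summarize_pflog: stdin = tcpdump pflog lines; stdout = one line per
# (action, direction, interface, rule) with its hit count, busiest first.
# Lines without a "rule N/..." token (tcpdump banners) are skipped.
summarize_pflog() {
	awk '
		{
			for (i = 1; i <= NF; i++)
				if ($i == "rule") break
			if (i > NF - 5) next              # no "rule N/x ACT DIR on IF" here
			split($(i + 1), r, "/")           # "1/(match)" -> r[1] = "1"
			iface = $(i + 5)
			sub(/:$/, "", iface)              # "enc0:" -> "enc0"
			key = $(i + 2) " " $(i + 3) " on " iface " rule " r[1]
			hits[key]++
		}
		END { for (k in hits) printf "%d %s\n", hits[k], k }
	' | sort -rn
}

# rule_text: $1 = rule number from a pflog line; stdin = pfctl -vvsr output.
# Prints that rule as loaded, without the "@N " prefix, so the number in
# the log can be read as pf.conf text; prints nothing if it is not found.
rule_text() {
	awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# Demo on the constructed samples: which rule is eating the enc0 traffic?
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog |
while read -r count action dir _on iface _rule num; do
	printf '%s x %s %s on %s <- rule %s: %s\n' "$count" "$action" "$dir" \
		"$iface" "$num" "$(printf '%s\n' "$SAMPLE_RULES" | rule_text "$num")"
done
```

On the sample data the first summary line is the enc0 inbound drops under rule 1, which `rule_text 1` resolves to `block drop on enc0 all`: that is the signature of packets arriving on enc0 that no `pass` rule matched, which is exactly the case to inspect when the decapsulated LAN-to-LAN traffic is expected to be passed by the last two rules.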