I have added to /etc/pf.conf:

ipsec_if = "axen0"
ipsec_remote_lan = "192.168.5.0/24"
pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan

but outgoing traffic from the client's lo0 is blocked anyway:

rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
776927979:776927979(0) ack 896868769 win 16384 <mss...

Denis

On 5/14/2018 2:17 PM, Denis wrote:
> Incoming connections to the client's IP (192.168.6.1) are established and
> seem to be redirected to lo0:port, but the outgoing connection from the
> client's lo0 to the server's IP (192.168.5.1) is blocked according to
>
> # tcpdump -en -i pflog0 output:
>
> ...
> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
> 776927979:776927979(0) ack 896868769 win 16384 <mss...
> ...
>
> Do I need to add a NAT rule to have the reply passed to the server's source IP
> (192.168.5.1) or what?
>
> Thanks.
>
> Denis
>
>
> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone
>> wrong. What about logging blocked packets
>>
>> block log (all, to pflog0)
>>
>> in pf.conf and dumping it
>>
>> # tcpdump -en -i pflog0
>>
>> while doing what you expect should work?
>>
>> // Johan
>>
>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>
>>> Johan,
>>>
>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>
>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>     keep state (if-bound)
>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>     keep state (if-bound)
>>>
>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>
>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have a working ikev2 tunnel between two virtual aliased subnets. But no
>>>>> traffic over the IPsec tunnel from $ext_if on the server machine to $ext_if
>>>>> on the client machine and vice versa. Both machines are used in production
>>>>> and firewalled by PF.
>>>>>
>>>>> ------------------------
>>>>> # cat /etc/hostname.em1
>>>>> ### server $ext_if
>>>>> dhcp
>>>>> alias 192.168.5.1 255.255.255.0
>>>>> ------------------------
>>>>>            |
>>>>>            | IPsec
>>>>>            |
>>>>> ------------------------
>>>>> # cat /etc/hostname.axen0
>>>>> ### client $ext_if
>>>>> dhcp
>>>>> alias 192.168.6.1 255.255.255.0
>>>>> ------------------------
>>>>>
>>>>> I can ping each 'end' of the IPsec virtual subnets from both sides of the
>>>>> tunnel (after IPs are assigned to both gateways by the ISP's dhcp), but no
>>>>> traffic though.
>>>>>
>>>>> server# ping 192.168.6.1
>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time=1.064 ms
>>>>> ...
>>>>> client# ping 192.168.5.1
>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=0.785 ms
>>>>> ...
>>>>>
>>>>> The final goal is: all incoming traffic on the server's $ext_if = "em1" for
>>>>> selected ports 25, 443, 465, 993 etc. must be redirected from the aliased
>>>>> server IP 192.168.5.1 through the IPsec tunnel to the appropriate services
>>>>> on the aliased client IP 192.168.6.1, so the client can reply to incoming
>>>>> connections to the remote server via the IPsec LAN.
>>>>>
>>>>> No routing is needed between the server's / client's 'real' private LANs.
>>>>> Because of that I've decided to use aliased virtual LANs for IPsec
>>>>> tunneling. But I'm not sure about the correctness of this.
>>>>>
>>>>> server# cat /etc/iked.conf
>>>>> gw_ip = "em1"
>>>>> local_lan = "192.168.5.0/24"   # server side virtual subnet alias to em1,
>>>>>                                # which obtains an address from dhcp
>>>>> remote_lan = "192.168.6.0/24"  # client virtual subnet alias to axen0,
>>>>>                                # which obtains an address from dhcp too
>>>>> mode = "passive"
>>>>>
>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>     from $local_lan to $remote_lan \
>>>>>     local $gw_ip peer any \
>>>>>     srcid srv-pubkey dstid clnt-pubkey \
>>>>>     tag "srv.tld.ipsec" \
>>>>>     tap "enc0"
>>>>>
>>>>> server# cat /etc/pf.conf
>>>>> ...
>>>>> ext_if = em1
>>>>> ipsec_if = em1
>>>>> ipsec_enc_if = enc0
>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>> ...
>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>> queue bulk parent rootq bandwidth 10M default
>>>>> ...
>>>>> block on $ext_if all
>>>>> block on $ipsec_enc_if all
>>>>> ...
>>>>>
>>>>> # --- IPsec
>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>     {isakmp, ipsec-nat-t}
>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>     {isakmp, ipsec-nat-t} keep state
>>>>>
>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>     keep state set queue ipsec
>>>>>
>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>     keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>     keep state (if-bound)
>>>>>
>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>     $ipsec_local_lan keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>     $ipsec_remote_lan keep state (if-bound)
>>>>> ...
>>>>>
>>>>>
>>>>> client# cat /etc/iked.conf
>>>>> gw_ip = "axen0"
>>>>> local_lan = "192.168.6.0/24"   # client virtual subnet alias to axen0,
>>>>>                                # which obtains an address from dhcp
>>>>> remote_lan = "192.168.5.0/24"  # server side virtual subnet alias to em0,
>>>>>                                # which obtains an address from dhcp
>>>>> srv_ip = "a.b.c.d"             # server's IP is the same each time from the ISP's dhcp
>>>>> mode = "active"
>>>>>
>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>     from $local_lan to $remote_lan \
>>>>>     local $gw_ip peer $srv_ip \
>>>>>     srcid clnt-pubkey dstid srv-pubkey \
>>>>>     tag "clnt.tld.ipsec" \
>>>>>     tap "em0"
>>>>>
>>>>> client# cat /etc/pf.conf
>>>>> ...
>>>>> ext_if = axen0
>>>>> ipsec_if = axen0
>>>>> ipsec_enc_if = enc0
>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>> ...
>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>> queue bulk parent rootq bandwidth 10M default
>>>>> ...
>>>>> block on $ext_if all
>>>>> block on $ipsec_enc_if all
>>>>> ...
>>>>>
>>>>> # --- IPsec
>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>     {isakmp, ipsec-nat-t}
>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>     {isakmp, ipsec-nat-t} keep state
>>>>>
>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>> pass out quick on $ipsec_if proto esp from ($ipsec_if) to any \
>>>>>     keep state set queue ipsec
>>>>>
>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>
>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>     keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>     keep state (if-bound)
>>>>>
>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>     $ipsec_local_lan keep state (if-bound)
>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>     $ipsec_remote_lan keep state (if-bound)
>>>>> ...
>>>>>
>>>>> I think there can be something wrong in the PF configuration or
>>>>> something missed/unfinished in the IPsec traffic filtering.
>>>>>
>>>>> Please advise.
>>>>
>>>> Do you not need a “proto ipencap” on the last two pass-rules that permit
>>>> traffic between your LANs?
>>>>
>>>> // Johan
>>>>
>>>
>>
>
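Added here as a worked example for the `tcpdump -en -i pflog0` step Johan suggests and for the blocked line Denis posted; it is not code from either poster or from OpenBSD. It parses the pflog header format OpenBSD's tcpdump prints (IPv4 only), tallies blocks per rule number, direction and interface so a number like "rule 14" can be matched against `pfctl -vvsr`, reads the TCP flags (a `S ... ack N` line is a SYN-ACK, i.e. the reply to a connection the other side opened, not a new outbound flow) and flags packets whose 127/8 source is leaving a non-loopback interface, which is what the posted line shows. The sample lines are constructed to resemble that line; the timestamps, port numbers and the other rule numbers are assumptions.

```python
"""Triage `tcpdump -en -i pflog0` output: which rule blocked what, and which
blocked packets carry a loopback source on a non-loopback interface.

Added example for this thread, not code from the posters or from OpenBSD.
The SAMPLE lines are constructed to look like the line Denis posted (rule 14,
block out on axen0, 127.0.0.1 -> 192.168.5.1, SYN-ACK); timestamps, ports and
the other rules are assumptions. IPv4 only.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

# pflog header as OpenBSD tcpdump(8) prints it with -e, then the usual IPv4
# summary: "rule N/(reason) ACTION DIR on IFACE: SRC > DST: details".
HEADER_RE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+)?"
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\)\s+"
    r"(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:\s]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):(?:\s+(?P<rest>.*))?$"
)


def split_addr(token):
    """tcpdump writes 'a.b.c.d.port'; return (ip, port), or (ip, None) for port-less protocols."""
    host, dot, last = token.rpartition(".")
    if dot and last.isdigit():
        try:
            ip_address(host)  # only a real port if what is left is a full address
            return host, int(last)
        except ValueError:
            pass
    return str(ip_address(token)), None


def parse_pflog_line(line):
    """Return a dict describing one pflog line, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_addr(m["src"])
    dst, dport = split_addr(m["dst"])
    rest = m["rest"] or ""
    first = rest.split(" ", 1)[0] if rest else ""
    # TCP: flags first ("S", ".", "P", "F", "R"), then seq:seq(len), then
    # "ack N" when ACK is set. "S ... ack N" is therefore a SYN-ACK: the reply
    # half of a connection the other side opened, not a new outbound flow.
    proto, tcp_flags, is_syn_ack = None, None, False
    if first.startswith("icmp"):
        proto = "icmp"
    elif first == "udp":
        proto = "udp"
    elif sport is not None and re.fullmatch(r"[SFRP.]+", first):
        proto, tcp_flags = "tcp", first
        is_syn_ack = "S" in first and " ack " in f" {rest} "
    return {
        "ts": m["ts"], "rule": int(m["rule"]), "reason": m["reason"],
        "action": m["action"], "dir": m["dir"], "ifname": m["ifname"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto": proto, "tcp_flags": tcp_flags, "is_syn_ack": is_syn_ack,
    }


def parse_pflog(text):
    """Parse every pflog line in a capture, skipping anything that is not one."""
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def block_summary(records):
    """Count blocked packets per (rule number, direction, interface)."""
    return Counter((r["rule"], r["dir"], r["ifname"])
                   for r in records if r["action"] == "block")


def loopback_egress(records):
    """Packets with a 127/8 source leaving a non-loopback interface. Such a
    source is never valid on the wire, so pf is right to drop it; the question
    for the operator is why a reply from a service on lo0 reached the egress
    filter with its loopback source address still in place."""
    return [r for r in records
            if r["dir"] == "out" and not r["ifname"].startswith("lo")
            and ip_address(r["src"]) in LOOPBACK]


# Constructed sample modelled on the thread's line; all numbers are made up.
SAMPLE = """\
14:17:02.481133 rule 14/(match) block out on axen0: 127.0.0.1.25 > 192.168.5.1.40312: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF)
14:17:03.112090 rule 14/(match) block out on axen0: 127.0.0.1.25 > 192.168.5.1.40312: S 776927979:776927979(0) ack 896868769 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF)
14:17:05.000001 rule 3/(match) block in on axen0: 203.0.113.7.51234 > 192.168.6.1.22: S 1:1(0) win 65535
14:17:06.250000 rule 2/(match) pass in on enc0: 192.168.5.1.40312 > 192.168.6.1.25: S 896868768:896868768(0) win 16384 <mss 1460>
14:17:06.250100 rule 7/(match) block out on enc0: 192.168.6.1 > 192.168.5.1: icmp: echo request
"""

if __name__ == "__main__":
    recs = parse_pflog(SAMPLE)
    for key, n in sorted(block_summary(recs).items()):
        print("rule %d %s on %s: %d blocked" % (key + (n,)))
    for r in loopback_egress(recs):
        print("loopback source on %s: %s.%s > %s.%s %s" % (
            r["ifname"], r["src"], r["sport"], r["dst"], r["dport"],
            "(SYN-ACK)" if r["is_syn_ack"] else ""))
```

Feed it a real capture with `tcpdump -en -i pflog0 | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; the rule numbers it prints are the ones `pfctl -vvsr` shows as `@N`, which is how a `block ... all` catch-all is told apart from a specific rule.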