Hello Kim, 

> Could you post your pf.conf?
My VPN_server's (A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)

match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types              = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:
(2)
$ pfctl -s rules
pass all flags S/SA

and this:
(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) the VPN works just fine with Win7_warrior and 
puffy_warrior if they connect from A.B.C.0/23 (it does not matter whether the 
warrior has a public IP or is behind NAT). The rest of the world fails to 
connect to the VPN_server.

> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?

By !A.B.C.0/23 I mean:
A.B.F.0/24 - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119 - tested both: public IP and behind router/NAT, warriors: Win7_warrior 
and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to VPN_server (pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 06d0dd81ba2f129d->0000000000000000 msgid: 00000000 len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid: 00000000 len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 64755be010cd32d2->0000000000000000 msgid: 00000000 len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid: 00000000 len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

> Hello Radek,
> 
> 
> On 11/2/18 10:16 PM, Radek wrote:
> > Thank you for your response,
> > 
> > Following your suggestion I removed IP from enc0 and changed iked.conf as 
> > below:
> > 
> > $ cat /etc/iked.conf
> > dns1 = "8.8.8.8"
> > dns2 = "8.8.4.4"
> > ikev2 "roadWarrior" ipcomp esp \
> >           from 0.0.0.0/0 to 0.0.0.0/0 \
> >           local A.B.C.77 peer any \
> >           srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> >           config address 10.0.1.0/24 \
> >           config netmask 255.255.255.0 \
> >           config name-server $dns1 \
> >           config name-server $dns2 \
> >           config access-server A.B.C.77 \
> >           config protected-subnet 0.0.0.0/0 \
> >           tag "$id"
> > 
> > It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
> I know this set-up to be working, as it is currently running here in 
> production.
> 
> 
> > 
> > I also tried another scenario: puffy_server <-> puffy_warrior
> > The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN 
> > works fine for clients from A.B.C.0/23.
> > Both machines are 6.3/i386.
> Your set-up is still a bit 'unclear', I would rather say you have a 
> firewall/routing problem than an IPSec problem. Error 809 means no data 
> received.
> 
> Could you post your pf.conf?
> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?
> 
> Cheers
> Kim
> 


-- 
radek
