Hello, I have a local_machine and a testing remote_gateway/NAT with one remoteLAN_machine behind it. All the boxes are running OpenBSD. I can log in (ssh) to remoteLAN_machine through a port forwarded on remote_gateway/NAT.
I'm trying to set up a site-to-site VPN between local_machine and the remote LAN. When I set it up (iked), local_machine can ping (only ping) remoteLAN_machine through the VPN tunnel. I CANNOT log in (ssh) to remoteLAN_machine from local_machine, either through the VPN or from outside (on the gateway's public IP and forwarded port). I need two-way access to the behind-NAT services/boxes. I don't know what I'm doing wrong. Could you shed some light on my problem/configs please? Thank you!

#### local_machine# cat /etc/iked.conf | grep "^[^#;]"
remote_gw_FW70 = "240.240.10.70"
remote_lan_FW70 = "10.0.100.0/24"
ikev2 quick active esp from egress to $remote_lan_FW70 \
        peer $remote_gw_FW70 \
        psk "aaa"

#### local_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on lo
block all
table <vpn_peers> const {240.240.10.96, 240.240.10.70 }
pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild

#### local_machine# ipsecctl -sa
FLOWS:
flow esp in from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type use
flow esp out from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256

#### remote_gateway/NAT# cat /etc/iked.conf | grep "^[^#;]"
local_lan_FW70 = "10.0.100.0/24"
remote_desk_RDK = "240.240.10.69"
ikev2 quick active esp \
        from $local_lan_FW70 to $remote_desk_RDK peer $remote_desk_RDK \
        psk "aaa"

#### remote_gateway/NAT# cat /etc/pf.conf | grep "^[^#;]"
sql_soe = "10.0.100.123"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
ssh_soe_int = "1071"
ssh_soe_ext = "22123"
set block-policy drop
set optimization normal
set ruleset-optimization basic
set skip on lo
set fingerprints "/dev/null"
antispoof quick for lo0
block all
match out log on egress from vr3:network nat-to egress:0
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
table <vpn_peers> const {240.240.10.96, 240.240.10.69 }
pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp keep state
pass log proto udp keep state
pass in log quick inet proto tcp from any to egress port $ssh_port flags S/SA keep state
pass in log quick on egress inet proto tcp from any to egress port $ssh_soe_ext rdr-to $sql_soe port $ssh_soe_int keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto { tcp, udp, esp } from vr3:network to any keep state
block in log on ! lo0 proto tcp to port 6000:6010

#### remote_gateway/NAT# ipsecctl -sa
FLOWS:
flow esp in from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type use
flow esp out from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x09952f16 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x216a3871 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x62c0615a auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x97cc9e5f auth hmac-sha2-256 enc aes-256

#### remoteLAN_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass all

-- radek
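Added example, not part of radek's post: a pf fragment for the remote_gateway/NAT that shows the rule the posted ruleset lacks for the symptom described. On OpenBSD, traffic decrypted from the tunnel is filtered a second time as inbound on enc0 before it is forwarded. The posted gateway ruleset starts with "block all", and every rule that can admit tunnel traffic is either "pass out ..." or "pass in ... on egress", except "pass inet proto icmp all icmp-type $icmp_types", which names no direction and no interface and therefore also admits decrypted ICMP on enc0. No rule admits decrypted TCP on enc0, which is consistent with ping working and ssh not. The existing "pass out quick on trust received-on enc0" only covers the second hop (out on the LAN side) and cannot help until the packet has been passed in on enc0. The fragment assumes vr3 is the LAN interface (inferred from the "match out ... from vr3:network nat-to egress:0" rule), reuses the post's macros, and is an illustration to drop into the ruleset for testing, not a tested replacement for it.

```pf
# Added example (not from the original post). Assumes vr3 is the LAN-side
# interface of remote_gateway/NAT and reuses the macros from the posted
# iked.conf and pf.conf.
remote_desk_RDK = "240.240.10.69"
local_lan_FW70 = "10.0.100.0/24"

# Keep the posted rules that pass ESP and UDP 500/4500 on egress; the
# outer ESP packets still need them.

# Packets that arrive inside the tunnel are decapsulated and then filtered
# as inbound on enc0. With "block all" in effect, only the interface-less
# ICMP rule in the posted ruleset lets anything in on enc0, so TCP (ssh)
# from local_machine is dropped here. This rule admits any IP protocol
# from the tunnel peer toward the remote LAN and keeps state, so the
# replies from the LAN back through enc0 match the same state.
pass in quick on enc0 inet from $remote_desk_RDK to $local_lan_FW70 keep state

# The hop from enc0 onto the LAN is already covered by the posted
# "pass out log proto tcp keep state" (and the udp/icmp equivalents),
# so no additional "pass out on vr3" rule is required for ssh.
```

To confirm the diagnosis before changing anything, add "log" to "block all" temporarily and watch pflog while attempting the ssh: a SYN from 240.240.10.69 to 10.0.100.123 blocked "in on enc0" is the expected evidence. Note that this fragment only addresses ssh through the tunnel; it says nothing about the separate failure of the forwarded port on the gateway's public IP, which the posted configs do not explain on their own.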