Hello @misc,

I still can't resolve the issue with outgoing connections from the OpenBSD 
road warrior's LAN clients, but connections from the road warrior's localhost go through 
the VPN as they should.

Any ideas about what could be wrong in my setup would be highly appreciated.

Martin

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 3, 2020 9:03 PM, Martin Got <martin...@protonmail.com> 
wrote:

> The OpenIKED IKEv2 VPN setup consists of an OpenBSD-6.6 based remote server and a 6.6 
> based road warrior client with a dynamic IP. The VPN works stably even over a link behind ISP NAT 
> with ping latency from ~750ms to ~1100ms. I hope latency of about 1000ms can't be related to the issue 
> because all the tests with the VPN disconnected/connected have been made on the same ISP channel.
>
> Any of the hosts from the LAN (192.168.0.0/24) connected to the road warrior can 
> reach external Internet hosts only with the VPN disconnected.
>
> If the VPN is connected, no host from the road warrior's LAN can reach any 
> Internet host. But any LAN host can connect to the road warrior's local services listening on 
> lo0 whether the VPN is connected or not.
>
> So I can't ping any Internet host from a road warrior LAN host if the VPN is 
> connected, but I can ping outside Internet hosts from the road warrior's localhost itself. In PF, ICMP is set 
> from any to any and ping works to any Internet host if the VPN is disabled. I think it can't be related to 
> firewall rules, maybe timeouts of PF connection states. I'm not completely sure about it.
>
> When the VPN is connected, all the road warrior's LAN traffic is disabled for some 
> reason; tcpdump shows requests and replies to the LAN host on enc0 but the initiator (192.168.0.5) doesn't 
> receive any replies. I don't know why.
>
> $ tcpdump -en -i pflog0
> 10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10:12.43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10.12.44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
> 10.12.47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
>
> LAN clients can reach the road warrior's localhost-bound services like DNS and 
> proxy, and it doesn't matter whether the VPN is enabled or not, but there is no outbound traffic 
> at all with the VPN enabled.
>
> The road warrior client has one NAT rule in PF to translate packets from its local IP 
> address when the VPN is disabled, and a second NAT rule to translate packets when the IKEv2 VPN is 
> connected, like:
>
> $ pf.conf (client)
>
> ---NAT
>
> =======
>
> match out log on enc0 inet all nat-to 10.0.1.2
> match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)
>
> ---ICMP
>
> ========
>
> pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
> echoreq, timex, paramprob, unreach code needfrag keep state
> pass out log inet proto icmp all
>
> ---Web
>
> =======
>
> pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
> port {www, https} modulate state
> pass out on enc0 inet proto tcp from 10.0.1.2 to any \
> port {www, https} flags S/SA modulate state
> pass out on (egress) inet proto tcp from (egress) to any \
> port {www, https} flags S/SA modulate state
>
> ---IPsec
>
> =========
>
> pass in log on (egress) inet proto esp from any to (egress) port {isakmp, ipsec-nat-t}
> pass out log on (egress) inet proto udp from (egress) to any port {isakmp, ipsec-nat-t} keep state
>
> pass in log on enc0 inet proto ipencap from any to (egress) keep state (if-bound)
> pass out log on enc0 inet proto ipencap from (egress) to any keep state (if-bound)
>
> pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
> pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
>
> ---
>
> ====
>
> /etc/sysctl.conf has
>
> =====================
>
> net.inet.ip.forwarding=1
>
> I bypass all the possible SA flows from/to the road warrior's LAN in 
> /etc/ipsec.conf, and all traffic from/to the road warrior's localhost services, so DNS works as expected (DNS 
> listens on the road warrior's localhost and all queries are redirected by an rdr-to rule in PF).
>
> $ /etc/ipsec.conf (client)
> flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
>
> flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
> flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
> flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass
>
> $ /etc/iked.conf (client)
> ikev2 "road-warrior" active esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local 1.2.3.4 peer 4.3.2.1 \
> srcid roadw.vpn dstid srv.vpn \
> ikelifetime 80m lifetime 100m bytes 256m \
> tag "IKED" \
> tap "enc0"
>
> rcctl -f start iked (client)
>
> =============================
>
> iked(OK)
>
> ipsecctl -f /etc/ipsec.conf (client)
>
> =====================================
>
> ipsecctl -sa (client)
>
> ======================
>
> FLOWS:
> flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type use
> flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp in from 127.0.0.1 to 127.0.0.1 type bypass
>
> flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type require
> flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp out from 127.0.0.1 to 127.0.0.1 type bypass
>
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256
>
> /etc/iked.conf (server)
>
> ========================
>
> ikev2 "server" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> local 4.3.2.1 peer any \
> srcid srv.vpn \
> ikelifetime 140m lifetime 200m bytes 110m \
> tag "IKED" \
> tap "enc0"
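An added diagnostic, written here for this thread and not part of Martin's post or of OpenIKED/PF: it parses the pflog lines quoted above, flags packets that were matched out on enc0 although they are addressed to a host inside the road warrior's LAN (the pattern the two echo replies to 192.168.0.5 show), and looks up which of the client's outbound flows would govern a given source/destination pair. The sample lines and the flow table are constructed from the quoted output, and the longest-prefix flow selection is my assumption about how the most specific flow is chosen.

```python
import ipaddress
import re

# Constructed sample: the pflog lines quoted in the thread (timestamps as captured).
PFLOG_SAMPLE = """\
10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12.43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10.12.44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
10.12.47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
"""

# Constructed from the client's 'ipsecctl -sa' output: outbound flows as (src, dst, type).
FLOWS_OUT = [
    ("0.0.0.0/0", "0.0.0.0/0", "require"),
    ("192.168.0.0/24", "192.168.0.0/24", "bypass"),
    ("192.168.0.0/24", "127.0.0.1/32", "bypass"),
    ("127.0.0.1/32", "192.168.0.0/24", "bypass"),
    ("127.0.0.1/32", "127.0.0.1/32", "bypass"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/\(match\)\s+(?P<action>\w+)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+(?P<rest>.*)$")


def parse_pflog(text):
    """Parse 'tcpdump -en -i pflog0' lines into dicts; lines that don't parse are skipped."""
    return [m.groupdict() for ln in text.splitlines() if (m := LINE_RE.match(ln.strip()))]


def lan_bound_on_tunnel(records, lan="192.168.0.0/24", tunnel_if="enc0"):
    """Packets matched out on the tunnel interface although addressed to a LAN host."""
    net = ipaddress.ip_network(lan)
    return [r for r in records
            if r["dir"] == "out" and r["ifname"] == tunnel_if
            and ipaddress.ip_address(r["dst"]) in net]


def flow_for(src, dst, flows=FLOWS_OUT):
    """Which flow governs src->dst. Assumption: the most specific matching flow wins
    (longest combined prefix), as a longest-match SPD lookup would choose."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for fs, fd, kind in flows:
        ns, nd = ipaddress.ip_network(fs), ipaddress.ip_network(fd)
        if s in ns and d in nd and (best is None or ns.prefixlen + nd.prefixlen > best[0]):
            best = (ns.prefixlen + nd.prefixlen, kind, fs, fd)
    return None if best is None else best[1:]


if __name__ == "__main__":
    for r in lan_bound_on_tunnel(parse_pflog(PFLOG_SAMPLE)):
        # 8.8.8.8 is the constructed pre-NAT source of the flagged replies.
        print(r["ts"], r["src"], ">", r["dst"], "left on", r["ifname"], "; flow:", flow_for("8.8.8.8", r["dst"]))
```

The lookup for 8.8.8.8 to 192.168.0.5 lands on the 0.0.0.0/0 to 0.0.0.0/0 require flow, since none of the bypass flows has an Internet source; that is the check to run before touching the PF rules.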

