I’ve been a long time user of OpenBSD, but this is the first time I’m trying to 
setup a VPN. I’m not sure what I’m doing wrong, or what should be the next step 
to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.

I need to end up with a configuration that will support several simultaneous 
roaming users connecting from anywhere they happen to be.

Client:
macOS 10.15.7
Using builtin VPN client

Server:
OpenBSD 6.6
em1 = 23.X.X.128/29
em0 = 10.0.0.0/16
enc0 = 10.1.0.0/16

From the client I can connect to 10.0.0.1 but anything outside that network 
traffic slows but does not return:


# --- client: curl -v ipinfo.io/ip ---

*   Trying 216.239.36.21:80...
[ never connects ]




# --- server: iked -dv ---

ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129 
peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 
auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com 
lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0 
config netmask 255.255.0.0 config name-server 10.0.0.1
[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'
[--- CLIENT DISCONNECT ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'



# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---

tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408271831 0,sackOK,eol> (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408272831 0,sackOK,eol> (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408273831 0,sackOK,eol> (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408274831 0,sackOK,eol> (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408275831 0,sackOK,eol> (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408276831 0,sackOK,eol> (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408278831 0,sackOK,eol> (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408282832 0,sackOK,eol> (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408290832 0,sackOK,eol> (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 
408306832 0,sackOK,eol> (DF)



# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---

tcpdump: listening on enc0, link-type ENC
[ no output ]



# --- server: iked.conf ---

# TODO: Change from psk authentication to user-based later.

ikev2 "vpn" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local egress peer any \
    srcid vpn.<server>.com \
    psk "password" \
    config address 10.1.0.0/16 \
    config netmask 255.255.0.0 \
    config name-server 10.0.0.1 \
    tag "IKED"



# ---- server: pf.conf ---

doas cat pf.conf.vpn 
int_if = "em0"

ext_if = "em1"
ext_net = "23.X.X.128/29"

gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on {lo, enc0}

block return    # block stateless traffic
pass        # establish keep-state

pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)



# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---

net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1