Re: VPN IKEv2 Traffic Flows Only One Direction

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Ian Timothy  wrote:
> int_if = "em0"
>
> ext_if = "em1"
> ext_net = "23.X.X.128/29"
>
> gateway_ip_ext = "{ 23.X.X.129 }"
> gateway_ip_int = "{ 10.0.0.1 }"
>
> set skip on {lo, enc0}
>
> block return   # block stateless traffic
> pass           # establish keep-state
>
> pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

...also you only nat for em0:network which doesn't cover your vpn range
>
>
> # --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---
>
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.esp.udpencap=1



Re: VPN IKEv2 Traffic Flows Only One Direction

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Ian Timothy  wrote:
> I’ve been a long time user of OpenBSD, but this is the first time I’m trying 
> to setup a VPN. I’m not sure what I’m doing wrong, or what should be the next 
> step to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.
>
> I need to end up with a configuration that will support several simultaneous 
> roaming users connecting from anywhere they happen to be.
>
> Client:
> macOS 10.15.7
> Using builtin VPN client
>
> Server:
> OpenBSD 6.6

6.8 is recommended, iked has seen a lot of improvements since 6.6.

> em1 = 23.X.X.128/29
> em0 = 10.0.0.0/16
> enc0 = 10.1.0.0.16

enc0 should not be configured with an address

> From the client I can connect to 10.0.0.1 but anything outside that network 
> traffic slows but does not return:

> # --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---
>
> net.inet.ipcomp.enable=1
> net.inet.esp.enable=1
> net.inet.esp.udpencap=1

net.inet.ip.forwarding?
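
The two replies above point at a sysctl (net.inet.ip.forwarding) and at a pf nat-to rule whose source (em0:network) does not cover the iked address pool. As an added example that is not part of the thread, here is a small Python checker that parses a pf.conf ruleset, expands its macros, and tests whether any outbound nat-to rule covers a given VPN pool, together with a sysctl-output check. Inputs are constructed: the posted pf.conf with the masked 23.X.X.128/29 block replaced by a documentation prefix, the 10.1.0.0/16 pool from the posted iked.conf, and a sysctl dump that adds net.inet.ip.forwarding=0. The second nat-to rule in FIXED_PF_CONF is my assumption of what the fix would look like, not a line from the thread.

```python
import ipaddress
import re

# Constructed input: the pf.conf from the post, with the masked public prefix
# replaced by a documentation block (203.0.113.0/24).
POSTED_PF_CONF = """\
int_if = "em0"
ext_if = "em1"
ext_net = "203.0.113.128/29"

set skip on {lo, enc0}

block return   # block stateless traffic
pass           # establish keep-state

pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)
"""

# Assumed fix: a second nat-to rule whose source covers the iked pool.
FIXED_PF_CONF = POSTED_PF_CONF + """\
vpn_net = "10.1.0.0/16"
pass out on $ext_if from $vpn_net to any nat-to ($ext_if:0)
"""

# Constructed interface networks matching the post (em1 uses the placeholder).
IFACE_NETS = {"em0": "10.0.0.0/16", "em1": "203.0.113.128/29"}

# Pool iked hands out to roadwarriors ("config address 10.1.0.0/16").
VPN_POOL = "10.1.0.0/16"

# Constructed sysctl output: the three posted values plus the one asked about.
SYSCTL_OUT = """\
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1
net.inet.ip.forwarding=0
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
NAT_RE = re.compile(r'^\s*pass\s+out\b.*?\bfrom\s+(\S+)\s+to\s+(\S+)\s+nat-to\b', re.M)


def expand_macros(conf):
    """Replace $name references with the quoted value of each macro definition."""
    macros = dict(MACRO_RE.findall(conf))
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), conf)


def resolve_host(token, iface_nets):
    """Turn a pf address token (any, ifname:network, CIDR) into an IPv4 network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    m = re.fullmatch(r'(\w+):network', token)
    if m:
        return ipaddress.ip_network(iface_nets[m.group(1)])
    return ipaddress.ip_network(token, strict=False)


def nat_sources(conf, iface_nets):
    """Source networks of every outbound nat-to rule after macro expansion."""
    expanded = expand_macros(conf)
    return [resolve_host(src, iface_nets) for src, _dst in NAT_RE.findall(expanded)]


def pool_is_natted(conf, iface_nets, pool):
    """True if some nat-to rule's source covers the whole VPN address pool."""
    pool_net = ipaddress.ip_network(pool)
    return any(pool_net.subnet_of(src) for src in nat_sources(conf, iface_nets))


def sysctl_value(output, key):
    """Value of one key in 'key=value' sysctl output, or None if absent."""
    m = re.search(r'^' + re.escape(key) + r'=(\S+)', output, re.M)
    return m.group(1) if m else None


def audit(conf, iface_nets, pool, sysctl_out):
    """Return the findings the two replies in the thread would have you check."""
    findings = []
    if sysctl_value(sysctl_out, "net.inet.ip.forwarding") != "1":
        findings.append("net.inet.ip.forwarding is not 1: decapsulated VPN packets are not routed")
    if not pool_is_natted(conf, iface_nets, pool):
        # Matches the posted tcpdump on em1: SYNs leave with source 10.1.114.47,
        # a pool address that nothing on the Internet can answer.
        findings.append(f"no nat-to rule covers VPN pool {pool}: replies cannot return")
    return findings


if __name__ == "__main__":
    for line in audit(POSTED_PF_CONF, IFACE_NETS, VPN_POOL, SYSCTL_OUT):
        print("FINDING:", line)
```

Run as-is it prints two findings against the posted configuration; with FIXED_PF_CONF and forwarding set to 1 it prints none. The parser only understands the subset of pf syntax the posted file uses (quoted macros, `ifname:network`, `any`, CIDR), which is enough to show why em0:network never matches packets sourced from the 10.1.0.0/16 pool.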




VPN IKEv2 Traffic Flows Only One Direction

2020-11-15 Thread Ian Timothy
I’ve been a long time user of OpenBSD, but this is the first time I’m trying to 
setup a VPN. I’m not sure what I’m doing wrong, or what should be the next step 
to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.

I need to end up with a configuration that will support several simultaneous 
roaming users connecting from anywhere they happen to be.

Client:
macOS 10.15.7
Using builtin VPN client

Server:
OpenBSD 6.6
em1 = 23.X.X.128/29
em0 = 10.0.0.0/16
enc0 = 10.1.0.0.16

From the client I can connect to 10.0.0.1 but anything outside that network 
traffic slows but does not return:


# --- client: curl -v ipinfo.io/ip ---

*   Trying 216.239.36.21:80...
[ never connects ]




# --- server: iked -dv ---

ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129 
peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 
auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com 
lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0 
config netmask 255.255.0.0 config name-server 10.0.0.1
[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'
[--- CLIENT DISCONNECT ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'



# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---

tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 
3159801057:3159801057(0) win 65535  (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)



# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---

tcpdump: listening on enc0, link-type ENC
[ no output ]



# --- server: iked.conf ---

# TODO: Change from psk authentication to user-based later.

ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn..com \
psk "password" \
config address 10.1.0.0/16 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "IKED"



# --- server: pf.conf ---

doas cat pf.conf.vpn 
int_if = "em0"

ext_if = "em1"
ext_net = "23.X.X.128/29"

gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on {lo, enc0}

block return   # block stateless traffic
pass           # establish keep-state

pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)



# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---

net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1