Re: iked : pf.conf rule for outgoing traffic
* Stuart Henderson le [10-12-2018 18:19:41 +]:
> On 2018-12-07, Thuban wrote:
> > * Stuart Henderson le [06-12-2018 13:44:50 +]:
> >> [...]
> >> I used this,
> >>
> >> pass in on enc0 inet from $some_net
> >> pass out quick on egress inet received-on enc0 nat-to $some_address
> >>
> >> Also I don't remember what you've already said you checked, but
> >> make sure you have sysctl net.inet.ip.forwarding=1.
> >
> > Thank you.
> > Yes, I do have ip.forwarding=1.
> >
> > I'm confused how to replace "$some_address". Isn't it "(egress)" ?
> >
> > Regards.
>
> It depends on what you want - I was just giving you the working example
> you asked for :-)
>
> in my case I want to nat to a specific address, and not track the
> address/es on any egress interfaces.

Okay, got it, it works as expected. Thank you :)
Re: iked : pf.conf rule for outgoing traffic
On 2018-12-07, Thuban wrote:
> * Stuart Henderson le [06-12-2018 13:44:50 +]:
>> On 2018-12-06, Thuban wrote:
>> > [...]
>>
>> I used this,
>>
>> pass in on enc0 inet from $some_net
>> pass out quick on egress inet received-on enc0 nat-to $some_address
>>
>> Also I don't remember what you've already said you checked, but
>> make sure you have sysctl net.inet.ip.forwarding=1.
>>
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
>
> Regards.

It depends on what you want - I was just giving you the working example
you asked for :-)

in my case I want to nat to a specific address, and not track the
address/es on any egress interfaces.
Re: iked : pf.conf rule for outgoing traffic
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?

"(egress)" or your_WAN_IP

On Fri, 7 Dec 2018 10:00:07 +0100
Thuban wrote:

> * Stuart Henderson le [06-12-2018 13:44:50 +]:
> > On 2018-12-06, Thuban wrote:
> > > [...]
> >
> > I used this,
> >
> > pass in on enc0 inet from $some_net
> > pass out quick on egress inet received-on enc0 nat-to $some_address
> >
> > Also I don't remember what you've already said you checked, but
> > make sure you have sysctl net.inet.ip.forwarding=1.
> >
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
>
> Regards.
>

-- 
radek
Re: iked : pf.conf rule for outgoing traffic
* Stuart Henderson le [06-12-2018 13:44:50 +]:
> On 2018-12-06, Thuban wrote:
> > * Thuban le [02-12-2018 19:16:09 +0100]:
> >> [...]
> >> Here is the pf.conf on B (at least a small part of it)
> >>
> >> pass out on egress \
> >>         from any to any tagged IKED \
> >>         nat-to (egress)
> >>
> >
> > I'm still stuck at the same point.
> > Can someone give me an example of a working configuration natting to
> > Internet?
>
> I used this,
>
> pass in on enc0 inet from $some_net
> pass out quick on egress inet received-on enc0 nat-to $some_address
>
> Also I don't remember what you've already said you checked, but
> make sure you have sysctl net.inet.ip.forwarding=1.
>

Thank you.
Yes, I do have ip.forwarding=1.

I'm confused how to replace "$some_address". Isn't it "(egress)" ?

Regards.
Re: iked : pf.conf rule for outgoing traffic
On 2018-12-06, Thuban wrote:
> * Thuban le [02-12-2018 19:16:09 +0100]:
>> Hi,
>> I need help to write a correct rule in pf.conf.
>>
>> I want :
>>
>> A -> B --> web
>>
>> The appearing IP of A is B's one on the web.
>>
>> [...]
>>
>> But I can't reach internet from A through B.
>>
>> Here is the pf.conf on B (at least a small part of it)
>>
>> pass out on egress \
>>         from any to any tagged IKED \
>>         nat-to (egress)
>>
>
> I'm still stuck at the same point.
> Can someone give me an example of a working configuration natting to
> Internet?

I used this,

pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address

Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.
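A fuller /etc/pf.conf for gateway B built around the two rules in that reply, added here as an illustration and not taken from the thread or from any poster. It adds the rules that let IKE and ESP reach iked on B in the first place, uses a default-deny policy so every permitted path is explicit, keys the enc0 rule to the IKED tag that the iked.conf in this thread sets, and shows the "(egress)" form of nat-to that the "$some_address" question elsewhere in the thread is about. The roadwarrior_net macro, the /24 prefix, the "block log all" policy and the interface names are assumptions.

```pf
# /etc/pf.conf on gateway B  (added example, not from the thread)

# Assumption: the prefix behind roadwarrior A.  Adjust to taste.
roadwarrior_net = "192.168.100.0/24"

# Prerequisite outside pf: the gateway must route between interfaces.
#   sysctl net.inet.ip.forwarding=1     (persist in /etc/sysctl.conf)
# Without it, decapsulated packets never get as far as the nat-to rule.

set skip on lo

# Default-deny (assumed policy) so that nothing reaches the Internet
# unless a rule below says so; logged for troubleshooting with tcpdump
# on pflog0.
block log all

# IKEv2 negotiation and NAT-traversal to iked on B: UDP/500 and UDP/4500.
# ESP (IP protocol 50) is also needed when the peer is not behind a NAT.
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp from any to (egress)

# After the kernel has decrypted ESP, the inner packets show up on enc0
# and carry the pf tag that "tag IKED" in iked.conf attaches, so the rule
# can be limited to that tunnel instead of to "any".
pass in on enc0 inet from $roadwarrior_net tagged IKED

# Source-NAT the tunnel traffic on the way out.  "received-on enc0" only
# matches packets that arrived through the tunnel, so ordinary traffic
# from B's own LAN is not pulled into this rule.  "(egress)" makes pf
# follow the egress interface's address if it changes; writing a fixed
# address instead (as in "nat-to $some_address") pins the translation to
# that one IP and ignores later address changes.
pass out quick on egress inet received-on enc0 nat-to (egress)

# The gateway's own outbound traffic.
pass out on egress
```

Load it with pfctl -f /etc/pf.conf after a syntax check with pfctl -nf /etc/pf.conf; ipsecctl -sf on B shows whether the flows iked negotiated cover the roadwarrior prefix, and pfctl -ss should show a state on egress with the translated source once A sends traffic.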
Re: iked : pf.conf rule for outgoing traffic
* Thuban le [02-12-2018 19:16:09 +0100]:
> Hi,
> I need help to write a correct rule in pf.conf.
>
> I want :
>
> A -> B --> web
>
> The appearing IP of A is B's one on the web.
>
> I managed to configure iked on A and B using default pubkeys according
> to Stuart Henderson's advice.
>
> [...]
>
> Auth works as expected :
>
> # iked -vvd
> ..
> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500
> policy 'policy1'
> ..
>
>
> But I can't reach internet from A through B.
>
> Here is the pf.conf on B (at least a small part of it)
>
> pass out on egress \
>         from any to any tagged IKED \
>         nat-to (egress)
>

I'm still stuck at the same point.
Can someone give me an example of a working configuration natting to
Internet?

Regards.
iked : pf.conf rule for outgoing traffic
Hi,
I need help to write a correct rule in pf.conf.

I want :

A -> B --> web

The appearing IP of A is B's one on the web.

I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson's advice.

iked.conf on A :

ikev2 active ipcomp esp \
        from 192.168.100.0/16 to 0.0.0.0/0 \
        peer "xx.xx.xx.xx" \
        srcid "m...@moria.lan" \
        dstid "B-hostname.tld" \
        tag IKED

iked.conf on B :

ikev2 "warrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local xx.xx.xx.xx peer any \
        srcid "B-hostname.tld" \
        tag IKED

Auth works as expected :

# iked -vvd
...
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
...

But I can't reach internet from A through B.

Here is the pf.conf on B (at least a small part of it)

pass out on egress \
        from any to any tagged IKED \
        nat-to (egress)

I guess the issue is in my pf.conf. What do you think ?
Any advice?

Regards.

-- 
thuban