Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-22 Thread Johan Hattne
Not sure I quite understand this setup. Why redirect over port 9222 on the client—can’t you just do “pass in … rdr-to 192.168.6.1 port ssh” on the server? That said, I do believe you’ll need NAT on the server, because it’s now masquerading its own 192.168.5.0/24 network as well as the

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-21 Thread Denis
I can successfully ping both sides of the IPsec tunnel:
server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icpm_seq...
client$ ping -I 192.158.6.1 192.168.5.1
64 bytes from 192.168.6.1 icpm_seq...\
tcpdump -en -i pflog0 shows nothing about blocked traffic while connecting by "external

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Johan Hattne
I don’t know that outgoing traffic from lo is expected to go through the tunnel. If you’re doing these tests with ping, does e.g. server$ ping -I 192.168.6.1 192.168.5.1 yield the expected results? I’d expect ping responses, and tcpdump on the enc interfaces on both sides to show both the

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Denis
I have added to /etc/pf.conf:
$ipsec_if = "axen0"
$ipsec_remote_lan = "192.168.5.0/24"
pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
but outgoing traffic from client's lo0 is blocked anyway:
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S >

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-14 Thread Denis
Incoming connections to client's IP (192.168.6.1) are established and seem redirected to lo0:port, but outgoing connection from client's lo0 to a server's IP (192.168.5.1) is blocked according to # tcpdump -en -i pflog0 output:
... rule 14/(match) block out on axen0: 127.0.0.1:port >

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-13 Thread Johan Hattne
Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong. What about logging blocked packets block log (all, to pflog0) in pf.conf and dumping it # tcpdump -en -i pflog0 while doing what you expect should work? // Johan > On May 13, 2018, at 02:15, Denis

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-13 Thread Denis
Johan,
Do I have to remove these two rules or modify them by removing ipencap?
pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
keep state (if-bound)
On 5/12/2018 10:11 AM, Johan

Re: ikev2 All incoming/outgoing traffic over IPsec?

2018-05-12 Thread Johan Hattne
> On May 11, 2018, at 06:21, Denis wrote:
>
> Hello,
>
> I have a working ikev2 tunnel between two virtual aliased subnets. But no
> traffic over IPsec tunnel from $ext_if on server machine to $ext_if on
> client machine and vice-versa. Both machines are used in production

ikev2 All incoming/outgoing traffic over IPsec?

2018-05-11 Thread Denis
Hello, I have a working ikev2 tunnel between two virtual aliased subnets. But no traffic over IPsec tunnel from $ext_if on server machine to $ext_if on client machine and vice-versa. Both machines are used in production and firewalled by PF.
# cat /etc/hostname.em1 ###