Not sure I quite understand this setup. Why redirect over port 9222 on the
client—can’t you just do “pass in … rdr-to 192.168.6.1 port ssh” on the server?
That said, I do believe you’ll need NAT on the server, because it’s now
masquerading its own 192.168.5.0/24 network as well as the
I can successfully ping both sides of the IPsec tunnel:
server$ ping -I 192.168.5.1 192.168.6.1
64 bytes from 192.168.6.1 icpm_seq...
client$ ping -I 192.158.6.1 192.168.5.1
64 bytes from 192.168.6.1 icpm_seq...
tcpdump -en -i pflog0
shows nothing about blocked traffic while connecting by "external
I don’t know that outgoing traffic from lo is expected to go through the
tunnel. If you’re doing these tests with ping, does e.g.
server$ ping -I 192.168.6.1 192.168.5.1
yield the expected results? I’d expect ping responses, and tcpdump on the enc
interfaces on both sides to show both the
I have added to /etc/pf.conf:
ipsec_if = "axen0"
ipsec_remote_lan = "192.168.5.0/24"
pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
but outgoing traffic from client's lo0 is blocked anyway:
rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
Incoming connections to the client's IP (192.168.6.1) are established and
seem to be redirected to lo0:port, but the outgoing connection from the client's lo0
to the server's IP (192.168.5.1) is blocked according to
# tcpdump -en -i pflog0 output:
...
rule 14/(match) block out on axen0: 127.0.0.1:port >
Nah, sorry, I misread your rules—on second look, I don’t see what’s gone wrong.
What about logging blocked packets
block log (all, to pflog0)
in pf.conf and dumping it
# tcpdump -en -i pflog0
while doing what you expect should work?
// Johan
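The logging setup Johan suggests, written out as an added pf.conf fragment (not from the thread and not either poster's configuration). Interface names, the local network and the peer address are assumed placeholders; the port names isakmp and ipsec-nat-t are the standard /etc/services names for UDP 500 and 4500.

```pf
# Assumed names: replace with the real external interface and networks
ext_if = "em0"
local_lan = "192.168.6.0/24"
ipsec_remote_lan = "192.168.5.0/24"
peer = "203.0.113.1"    # placeholder peer gateway address

set skip on lo0

# Every blocked packet is logged to pflog0, so it shows up in
#   tcpdump -en -i pflog0
block log all

# IKEv2 negotiation and NAT traversal with the peer
pass in  on $ext_if proto udp from $peer to ($ext_if) port { isakmp, ipsec-nat-t }
pass out on $ext_if proto udp from ($ext_if) to $peer port { isakmp, ipsec-nat-t }

# ESP between the two gateways
pass on $ext_if proto esp from $peer to ($ext_if)
pass on $ext_if proto esp from ($ext_if) to $peer

# The IPsec wrapper is seen on enc0 as ipencap
pass in  on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to $peer keep state (if-bound)

# Cleartext traffic inside the tunnel, also on enc0
pass in  on enc0 from $ipsec_remote_lan to $local_lan
pass out on enc0 from $local_lan to $ipsec_remote_lan
```

With `block log all` in place, a connection that is expected to work but fails should produce a `block` line on pflog0 naming the rule number and interface, which is the quickest way to tell a PF problem from an IPsec flow problem.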
> On May 13, 2018, at 02:15, Denis
Johan,
Do I have to remove these two rules or modify them by removing ipencap?
pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
keep state (if-bound)
pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
keep state (if-bound)
On 5/12/2018 10:11 AM, Johan
> On May 11, 2018, at 06:21, Denis wrote:
>
> Hello,
>
> I have working ikev2 tunnel between two virtual aliased subnets. But no
> traffic over IPsec tunnel from $ext_if on server machine to $ext_if on
> client machine and vice-versa. Both machines are using in production
Hello,
I have working ikev2 tunnel between two virtual aliased subnets. But no
traffic over IPsec tunnel from $ext_if on server machine to $ext_if on
client machine and vice-versa. Both machines are using in production and
firewalled by PF.
# cat /etc/hostname.em1