On 2021-09-24 20:03, Peter Jeremy wrote:
I'm trying to set up an IPSEC transport connection between my home and
one of my VPS hosts.  I can successfully set up an IPv6 connection from
an internal host to the VPS but can't set up an IPv4 connection from my
firewall to that host.  I'm using openiked-portable in esp transport
mode using psk (at least for testing).

My configuration (much simplified) looks like:
Host ---- firewall ---- (internet) ---- VPS

'Host' has a public IPv6 address and I can successfully set up an IPSEC
transport connection between it and 'VPS'.

IPSEC doesn't work through NAT so I have set up an IPv4 IPSEC transport
layer from firewall to VPS.  The iked processes can exchange isakmp
packets and appear to set up the connection.  Running tcpdump on both
ends, I see:
* "ping VPS" from firewall sends ICMP packets in the clear. They arrive
  at VPS but there's no response.
* "ping firewall" from VPS sends IPSEC esp packets which arrive at
  firewall but there's no response.

Comparing the pf configurations between firewall and VPS, the main
difference is that the firewall is configured to NAT internal hosts
onto the Internet and RDR some inbound ports to internal hosts.  I
am logging blocked packets so I'm confident that pf is not blocking
the esp packets.

I've tried enabling net.inet.ipsec.debug and that generates occasional
messages like "kernel: key_acqdone: ACQ 19 is not found." but that
hasn't helped me solve the problem.

I don't understand:
a) Why outgoing ICMP packets from firewall to VPS aren't going through
   the IPSEC transport.
b) Why firewall is ignoring incoming IPSEC esp packets.

Is anyone able to help?


Hello!

I have a client with a similar config:

Fortigate Local(IPSec) <-> FreeBSD with PF <-> Internet <-> Fortigate Remote(IPSec)

In pf.conf something like this:

FORTIGATE_LOCAL=10.0.0.11
EXT_IP=192.168.0.10
# normalization
scrub in all fragment reassemble
# NAT output
nat on $IF_EXT from $FORTIGATE_LOCAL to any -> $EXT_IP
# NAT IPSEC
nat on $IF_EXT proto udp from $FORTIGATE_LOCAL port { 500, 4500 } to any -> $EXT_IP static-port
nat on $IF_EXT proto esp from $FORTIGATE_LOCAL to any -> $EXT_IP static-port
# rdr admin-fortigate
rdr pass on $IF_EXT from any to $EXT_IP -> $FORTIGATE_LOCAL
# internet output
pass out on $IF_EXT from $EXT_IP to any

I hope it's useful!
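Two properties of pf matter for a ruleset like the one above: translation (nat/rdr) rules are first-match, unlike filter rules where the last match wins, and a nat rule without static-port replaces the UDP source port, which is what the static-port rules for IKE (udp 500/4500) are meant to prevent. This added Python script (not from the thread or either poster) parses a constructed pf.conf fragment, expands its macros and simulates first-match for the IKE and ESP flows from the IPsec peer; the macro names, interface em0 and addresses are assumptions.

```python
import re
from collections import namedtuple
# Constructed pf.conf fragment (not from the thread), modelled on the reply above:
# a generic nat rule precedes the IPsec-specific rules that carry static-port.
CONSTRUCTED_PF_CONF = """\
PEER=10.0.0.11
EXT_IP=192.168.0.10
IF_EXT=em0
nat on $IF_EXT from $PEER to any -> $EXT_IP
nat on $IF_EXT proto udp from $PEER port { 500, 4500 } to any -> $EXT_IP static-port
nat on $IF_EXT proto esp from $PEER to any -> $EXT_IP static-port
"""
NAT_RE = re.compile(
    r"^nat\s+on\s+\S+(?:\s+proto\s+(?P<proto>\w+))?\s+from\s+(?P<src>\S+)"
    r"(?:\s+port\s+(?P<ports>\{[^}]*\}|\S+))?\s+to\s+\S+\s+->\s+\S+(?P<opts>.*)$")
# proto None means any protocol; an empty ports set means any source port
NatRule = namedtuple("NatRule", "text proto src ports static_port")

def parse_nat_rules(conf):
    """Expand $macros and return the nat rules in ruleset order (comments dropped)."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"(\w+)=(\S+)", line):
            macros[m[1]] = m[2]
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        if m := NAT_RE.match(line):
            ports = frozenset(re.findall(r"\d+", m["ports"] or ""))
            rules.append(NatRule(line, m["proto"], m["src"], ports, "static-port" in m["opts"]))
    return rules

def first_match(rules, peer, proto, sport=None):
    """pf applies the FIRST matching translation rule (filter rules are last-match)."""
    for r in rules:
        if r.src == peer and r.proto in (None, proto) and (not r.ports or sport in r.ports):
            return r

def ipsec_nat_findings(conf, peer):
    """List IKE/ESP flows from peer whose winning nat rule is missing or rewrites ports."""
    rules, findings = parse_nat_rules(conf), []
    for proto, sport in (("udp", "500"), ("udp", "4500"), ("esp", None)):
        flow = proto + (f"/{sport}" if sport else "")
        r = first_match(rules, peer, proto, sport)
        if r is None:
            findings.append(f"{flow}: no nat rule matches")
        elif proto == "udp" and not r.static_port:
            findings.append(f"{flow}: first match '{r.text}' rewrites the source port")
    return findings
```

On the constructed ruleset the generic rule wins for udp/500 and udp/4500, so both are reported; moving the static-port rules above it clears the findings.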
