2 avril 2017 11:49 "Comète" <com...@daknet.org> a écrit: >> On 03/28, Comète wrote: > > Hi, > > I'm trying to build an IPSEC encrypted tunnel that works as a bridge. For > this, I use isakmpd and etherip, vether, bridge interfaces. On each VPN server > (Host A and B), I've got PF running on the external interface (em2). Both > hosts run OpenBSD 6.0 stable amd64. > Host A is my main server and host B is the > client. > > Now the strange part: > > - If PF is running on each host (A and B), > UDP queries from B to A network don't work (UDP only, TCP is ok. But I can see > UDP packets with tcpdump going from B to A and coming back but they don't go > out from the interface) > > - I disable PF on Host B only with "rcctl disable pf > && reboot", all is working after reboot, all queries (dns, ntp...) are well > sent from B to A through the VPN. Now, I enable PF again without rebooting > with "pfctl -e && pfctl -f /etc/pf.conf" and it's still working. Then I start > "rcctl enable pf" and reboot, and it doesn't work anymore for UDP queries... > So to resume, if PF is started automatically at boot on host B (rcctl enable > pf) then UDP don't pass but if I start it manually (pfctl -e && pfctl -f > /etc/pf.conf), it works. > > I've tried tcpdump -nettti pflog0 during DNS/NTP > queries but I don't see anything blocked. As I said, if I try tcpdump -nettti > em0 I can even see the answer from the DNS server coming back but dig doesn't > get it. > > I just don't understand why my UDP packets don't pass, so if you have > a idea, you're welcome ;) > > thanks. > > This my setup on Host B (Host A is > similar) > > ipsec.conf: > ----------- > > ike active esp proto etherip from $local_gw > to $remote_gw \ > main auth "hmac-sha1" enc "aes-128" group modp2048 > lifetime 1800 \ > quick enc "aes-128-gcm" group modp2048 lifetime 1200 \ > srcid $local_gw > > ipsecctl -sa > ----------- > ipsecctl -sa > FLOWS: > flow esp in > proto etherip from 10.65.12.10 to 10.65.13.10 peer 10.65.12.10 srcid > 10.65.13.10/32 dstid 10.65.12.10/32 type use > flow esp out proto etherip from > 10.65.13.10 to 10.65.12.10 peer 10.65.12.10 srcid 10.65.13.10/32 dstid > 10.65.12.10/32 type require > > SAD: > esp tunnel from 10.65.13.10 to 10.65.12.10 > spi 0xd5acc570 enc aes-128-gcm > esp tunnel from 10.65.12.10 to 10.65.13.10 spi > 0xe19efd9f enc aes-128-gcm > > pf.conf: > -------- > ext_if = "em2" > int_if = > "internal" > > match in all scrub (no-df random-id max-mss 1200) > antispoof for { > $ext_if, $int_if } inet > set skip on { lo, enc, $int_if } > set loginterface > $ext_if > match out on $ext_if from any to any nat-to ($ext_if) > block log all > pass quick on em0 > > # VPN > pass in on $ext_if proto udp from any to $ext_if port > { isakmp, ipsec-nat-t } > pass out on $ext_if proto udp from $ext_if to any port > { isakmp, ipsec-nat-t } > pass in on $ext_if proto esp from any to $ext_if > pass > out on $ext_if proto esp from $ext_if to any > > /etc/hostname.bridge0: > ---------------------- > link2 > add etherip0 > add vether0 > add em0 > group "internal" > up > > /etc/hostname.etherip0 > ---------------------- > tunnel 10.65.13.10 > 10.65.12.10 > group internal > up > > /etc/hostname.vether0 > --------------------- > inet 10.14.254.35 255.255.0.0 NONE > description "Interconnexion" > group > "internal" > up > > /etc/hostname.em0 > ------------------ > up > > /etc/hostname.em2 > ------------------ > inet 10.65.13.10 255.255.255.0 NONE > description "Evil > Network" > group "external" > up > !route add -inet 10.65.12.0/24 10.65.13.1 > /etc/sysctl.conf > ---------------- > net.inet.ip.forwarding=1 > net.inet.etherip.allow=1 > > 28 mars 2017 16:40 "Scott Bonds" <sc...@ggr.com> a écrit: > >> Interesting. I may have a similar problem and was planning to post about it soon...in my case I've >> been playing with rdomains, using PF to NAT >> between them, and ikedv2. I've found that when I use ikedv2 to layer IPSEC on top of my NATing >> traffic between rdomains, TCP passes fine, UDP does not, though I can see requests and replies >> moving across enc0 (DNS requests that show the answer in the tcpdump output). So, host -T >> google.com 8.8.8.8 (TCP DNS lookup) works but host google.com 8.8.8.8 (UDP DNS lookup) does not. > > Hi, > > up ! :) > > Any idea about this problem ? Is it a bug ? Or maybe a wrong setup ? > > Thanks guys > > Morgan
Hi, i've just noticed that pf states are different when PF is enabled at boot or not. So when it is enabled at boot: all udp 10.65.13.10:56371 (10.65.13.10:4500) -> 10.65.12.10:4500 MULTIPLE:MULTIPLE (then in this case UDP requests don't work) When PF is enabled manually (pfctl -e && pfctl -f /etc/pf.conf): all esp 10.65.13.10 -> 10.65.12.10 MULTIPLE:MULTIPLE (in this case UDP works) Any idea ? does this help ? Thanks