Hi all, I am trying to configure an IPsec tunnel (host-to-host) between two hosts that go through an OpenBSD firewall. The tunnel is established, but when I try to, for example, connect via SSH from one host to the other, pf blocks the traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)

Any idea?
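An added pf.conf fragment (example only, not from the original post) showing rules that cover what the log reports: the blocked packets are ESP (IP protocol 50) leaving on vio0, while the posted rules are "pass in" only, with if-bound states that never match on another interface. It assumes the firewall forwards between the two hosts, that 172.22.55.2 sits behind vio0, and that IKE uses UDP 500/4500; adjust if the real setup differs.

```pf
# Added example, not the poster's configuration. Assumptions: the firewall
# routes between the two hosts, 172.22.55.2 is reached via vio0, and IKE
# runs on UDP 500 (4500 only when NAT traversal is in play).
tun_a = "172.22.55.2"
tun_b = "172.22.59.6"

# IKE negotiation between the two endpoints, both directions through the box.
pass in  quick inet proto udp from $tun_a to $tun_b port { 500, 4500 } keep state
pass in  quick inet proto udp from $tun_b to $tun_a port { 500, 4500 } keep state
pass out quick on vio0 inet proto udp from $tun_b to $tun_a port { 500, 4500 } keep state

# ESP carries the encrypted SSH session. It has no TCP flags to match and
# was logged as "block out on vio0", a direction the original "pass in ...
# (if-bound)" rules do not cover, so it gets explicit in and out rules.
# Floating state (the default without "if-bound") lets the inbound state
# also match the forwarded packet on the outbound interface.
pass in  quick inet proto esp from $tun_a to $tun_b keep state
pass in  quick inet proto esp from $tun_b to $tun_a keep state
pass out quick on vio0 inet proto esp from $tun_b to $tun_a keep state
```

Check the rule that actually fires with `pfctl -vvsr` (rule numbers in pflog output match that listing) and confirm the new rules are matched with `pfctl -sr -vv | grep -A1 esp` after `pfctl -f /etc/pf.conf`.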