Not sure I quite understand this setup. Why redirect over port 9222 on the client—can’t you just do “pass in … rdr-to 192.168.6.1 port ssh” on the server? That said, I do believe you’ll need NAT on the server, because it’s now masquerading its own 192.168.5.0/24 network as well as the 192.168.6.0/24 network of the client.
// Johan

> On May 21, 2018, at 05:11, Denis <den...@mindall.org> wrote:
>
> I can successfully ping both sides of IPsec tunnel:
>
> server$ ping -I 192.168.5.1 192.168.6.1
> 64 bytes from 192.168.6.1 icpm_seq...
>
> client$ ping -I 192.158.6.1 192.168.5.1
> 64 bytes from 192.168.6.1 icpm_seq...
>
> tcpdump -en -i pflog0
> shows nothing about blocked traffic while connecting by "external machine"
>
> I tried to do external connection to server's public IP (a.b.c.d) and
> redirect this connection by PF through IPsec tunnel to client's IPsec IP:
> 192.168.6.1. Then client's PF rules redirect connection from server's
> IPsec IP: 192.168.5.1 to a client's 127.0.0.1 and must reply to external
> machine from a.b.c.d
>
> My test conditions:
>
> external machine
> #ssh -p 9922 to a.b.c.d
> |
> |
> server's public IP is a.b.c.d
> PF rule:
> pass in quick on a.b.c.d inet proto tcp from any to (a.b.c.d) \
> port 9922 rdr-to 192.168.6.1 queue (ssh_bulk, ssh_login)
> ||
> ||
> IPsec tunnel (working):
> srv IP: 192.168.5.1
> clnt IP: 192.168.6.1
> ||
> ||
> client's PF rule:
> pass in quick on enc0 inet proto tcp from any to any port 9922 rdr-to
> lo0 port 22 modulate state
>
> Incoming packets from "external machine" with SSH client seem to be
> redirected to client's 127.0.0.1 port 22, but client does not reply to the
> "external machine".
>
> It seems I have to implement NAT rule for IPsec or what?
>
> Please advise.
>
> Denis
>
>
> On 5/15/2018 5:12 AM, Johan Hattne wrote:
>> I don’t know that outgoing traffic from lo is expected to go through the
>> tunnel. If you’re doing these tests with ping, does e.g.
>>
>> server$ ping -I 192.168.6.1 192.168.5.1
>>
>> yield the expected results? I’d expect ping responses, and tcpdump on the
>> enc interfaces on both sides to show both the request and the response.
>>
>> // Johan
>>
>>> On May 14, 2018, at 07:34, Denis <den...@mindall.org> wrote:
>>>
>>> I have added to /etc/pf.conf:
>>>
>>> $ipsec_if = "axen0"
>>> $ipsec_remote_lan = "192.168.5.0/24"
>>>
>>> pass out quick on $ipsec_if proto tcp from lo0 to $ipsec_remote_lan
>>>
>>> but outgoing traffic from client's lo0 is blocked anyway:
>>>
>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>>
>>> Denis
>>>
>>> On 5/14/2018 2:17 PM, Denis wrote:
>>>> Incoming connections to client's IP (192.168.6.1) are established and
>>>> seem redirected to lo0:port, but outgoing connection from client's lo0
>>>> to a server's IP (192.168.5.1) is blocked according to
>>>>
>>>> # tcpdump -en -i pflog0 output:
>>>>
>>>> ...
>>>> rule 14/(match) block out on axen0: 127.0.0.1:port > 192.168.5.1:port: S
>>>> 776927979:776927979(0) ack 896868769 win 16384 <mss...
>>>> ...
>>>>
>>>> Do I need to add a NAT rule to have reply passed to server's source IP
>>>> (192.168.5.1) or what?
>>>>
>>>> Thanks.
>>>>
>>>> Denis
>>>>
>>>>
>>>> On 5/13/2018 7:12 PM, Johan Hattne wrote:
>>>>> Nah, sorry, I misread your rules—on second look, I don’t see what’s gone
>>>>> wrong. What about logging blocked packets
>>>>>
>>>>> block log (all, to pflog0)
>>>>>
>>>>> in pf.conf and dumping it
>>>>>
>>>>> # tcpdump -en -i pflog0
>>>>>
>>>>> while doing what you expect should work?
>>>>>
>>>>> // Johan
>>>>>
>>>>>> On May 13, 2018, at 02:15, Denis <den...@mindall.org> wrote:
>>>>>>
>>>>>> Johan,
>>>>>>
>>>>>> Do I have to remove these two rules or modify them by removing ipencap?
>>>>>>
>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>> keep state (if-bound)
>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>> keep state (if-bound)
>>>>>>
>>>>>> On 5/12/2018 10:11 AM, Johan Hattne wrote:
>>>>>>>
>>>>>>>> On May 11, 2018, at 06:21, Denis <den...@mindall.org> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have working ikev2 tunnel between two virtual aliased subnets. But no
>>>>>>>> traffic over IPsec tunnel from $ext_if on server machine to $ext_if on
>>>>>>>> client machine and vice-versa. Both machines are used in production
>>>>>>>> and firewalled by PF.
>>>>>>>>
>>>>>>>> ------------------------
>>>>>>>> # cat /etc/hostname.em1
>>>>>>>> ### server $ext_if
>>>>>>>> dhcp
>>>>>>>> alias 192.168.5.1 255.255.255.0
>>>>>>>> ------------------------
>>>>>>>> |
>>>>>>>> | IPsec
>>>>>>>> |
>>>>>>>> ------------------------
>>>>>>>> # cat /etc/hostname.axen0
>>>>>>>> ### client $ext_if
>>>>>>>> dhcp
>>>>>>>> alias 192.168.6.1 255.255.255.0
>>>>>>>> ------------------------
>>>>>>>>
>>>>>>>> I can ping each 'end' of IPsec virtual subnets from both sides of tunnel
>>>>>>>> (after IP assigned to both gateways by ISP's dhcp), but no traffic
>>>>>>>> though.
>>>>>>>>
>>>>>>>> server# ping 192.168.6.1
>>>>>>>> 64 bytes from 192.168.6.1: icmp_seq=0 ttl=255 time 1.064 ms
>>>>>>>> ...
>>>>>>>> client# ping 192.168.5.1
>>>>>>>> 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time 0.785 ms
>>>>>>>> ...
>>>>>>>>
>>>>>>>> The final goal is: All incoming traffic on server's $ext_if = "em1" for
>>>>>>>> selected ports 25, 443, 465, 993 etc. must be redirected from aliased
>>>>>>>> server's IP:192.168.5.1 through IPsec tunnel to appropriate services on
>>>>>>>> aliased client's IP:192.168.6.1. So client can reply to incoming
>>>>>>>> connections to remote server's via IPsec lan.
>>>>>>>>
>>>>>>>> No routing is needed between server's / client's 'real' private LANs.
>>>>>>>> Because of that I've decided to use aliased virtual lans for IPsec
>>>>>>>> tunneling. But I'm not sure about correctness of this.
>>>>>>>>
>>>>>>>> server# cat /etc/iked.conf
>>>>>>>> gw_ip = "em1"
>>>>>>>> local_lan = "192.168.5.0/24" # server side virtual subnet alias to em1 \
>>>>>>>> which obtain an address from dhcp
>>>>>>>> remote_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>>> which obtain an address from dhcp too.
>>>>>>>> mode = "passive"
>>>>>>>>
>>>>>>>> ikev2 "pki-srv" $mode ipcomp esp \
>>>>>>>> from $local_lan to $remote_lan \
>>>>>>>> local $gw_ip peer any \
>>>>>>>> srcid srv-pubkey dstid clnt-pubkey \
>>>>>>>> tag "srv.tld.ipsec"
>>>>>>>> tap "enc0"
>>>>>>>>
>>>>>>>> server# cat /etc/pf.conf
>>>>>>>> ...
>>>>>>>> ext_if = em1
>>>>>>>> ipsec_if = em1
>>>>>>>> ipsec_enc_if = enc0
>>>>>>>> ipsec_local_lan = "192.168.5.0/24"
>>>>>>>> ipsec_remote_lan = "192.168.6.0/24"
>>>>>>>> ...
>>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>>>> ...
>>>>>>>> block on $ext_if all
>>>>>>>> block on $ipsec_enc_if all
>>>>>>>> ...
>>>>>>>>
>>>>>>>> # --- IPsec
>>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>>> pass out quick on $ipsec_if proto exp from ($ipsec_if) to any \
>>>>>>>> keep state set queue ipsec
>>>>>>>>
>>>>>>>> pass out quick on $ipsec_if tagged srv.tld.ipsec set queue ipsec_users
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>>> keep state (if-bound)
>>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>>> keep state (if-bound)
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> client# cat /etc/iked.conf
>>>>>>>> gw_ip = "axen0"
>>>>>>>> local_lan = "192.168.6.0/24" # client virtual subnet alias to axen0 \
>>>>>>>> which obtain an address from dhcp
>>>>>>>> remote_lan = "192.168.5.0/24" #server side virtual subnet alias to em0 \
>>>>>>>> which obtain an address from dhcp
>>>>>>>> srv_ip = "a.b.c.d" #server's IP each time is the same from ISP's dhcp
>>>>>>>> mode = "active"
>>>>>>>>
>>>>>>>> ikev2 "pki-clnt" $mode ipcomp esp \
>>>>>>>> from $local_lan to $remote_lan \
>>>>>>>> local $gw_ip to $srv_ip \
>>>>>>>> crcid clnt-pubkey dstid srv-pubkey \
>>>>>>>> tag "clnt.tld.ipsec"
>>>>>>>> tap "em0"
>>>>>>>>
>>>>>>>> client# cat /etc/pf.conf
>>>>>>>> ...
>>>>>>>> ext_if = axen0
>>>>>>>> ipsec_if = axen0
>>>>>>>> ipsec_enc_if = enc0
>>>>>>>> ipsec_local_lan = "192.168.6.0/24"
>>>>>>>> ipsec_remote_lan = "192.168.5.0/24"
>>>>>>>> ...
>>>>>>>> queue rootq on $ext_if bandwidth 100M max 100M
>>>>>>>> queue ipsec parent rootq bandwidth 90M min 70M max 100M
>>>>>>>> queue ipsec_users parent rootq bandwidth 50M min 30M max 60M
>>>>>>>> queue bulk parent rootq bandwidth 10M default
>>>>>>>> ...
>>>>>>>> block on $ext_if all
>>>>>>>> block on $ipsec_enc_if all
>>>>>>>> ...
>>>>>>>>
>>>>>>>> # --- IPsec
>>>>>>>> pass in quick on $ipsec_if proto udp from any to ($ipsec_if) port \
>>>>>>>> {isakmp, ipsec-nat-t}
>>>>>>>> pass out quick on $ipsec_if proto udp from ($ipsec_if) to any port \
>>>>>>>> {isakmp, ipsec-nat-t} keep state
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_if proto esp from any to ($ipsec_if)
>>>>>>>> pass out quick on $ipsec_if proto exp from ($ipsec_if) to any \
>>>>>>>> keep state set queue ipsec
>>>>>>>>
>>>>>>>> pass out quick on $ipsec_if tagged clnt.tld.ipsec set queue ipsec_users
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_enc_if proto ipencap from any to ($ipsec_if) \
>>>>>>>> keep state (if-bound)
>>>>>>>> pass out quick on $ipsec_enc_if proto ipencap from ($ipsec_if) to any \
>>>>>>>> keep state (if-bound)
>>>>>>>>
>>>>>>>> pass in quick on $ipsec_enc_if from $ipsec_remote_lan to \
>>>>>>>> $ipsec_local_lan keep state (if-bound)
>>>>>>>> pass out quick on $ipsec_enc_if from $ipsec_local_lan to \
>>>>>>>> $ipsec_remote_lan keep state (if-bound)
>>>>>>>> ...
>>>>>>>>
>>>>>>>> I think it can be something wrong in PF configuration or
>>>>>>>> missed/unfinished touching IPsec traffic filtering.
>>>>>>>>
>>>>>>>> Please advise.
>>>>>>>
>>>>>>> Do you not need a “proto ipencap” on the last two pass-rules that
>>>>>>> permit traffic between your LANs?
>>>>>>>
>>>>>>> // Johan
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
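The two points in Johan's reply at the top of the thread (do the port rewrite with `rdr-to ... port ssh` on the server, and source-NAT the redirected flow so the client answers into the tunnel) as an added pf.conf example. This is not configuration from the thread and not an excerpt from the OpenBSD documentation; the macro values, the `(if-bound)` choice and the assumption that the client's sshd listens on 192.168.6.1 are mine, and a.b.c.d is the thread's placeholder for the server's public address.

```pf
# Added example (not the poster's configuration): server-side /etc/pf.conf
# fragment for the SSH test case in the thread. Macro names follow the
# thread's conventions; the values are assumptions.
ext_if        = "em1"            # server's public interface (a.b.c.d via dhcp)
ipsec_enc_if  = "enc0"
ipsec_local   = "192.168.5.1"    # server's tunnel-side alias
ipsec_remote  = "192.168.6.1"    # client's tunnel-side alias
ssh_ext_port  = "9922"           # port published on a.b.c.d

# 1. Redirect a.b.c.d:9922 to the client's tunnel address and rewrite the
#    port to 22 here, so the client needs no rdr-to of its own (Johan's
#    first point). The state is bound to em1 so that the enc0 rule below
#    is evaluated on its own rather than being satisfied by this state.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port $ssh_ext_port rdr-to $ipsec_remote port ssh keep state (if-bound)

# 2. Source-NAT the redirected flow as it leaves through enc0 (Johan's
#    second point). The client then sees 192.168.5.1 as the peer; that
#    address lies inside the IPsec flow 192.168.6.0/24 <-> 192.168.5.0/24,
#    so its reply is routed back into the tunnel instead of towards the
#    external machine's address, which the tunnel does not cover. PF
#    reverses both translations on the reply path.
pass out quick on $ipsec_enc_if inet proto tcp from any to $ipsec_remote \
    port ssh nat-to $ipsec_local keep state (if-bound)

# Client side (/etc/pf.conf on the client, sshd bound to 192.168.6.1):
# pass in quick on enc0 inet proto tcp from 192.168.5.1 to 192.168.6.1 \
#     port ssh keep state (if-bound)
#
# Checks after 'pfctl -f /etc/pf.conf' and an 'ssh -p 9922 a.b.c.d' from
# outside: 'pfctl -s states' on the server should list one em1 state with
# the 9922 -> 192.168.6.1:22 redirect and one enc0 state with the
# nat-to 192.168.5.1 translation; 'tcpdump -ni enc0 port 22' on both
# ends should show 192.168.5.1 <-> 192.168.6.1 in both directions.
```

Keeping the per-interface `(if-bound)` states matches how the thread's enc0 rules are already written and makes the translation steps explicit, one per hop. If the client's sshd only listens on 127.0.0.1, a client-side `rdr-to lo0` would again produce replies sourced from 127.0.0.1, which is the blocked flow the earlier tcpdump output in the thread shows; binding the daemon to the tunnel address (ListenAddress in sshd_config) avoids that extra translation.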