The OpenIKED IKEv2 VPN setup consists of an OpenBSD 6.6 based remote server and a 6.6 based road warrior client with a dynamic IP. The VPN works stably even over a link behind ISP NAT with ping latency from ~750ms to ~1100ms. I hope the latency of about 1000ms can't be related to the issue, because all the tests with the VPN disconnected/connected have been made on the same ISP channel.
Any host on the LAN (192.168.0.0/24) connected to the road warrior can reach external Internet hosts only while the VPN is disconnected. If the VPN is connected, no host from the road warrior's LAN can reach any Internet host. But any LAN host can connect to the road warrior's local services listening on lo0 whether the VPN is connected or not. So I can't ping any Internet host from a host on the road warrior's LAN if the VPN is connected, but I can ping outside Internet hosts from the road warrior's localhost itself. In PF, ICMP is set from any to any, and ping works to any Internet host if the VPN is disabled. I think it can't be bound to the firewall rules; maybe timeouts of PF connection states. I'm completely not sure about it. When the VPN is connected, all the road warrior's LAN traffic is disabled for some reason; tcpdump shows requests and replies to the LAN host on enc0, but the initiator (192.168.0.5) doesn't receive any replies. I don't know why.

$ tcpdump -en -i pflog0
10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
10:12:47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply

LAN clients can reach the road warrior's localhost-bound services like DNS and proxy, and it doesn't matter whether the VPN is enabled or not, but there is no outbound traffic at all with the VPN enabled.
The road warrior client has one NAT rule in PF to translate packets to its local IP address when the VPN is disabled, and a second NAT rule to translate packets when the IKEv2 VPN is connected, like this:

pf.conf (client)

# ---NAT
match out log on enc0 inet all nat-to 10.0.1.2
match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)

# ---ICMP
# icmp-type takes a braced list
pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
        { echoreq, timex, paramprob, unreach code needfrag } keep state
pass out log inet proto icmp all

# ---Web
pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
        port {www, https} modulate state
pass out on enc0 inet proto tcp from 10.0.1.2 to any \
        port {www, https} flags S/SA modulate state
pass out on (egress) inet proto tcp from (egress) to any \
        port {www, https} flags S/SA modulate state

# ---IPsec
# IKE and NAT-T run over UDP; "port" is only valid with tcp/udp, not esp
pass in log on (egress) inet proto udp from any to (egress) port {isakmp, ipsec-nat-t}
pass out log on (egress) inet proto udp from (egress) to any port {isakmp, ipsec-nat-t} keep state
pass in log on enc0 inet proto ipencap from any to (egress) keep state (if-bound)
pass out log on enc0 inet proto ipencap from (egress) to any keep state (if-bound)
pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
# ---

/etc/sysctl.conf has net.inet.ip.forwarding=1.

I bypass all the possible SA flows from/to the road warrior's LAN in /etc/ipsec.conf, and all traffic from/to the road warrior's localhost services, so DNS works as expected (DNS listens on the road warrior's localhost and all queries are redirected by an rdr-to rule in PF).
/etc/ipsec.conf (client)

flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass

/etc/iked.conf (client)

ikev2 "road-warrior" active esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local 1.2.3.4 peer 4.3.2.1 \
        srcid roadw.vpn dstid srv.vpn \
        ikelifetime 80m lifetime 100m bytes 256m \
        tag "IKED" \
        tap "enc0"

# rcctl -f start iked (client)
iked(OK)

# ipsecctl -f /etc/ipsec.conf (client)

# ipsecctl -sa (client)
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type use
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
flow esp in from 127.0.0.1 to 127.0.0.1 type bypass
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type require
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
flow esp out from 127.0.0.1 to 127.0.0.1 type bypass

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256

/etc/iked.conf (server)

ikev2 "server" passive esp \
        from 0.0.0.0/0 to 10.0.1.0/24 \
        local 4.3.2.1 peer any \
        srcid srv.vpn \
        ikelifetime 140m lifetime 200m bytes 110m \
        tag "IKED" \
        tap "enc0"
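A small model of the flow table shown by ipsecctl -sa above, added here as an illustration (not the poster's code), to check which entry each leg of a LAN host's ping hits. It assumes the SPD prefers the most specific src/dst match and uses the post's addresses (192.168.0.5, 10.0.1.2, 8.8.8.8) as constructed input.

```python
import ipaddress

# Flow table transcribed from the ipsecctl -sa output above: (direction, src, dst, type)
FLOWS = [
    ("in",  "0.0.0.0/0",      "0.0.0.0/0",      "use"),
    ("in",  "192.168.0.0/24", "192.168.0.0/24", "bypass"),
    ("in",  "192.168.0.0/24", "127.0.0.1/32",   "bypass"),
    ("in",  "127.0.0.1/32",   "192.168.0.0/24", "bypass"),
    ("in",  "127.0.0.1/32",   "127.0.0.1/32",   "bypass"),
    ("out", "0.0.0.0/0",      "0.0.0.0/0",      "require"),
    ("out", "192.168.0.0/24", "192.168.0.0/24", "bypass"),
    ("out", "192.168.0.0/24", "127.0.0.1/32",   "bypass"),
    ("out", "127.0.0.1/32",   "192.168.0.0/24", "bypass"),
    ("out", "127.0.0.1/32",   "127.0.0.1/32",   "bypass"),
]

def lookup(direction, src, dst):
    """Most specific flow covering (src, dst) for this direction, as (src_net, dst_net, type).

    Assumption: the SPD prefers the longest combined src+dst prefix, so a /24
    bypass entry wins over the 0.0.0.0/0 require/use entry. None if nothing matches.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = None, -1
    for fdir, fsrc, fdst, ftype in FLOWS:
        sn, dn = ipaddress.ip_network(fsrc), ipaddress.ip_network(fdst)
        plen = sn.prefixlen + dn.prefixlen
        if fdir == direction and s in sn and d in dn and plen > best_len:
            best, best_len = (fsrc, fdst, ftype), plen
    return best

def trace_ping(lan_host="192.168.0.5", target="8.8.8.8", nat_ip="10.0.1.2"):
    """Flow type hit at each stage of an echo request from a LAN host behind the road warrior.

    Stage 3 models the decrypted reply after pf has reversed the enc0 NAT
    (dst nat_ip -> lan_host) and the router forwards it toward the LAN,
    which causes one more outbound SPD lookup on (target, lan_host).
    """
    return [
        ("request out", lookup("out", lan_host, target)[2]),
        ("reply in (decrypted)", lookup("in", target, nat_ip)[2]),
        ("reply out to LAN", lookup("out", target, lan_host)[2]),
    ]

if __name__ == "__main__":
    for stage, ftype in trace_ping():
        print(f"{stage:22} -> {ftype}")
    # Contrast: a reply from a localhost-bound service (DNS, proxy) to the same LAN host
    print(f"{'local service reply':22} -> {lookup('out', '127.0.0.1', '192.168.0.5')[2]}")
```

With these entries, the decrypted reply forwarded back toward 192.168.0.5 from 8.8.8.8 lands on the 0.0.0.0/0 require flow, because only sources in 192.168.0.0/24 and 127.0.0.1 have bypass entries toward the LAN, whereas a reply from a localhost-bound service hits a bypass entry.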