I can even ping any Internet host from the road warrior's LAN interface when iked is connected:

$ ping -I 192.168.0.1 remote_host.com -> works as it should

But there is no traffic from the 192.168.0.10 host except successful DNS queries/responses from/to the Road Warrior's local DNS resolver.

$ telnet remote_host.com 80 -> from the 192.168.0.10 LAN host always fails.

I can see ACKs from remote_host.com 80 from IPsec virtual 10.0.1.2 to 192.168.0.10:80, but no connection.

All traffic goes through the Road Warrior's global VPN NAT rule when the VPN is connected:

match out log on enc0 inet all nat-to 10.0.1.2

OR through egress when the VPN is disconnected:

match out log on egress from {lo0, 192.168.0.0/24} to any nat-to (egress:0)

# Outgoing www, https traffic
pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
    port {www, https} modulate state
pass out on enc0 inet proto tcp from 10.0.1.2 to any \
    port {www, https} flags S/SA modulate state
pass out on (egress) inet proto tcp from (egress) to any \
    port {www, https} flags S/SA modulate state

When the Road Warrior's VPN is disconnected, any LAN client can connect to any Internet host as usual.

Please advise.

Martin

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 3, 2020 9:03 PM, Martin Got <martin...@protonmail.com> wrote:

> The OpenIKED IKEv2 VPN setup consists of an OpenBSD-6.6 based remote server and a 6.6 based road warrior client with a dynamic IP. The VPN works stably even using a link behind ISP NAT with ping latency from ~750ms to ~1100ms. I hope latency of about 1000ms can't be related to the issue because all the tests with disconnected/connected VPN have been made on the same ISP channel.
>
> Any of the hosts from the LAN (192.168.0.0/24) connected to the road warrior can reach external Internet hosts with the VPN disconnected only.
>
> If the VPN is connected, no host from the road warrior's LAN can reach any Internet host. But any LAN host can connect to the road warrior's local services listening on lo0 whether the VPN is connected or not.
> So I can't ping any Internet host from a road warrior's LAN host if the VPN is connected, but I can ping outside Internet hosts from the road warrior's localhost itself. In PF, ICMP is set from any to any and ping works to any Internet host if the VPN is disabled. I think it can't be bound to firewall rules, maybe timeouts of PF connection states. I'm completely not sure about it.
>
> When the VPN is connected, all the road warrior's LAN traffic is disabled for some reason; tcpdump shows requests and replies to the LAN host on enc0 but the initiator (192.168.0.5) doesn't receive any replies. I don't know why?
>
> $ tcpdump -en -i pflog0
> 10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10:12:43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10:12:44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
> 10:12:47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
>
> LAN clients can reach the road warrior's localhost-bound services like DNS and proxy, and it doesn't matter whether the VPN is enabled or not, but there is no outbound traffic with the VPN enabled.
> > Road warrior client has one NAT in PF to transmit packets from it's local IP > address when VPN is > disabled, and second NAT rule to transmit packets when IKEv2 VPN is connected > like: > > $ pf.conf (client) > > ---NAT > > ======= > > match out log on enc0 inet all nat-to 10.0.1.2 > match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0) > > ---ICMP > > ======== > > pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \ > echoreq, timex, paramprob, unreach code needfrag keep state > pass out log inet proto icmp all > > ---Web > > ======= > > pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \ > port {www, https} modulate state > pass out on enc0 inet proto tcp from 10.0.1.2 to any \ > port {www, https} flags S/SA modulate state > pass out on (egress) inet proto tcp from (egress) to any \ > port {www, https} flags S/SA modulate state > > ---IPsec > > ========= > > pass in log on (egress) inet proto esp from any to (egress) port {isakmp, > ipsec-nat-t} > pass out log on (egress) inet proto udp from (egress) to any port {isakmp, > ipsec-nat-t} keep state > > pass in log on enc0 inet proto ipencap from any to (egress) keep state > (if-bound) > pass out log on enc0 inet proto ipencap from (egress) to any keep state > (if-bound) > > pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound) > pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound) > > --- > > ==== > > /etc/sysctl.conf has > > ===================== > > net.inet.ip.forwarding=1 > > I bypass all the possible SA flows from/to road warrior's LAN in > /etc/ipsec.conf, and all traffic > from/to road warrior's localhost services so DNS works as expected (DNS > listens on road warrior's > localhost and all queries were redirected by rdr-to rule in PF). 
> $ /etc/ipsec.conf (client)
> flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
> flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
> flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
> flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass
>
> $ /etc/iked.conf (client)
> ikev2 "road-warrior" active esp \
>     from 0.0.0.0/0 to 0.0.0.0/0 \
>     local 1.2.3.4 peer 4.3.2.1 \
>     srcid roadw.vpn dstid srv.vpn \
>     ikelifetime 80m lifetime 100m bytes 256m \
>     tag "IKED" \
>     tap "enc0"
>
> rcctl -f start iked (client)
> =============================
>
> iked(OK)
>
> ipsecctl -f /etc/ipsec.conf (client)
> =====================================
>
> ipsecctl -sa (client)
> ======================
>
> FLOWS:
> flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type use
> flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp in from 127.0.0.1 to 127.0.0.1 type bypass
>
> flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type require
> flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp out from 127.0.0.1 to 127.0.0.1 type bypass
>
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256
>
> /etc/iked.conf (server)
> ========================
>
> ikev2 "server" passive esp \
>     from 0.0.0.0/0 to 10.0.1.0/24 \
>     local 4.3.2.1 peer any \
>     srcid srv.vpn \
>     ikelifetime 140m lifetime 200m bytes 110m \
>     tag "IKED" \
>     tap "enc0"
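Editor's note, not part of the thread: the posted pflog lines give a reading of the symptom that is worth checking before touching PF timeouts. The reply 8.8.8.8 -> 10.0.1.2 comes in on enc0, PF translates it back to 192.168.0.5 and the kernel forwards it; that forwarded packet (source 8.8.8.8, destination 192.168.0.5) is covered by the catch-all "flow esp out from 0.0.0.0/0 to 0.0.0.0/0 ... type require" that iked installed, and by none of the four bypass flows (they only cover LAN-to-LAN and LAN-to-127.0.0.1). So the reply is handed to enc0 again, where "match out on enc0 inet all nat-to 10.0.1.2" rewrites it, which is exactly the "match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply" seen on pflog0, and the same would explain the TCP ACKs from 10.0.1.2 to 192.168.0.10:80 in the follow-up mail. This is an assumption drawn from the posted output, not a verified fix. The ipsec.conf below is an added example, not the poster's file: it keeps the four flows from the thread and adds one outbound bypass flow that is more specific than the catch-all, so the SPD prefers it for anything forwarded towards the LAN.

```conf
# Added example for the road warrior's /etc/ipsec.conf (not the file from
# the thread). Addresses are the ones used in the thread.
#
# Assumption behind the extra flow: a reply whose source is an Internet
# host and whose destination is a LAN host matches the 0.0.0.0/0 ->
# 0.0.0.0/0 "require" flow installed by iked and is therefore sent back
# into the tunnel (and NATed to 10.0.1.2 by the enc0 match rule) instead
# of being delivered on 192.168.0.1.

# Flows already posted in the thread: loopback and LAN stay in the clear.
flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass

# Added: anything this router forwards *to* the LAN, whatever its source,
# must leave in the clear, never through the tunnel. "out" restricts the
# flow to the outbound direction so the inbound 0.0.0.0/0 -> 0.0.0.0/0
# "use" flow is left as it was. Being more specific than the catch-all
# require flow, this entry wins the SPD lookup for LAN destinations.
flow out from 0.0.0.0/0 to 192.168.0.0/24 type bypass
```

Load it with "ipsecctl -f /etc/ipsec.conf" while the tunnel is up and confirm with "ipsecctl -sf" that "flow esp out from 0.0.0.0/0 to 192.168.0.0/24 type bypass" is listed next to the require flow. If the reading above is right, a ping from 192.168.0.5 will then show only the echo request on enc0 in "tcpdump -eni pflog0", and the echo reply will no longer appear there as "10.0.1.2 > 192.168.0.5". LAN-originated traffic to the Internet is unaffected: it still matches the require flow on the way out and is still NATed to 10.0.1.2 on enc0, because the new flow only covers packets whose destination is the LAN.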