-----Original Message-----
From: owner-m...@openbsd.org <owner-m...@openbsd.org> 
Sent: Thursday, 4 November 2021 7:50 AM
To: misc@openbsd.org
Subject: Encrypt traffic using one interface

set skip on lo
set skip on enc0
match in all scrub (no-df)

block return
block in from { $ipv4_exthost, $ipv6_exthost }
block in quick on egress from $localIPs
block out quick on egress to $localIPs
block in quick from <abusive_hosts>

pass in on $int_if proto udp from 192.168.1.2 to 192.168.1.1 port 500
pass out on $int_if proto udp from 192.168.1.1 to 192.168.1.2 port 500
pass in on $int_if proto esp from 192.168.1.2 to 192.168.1.1
pass out on $int_if proto esp from 192.168.1.1 to 192.168.1.2
[...]

----

The above should work. It appears that your IKE session is working correctly
(I usually stick with the defaults). Things to try would be placing a
'quick' in your udp/esp rules in the event that there is some rule below it
that we can't see, causing a different outcome. Also, your 'block' above
that rule is pretty aggressive and we have no idea what is in your macros or
table. What happens if you add to these existing rules 'port { 500, 4500 }'?
I know NAT isn't involved here between the two hosts, but I have been
surprised where I haven't used any NAT but still see 4500 traffic for some
reason.

Jason.
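For reference, here is what the poster's IKE/ESP rules look like with both suggestions above applied ('quick' on the pass rules and udp port { 500, 4500 }). This is an added example, not from the original thread; the interface name and macro names are assumed.

```pf
# Added example: the IKE/ESP pass rules from the quoted pf.conf with
# Jason's suggestions applied. Macro names and "em1" are assumptions.
int_if    = "em1"
local_gw  = "192.168.1.1"
peer      = "192.168.1.2"
ike_ports = "{ 500, 4500 }"   # 500 = IKE, 4500 = NAT-T (UDP-encapsulated ESP)

set skip on lo
set skip on enc0              # traffic decapsulated from IPsec is not filtered
match in all scrub (no-df)

block return
# ... the original 'block' rules for egress, $localIPs and <abusive_hosts>
# stay here. Note: a 'block ... quick' above still wins for anything it
# matches, so make sure $peer is not covered by those macros or the table.

# IKE in both directions. 'quick' makes these first-match rules, so no
# later rule in the file can silently override them.
pass in  quick on $int_if proto udp from $peer     to $local_gw port $ike_ports
pass out quick on $int_if proto udp from $local_gw to $peer     port $ike_ports

# ESP, the encrypted payload between the two hosts.
pass in  quick on $int_if proto esp from $peer     to $local_gw
pass out quick on $int_if proto esp from $local_gw to $peer
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` / `tcpdump -ni enc0` to confirm that the udp/esp states are being created and traffic is actually being decapsulated.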
