Related to my iked/carp thread from 5 Mar 2025, I'm wondering
if I'm misunderstanding the intended syntax for iked.conf.
(I've changed the subject line because carp is no longer
an issue).

My understanding of the man page is that a 'skip' should
essentially act as an exclusion rule for the associated networks,
with precedence on the last matching policy, but it doesn't seem to
be working that way; the 'skip' seems to have no effect
on where the packets are sent.

My current iked.conf on FW2a and FW2b is:
======================
ikev2 'g65' default passive esp \
        proto { tcp, udp, icmp } \
        from any to 192.168.48.1 \
        from b.b.b.192/26 to any \
        local d.d.d.114 peer c.c.c.c \
        srcid g65.example.com

ikev2 'g65-local' skip \
        proto { tcp, udp, icmp } \
        from b.b.b.192/26 to b.b.b.192/26

======================

I also found that if I define more than one from/to on a skip, then
`iked -n` throws a "could not get local/peer specification" error,
which makes me wonder if the above skip is actually getting parsed
or just getting silently ignored.  Adding in a local/peer line to the
skip does not appear to change any behavior.

After disabling the urpf-failed rule in pf.conf, the current
behaviour includes the following.

======= pings that work

- from FW1 to a host on b.b.b.b/26
- from a host on b.b.b.b/26 to FW1's sec0 IP of 192.168.48.1
- from a host on b.b.b.b/26 to an external host on the internet
- from an external host to an internal host on b.b.b.b/26
- from an external host to the carp address b.b.b.193/26
- from an external host to the carp master at b.b.b.194/26

======= pings that fail

- from FW2a (master) to an internal host on b.b.b.b/26
  (packets are sent to enc0 rather than vlan5)
  
- from FW2a (master) to the carp address b.b.b.193
  (packets are sent to enc0 rather than vlan5)
  
- from FW2a (master) to the carp master at b.b.b.194
  (packets are sent to enc0 rather than vlan5)

- from a host on b.b.b.b/26 to either the carp address b.b.b.193
  or the carp master b.b.b.194. I see the packet inbound on vlan5
  but not on any other interfaces, nor in pflog0

====== net diagram, unchanged from previous thread:

ISP1 --- FW1 --- routable Net1 (a.a.a.a/26)
          |
      IPSec tunnel via upstream ISPs
          |
        ------
        |    |
        | /- |-/--- routable Net2 via ISP1 (b.b.b.b/26)
        |/   |/
      FW2a  FW2b
        |\   |\
        | \- |-\--- unroutable Net3 (multiple RFC1918 nets
        /    /      NATed to FW2 carp1, outbound through ISP2)
ISP2 --/----/

All IPs are static:

  FW1 external (vio0): c.c.c.c/29
  FW1 internal (vio1): a.a.a.1/26
  FW1 tunnel (sec0):   192.168.48.1/30

  FW2a tunnel (sec0):   192.168.48.2/30
  FW2b tunnel (sec0):   192.168.48.2/30 (yes, these are the same)
  FW2  internal (carp5): b.b.b.193/26
  FW2a internal (vlan5): b.b.b.194/26
  FW2b internal (vlan5): b.b.b.195/26
  FW2  external (carp1)  d.d.d.114/29
  FW2a external (em1)    d.d.d.115/29
  FW2b external (re1)    d.d.d.117/29

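To make the expected precedence concrete, here is a small Python model of the flow evaluation as the post reads the man page: policies walked in file order, last match wins, and a winning 'skip' policy keeps the traffic out of the tunnel. This is an added example, not iked's own policy code and not the poster's; it encodes the reading described above rather than what iked actually does, and it uses constructed addresses (203.0.113.192/26 in place of the b.b.b.192/26 placeholder, 198.51.100.7 as an external host) so that it runs offline.

```python
"""Added example (not iked's source): a small model of the flow-policy
evaluation the post describes -- policies are walked in order, the last
matching policy wins, and a matching 'skip' policy excludes the traffic from
IPsec.  It uses constructed addresses: 203.0.113.192/26 stands in for the
b.b.b.192/26 placeholder, 198.51.100.7 for an external host."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

PROTOS = frozenset({"tcp", "udp", "icmp"})   # the 'proto { tcp, udp, icmp }' list


@dataclass(frozen=True)
class Flow:
    src: Optional[IPv4Network]   # None means 'any'
    dst: Optional[IPv4Network]
    protos: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    eval_: str           # 'default', 'quick' or 'skip'
    flows: Tuple[Flow, ...]


def _net(text: str) -> Optional[IPv4Network]:
    """'any' -> None; otherwise parse an address or prefix as a network."""
    return None if text == "any" else ip_network(text, strict=False)


def flow(src: str, dst: str, protos=PROTOS) -> Flow:
    return Flow(_net(src), _net(dst), frozenset(protos))


def _covers(net: Optional[IPv4Network], addr: IPv4Address) -> bool:
    return net is None or addr in net


def flow_matches(f: Flow, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
    return proto in f.protos and _covers(f.src, src) and _covers(f.dst, dst)


def evaluate(policies, src: str, dst: str, proto: str = "icmp"):
    """Return (winning policy name or None, 'ipsec' | 'cleartext').

    Walk the policies in file order and remember the last one that matches;
    'quick' ends the walk early.  Under the reading in the post, a winning
    'skip' policy means the packet stays out of the tunnel (cleartext via the
    normal route, i.e. vlan5 rather than enc0 in the poster's setup).
    """
    s, d = ip_address(src), ip_address(dst)
    winner = None
    for p in policies:
        if any(flow_matches(f, s, d, proto) for f in p.flows):
            winner = p
            if p.eval_ == "quick":
                break
    if winner is None:
        return None, "cleartext"
    return winner.name, ("cleartext" if winner.eval_ == "skip" else "ipsec")


# The two policies from the post, with the constructed stand-in addresses.
G65 = Policy("g65", "default", (flow("any", "192.168.48.1"),
                                 flow("203.0.113.192/26", "any")))
G65_LOCAL = Policy("g65-local", "skip",
                   (flow("203.0.113.192/26", "203.0.113.192/26"),))
POLICIES = [G65, G65_LOCAL]


def demo():
    """Cases from the post's 'pings' lists; FW2a's vlan5 address is .194."""
    return {
        "fw2a_to_lan_host": evaluate(POLICIES, "203.0.113.194", "203.0.113.200"),
        "fw2a_to_carp": evaluate(POLICIES, "203.0.113.194", "203.0.113.193"),
        "lan_host_to_fw1_sec0": evaluate(POLICIES, "203.0.113.200", "192.168.48.1"),
        "lan_host_to_internet": evaluate(POLICIES, "203.0.113.200", "198.51.100.7"),
        # Same local-to-local ping with the skip policy absent: this is the
        # behaviour the post actually observes (packets go to enc0).
        "fw2a_to_lan_host_without_skip": evaluate([G65], "203.0.113.194", "203.0.113.200"),
        # A protocol outside the proto list never matches any flow.
        "gre_to_lan_host": evaluate(POLICIES, "203.0.113.194", "203.0.113.200", "gre"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

Under this model the local-to-local pings land on the skip policy and stay in cleartext, while the same pings with the skip policy removed fall through to 'g65' and go into the tunnel, which is the enc0 behaviour the post reports; comparing the model's answer for each case with what tcpdump shows on enc0 and vlan5 separates "the skip never matched" from "the skip matched but did not exclude".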