Hello misc
I have a problem with the ikev2 pf rules; could someone help, please?
Server pf rules recommended on the OpenBSD website:
pass in log on $ext_if proto udp from 198.51.100.1 to 192.0.2.1 port {isakmp, ipsec-nat-t} tag IKED
pass in log on $ext_if proto esp from 198.51.100.1 to 192.0.2.1 tag IKED
Clients:
pass in log on $ext_if proto udp from 198.51.100.1 to 192.0.2.1 port {isakmp, ipsec-nat-t} tag IKED
pass in log on $ext_if proto esp from 198.51.100.1 to 192.0.2.1 tag IKED
Do I have to change $ext_if to lo0, wg0, enc0 or anything else, please?
Somebody on IRC said that the answer can be gotten with ifconfig!
# ifconfig
lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
	index 3 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	lladdr f6:4b:aa:66:9f:02
	index 1 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect
	status: active
	inet 104.167.242.198 netmask 0xffffff00 broadcast 104.167.242.255
	inet6 fe80::f44b:aaff:fe66:9f02%vio0 prefixlen 64 scopeid 0x1
	inet6 2602:fccf:1:2198:: prefixlen 48
enc0: flags=0<>
	index 2 priority 0 llprio 3
	groups: enc
	status: active
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
	index 4 priority 0 llprio 3
	wgport 51820
	wgpubkey /ALPoVJpM1d43GN3yzrAY2lpNNfYV/NyEmOhSC/wzlA=
	groups: wg
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
	index 5 priority 0 llprio 3
	groups: pflog
--------------------------------
Full server pf.conf:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# iked
pass in log on vio0 proto udp from 24.80.177.18 to 104.167.242.198 port {isakmp, ipsec-nat-t} tag IKED
pass in log on vio0 proto esp from 24.80.177.18 to 104.167.242.198 tag IKED
# iked RW
pass in log on vio0 proto udp from any to 104.167.242.198 port {isakmp, ipsec-nat-t} tag IKED
pass in log on vio0 proto esp from any to 104.167.242.198 tag IKED
pass log on enc0 tagged ROADW
match out log on vio0 inet tagged ROADW nat-to vio0
# WireGuard
pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (vio0:0)
# OpenVPN
#
#
#
-----------------------------------------
Not related, but ...:
Full server wg0.conf:
[Interface]
PrivateKey = aaa=
ListenPort = 51820
### client OpenBSD
[Peer]
PublicKey = xxxxxxxxxxxxx=
AllowedIPs = 10.0.0.2/32
### client Debian
[Peer]
PublicKey = xxxxxxxxxxxxx=
AllowedIPs = 10.0.0.3/32
### client Slackware
# [Peer]
# PublicKey = CCCC
# AllowedIPs = 10.0.0.4/32
### client Mac
# [Peer]
# PublicKey = CCCC
# AllowedIPs = 10.0.0.5/32
### client Windows
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.0.0.6/32
### client iPhone
# [Peer]
# PublicKey = EEEE
# AllowedIPs = 10.0.0.7/32
### client android
# [Peer]
# PublicKey = FFFF
# AllowedIPs = 10.0.0.8/32
Thanks for your attention.
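As an added example (not the poster's configuration and not OpenBSD project code): a small shell helper that reads the ifconfig output quoted in the post, picks the interface in the "egress" group as the one the IKE (UDP isakmp/ipsec-nat-t) and ESP packets arrive on, and emits the matching pf rules, passing the decrypted tunnel traffic on the enc group member. The ifconfig text it parses is a constructed, abbreviated copy of the output above, embedded so the script runs offline.

```shell
#!/bin/sh
# Constructed sample: the ifconfig(8) output from the post, abbreviated.
# Continuation lines are indented as ifconfig prints them.
IFCONFIG_SAMPLE='lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
	groups: lo
	inet 127.0.0.1 netmask 0xff000000
vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	lladdr f6:4b:aa:66:9f:02
	groups: egress
	inet 104.167.242.198 netmask 0xffffff00 broadcast 104.167.242.255
	inet6 fe80::f44b:aaff:fe66:9f02%vio0 prefixlen 64 scopeid 0x1
enc0: flags=0<>
	groups: enc
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
	groups: wg
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'

# if_in_group GROUP: read ifconfig output on stdin and print every
# interface whose "groups:" line lists GROUP (e.g. egress, enc).
if_in_group() {
	awk -v grp="$1" '
		/^[a-z]/ { ifn = $1; sub(/:$/, "", ifn) }
		/^[[:space:]]+groups:/ { for (i = 2; i <= NF; i++) if ($i == grp) print ifn }'
}

# inet_addr IFACE: print the first IPv4 address configured on IFACE.
# "inet " (with the trailing space) deliberately skips inet6 lines.
inet_addr() {
	awk -v want="$1" '
		/^[a-z]/ { ifn = $1; sub(/:$/, "", ifn) }
		/^[[:space:]]+inet / && ifn == want { print $2; exit }'
}

# iked_rules IFCONFIG_OUTPUT: emit the three pf rules. IKE (UDP 500/4500)
# and ESP arrive on the interface that holds the public address, i.e. the
# egress group member; the decrypted inner packets show up on enc0.
iked_rules() {
	ext_if=$(printf '%s\n' "$1" | if_in_group egress)
	ext_ip=$(printf '%s\n' "$1" | inet_addr "$ext_if")
	enc_if=$(printf '%s\n' "$1" | if_in_group enc)
	printf 'pass in log on %s proto udp from any to %s port {isakmp, ipsec-nat-t} tag IKED\n' "$ext_if" "$ext_ip"
	printf 'pass in log on %s proto esp from any to %s tag IKED\n' "$ext_if" "$ext_ip"
	printf 'pass log on %s tagged ROADW\n' "$enc_if"
}

iked_rules "$IFCONFIG_SAMPLE"
```

Pipe the real `ifconfig` output into `if_in_group egress` on a live box to get the same answer the IRC advice pointed at; wg0 and lo0 never appear because neither is in the egress group.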