Hello,

VPN is mounted but there's no traffic. For recall:

Factory IP: 22.22.22.22
Factory LAN: 10.0.0.0/8 --> biNAT --> 192.168.191.0
Our IP: 11.11.11.11
Our LAN: 10.0.0.0/24 --> biNAT --> 192.168.192.0
Our FTP: 10.0.0.115 --> biNAT --> 192.168.192.115
Our OpenBSD firewall: 10.0.0.113 (ftpproxy) --> biNAT --> 192.168.192.113

In /var/log/daemon and messages, there's no error, so I think that the error comes from my pf.conf file.

pfctl -s states ::
---------------
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1311 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1311 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1316 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1316 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.100.193:1320 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1320 -> 10.0.0.114:110 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1328 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1328 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2600 FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2600 -> 10.0.0.114:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2979 FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2979 -> 10.0.0.114:110 FIN_WAIT_2:FIN_WAIT_2
all esp 11.11.11.11 <- 22.22.22.22 NO_TRAFFIC:SINGLE

tcpdump -nettti pflog0 ::
----------------------
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442729 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442782 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:21.744797 rule 0/(match) block in on bge0: 10.0.0.114.138 > 10.0.0.255.138: udp 204
Sep 22 09:10:26.004802 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:26.004856 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:55.987199 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.055641 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.132420 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.177171 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.347699 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:11:00.759127 rule 0/(match) block in on bge0: 192.168.0.92.138 > 192.168.0.255.138: udp 201
Sep 22 09:11:09.724487 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:09.724542 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:11.743450 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:12.925128 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:12.927137 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:13.743026 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:13.743317 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.742900 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.743629 rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
Sep 22 09:11:19.487204 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:19.489208 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.397661 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.399746 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.642545 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.644562 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

tcpdump -i enc0 ::
----------------
09:04:06.296541 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:06.296601 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.541372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.543372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103470 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103526 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.771111 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.772896 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025847 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025899 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587923 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587980 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420076 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420132 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.632782 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.634783 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196911 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196973 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908543 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908595 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.117237 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.119247 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:55.679310 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

My ipsec.conf file:
-----------------------
ike esp from 192.168.192.0/24 (10.0.0.0/24) to 192.168.191.0/24 \
    peer 22.22.22.22 \
    main auth hmac-sha1 enc aes-256 group modp1024 \
    quick auth hmac-sha1 enc aes-256 group modp1024 \
    psk "haiku"

My pf.conf file:
-------------------
lan="bge0:network"
int_if="bge0"
gw="11.11.11.11"
ftp_server="10.0.0.115"
mailserver="10.0.0.114"
clients_out="{ ssh, www, https, imap, imaps, pop3, pop3s, smtp, smtps, \
    3389, ftp, 8443, http, ftp-data, 8080, submission, sftp }"

set require-order no
set skip on { lo, enc0 }
set block-policy drop
scrub in

nat-anchor "ftp-proxy/*"
nat on egress from $lan -> egress
binat on enc0 inet from 10.0.0.0/24 to 192.168.191.0/24 -> \
    192.168.192.0/24
rdr-anchor "ftp-proxy/*"
rdr on egress proto tcp from any to any port smtp -> $mailserver
rdr on egress proto tcp from any to any port pop3 -> $mailserver
rdr on egress proto tcp from any to any port 80 -> $mailserver
rdr on egress proto tcp from any to any port https -> $mailserver

block log all
pass quick proto esp keep state
pass quick proto udp to port { isakmp, ipsec-nat-t } keep state
pass log on enc0
pass quick inet proto { tcp, udp } from $lan to any port domain
pass inet proto icmp all icmp-type { echoreq, unreach }
pass inet proto tcp from $lan to any port $clients_out
pass out on egress from $gw to any
pass in on egress inet proto tcp to $gw port 21 \
    flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_server port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"
pass proto tcp to $mailserver port { smtp, pop3, 80, https }

*******************************************
If someone can help me please ...
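Added here as a diagnostic aid, not part of the post above: a small Python summarizer for pflog output of the kind quoted in the post. It groups the "block" lines by direction, interface and destination, and flags any packet that leaves on an interface other than the LAN side while still addressed to a biNAT alias, which is the signature of a packet whose alias was never translated back to a real LAN address. The sample lines are constructed in the shape of the post's pflog lines; the biNAT network and LAN interface name are arguments the caller supplies (assumed values in the usage below).

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the shape of the "tcpdump -nettti pflog0" lines quoted above.
SAMPLE_PFLOG = """\
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442782 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
"""

# "rule N/(match) ACTION DIR on IF: SRC[.SPORT] > DST[.DPORT]: ..." (ports absent for IGMP etc.)
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def parse_pflog(text):
    """Return one dict per parsable pflog line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def summarize_blocks(text, binat_net, lan_if):
    """Count blocked flows per (dir, interface, dst, dport) and list, once each,
    packets leaving on an interface other than lan_if while still addressed to
    the biNAT alias network (alias never translated back to a real LAN address,
    so the packet followed the default route instead of reaching the LAN host)."""
    alias_net = ipaddress.ip_network(binat_net)
    counts, untranslated = Counter(), []
    for ev in parse_pflog(text):
        if ev["action"] != "block":
            continue
        key = (ev["dir"], ev["ifname"], ev["dst"], ev["dport"])
        counts[key] += 1
        if (ev["dir"] == "out" and ev["ifname"] != lan_if
                and ipaddress.ip_address(ev["dst"]) in alias_net
                and key not in untranslated):
            untranslated.append(key)
    return counts, untranslated


if __name__ == "__main__":
    # Assumed values: the post's alias network and LAN interface.
    counts, bad = summarize_blocks(SAMPLE_PFLOG, "192.168.192.0/24", "bge0")
    print(dict(counts))
    for key in bad:
        print("untranslated biNAT alias leaving on", key[1], "to", key[2], "port", key[3])
```

Feed it a real capture with `tcpdump -n -e -ttt -i pflog0` redirected to a file to see which blocked destinations are still alias addresses when they leave the box.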