Date:      Sat, 25 Sep 2021 09:03:06 +1000
From:      Peter Jeremy <peter@rulingia.com>
To:        freebsd-net@freebsd.org
Subject:   IPSEC problems with pf
Message-ID:  <YU5ZKsBQ73UJ71r2@server.rulingia.com>


I'm trying to set up an IPSEC transport connection between my home and
one of my VPS hosts.  I can successfully set up an IPv6 connection from
an internal host to the VPS but can't set up an IPv4 connection from my
firewall to that host.  I'm using openiked-portable in esp transport
mode using psk (at least for testing).

My configuration (much simplified) looks like:
Host ---- firewall ---- (internet) ---- VPS

'Host' has a public IPv6 address and I can successfully set up an IPSEC
transport connection between it and 'VPS'.

IPSEC doesn't work through NAT so I have set up an IPv4 IPSEC transport
layer from firewall to VPS.  The iked processes can exchange isakmp
packets and appear to set up the connection.  Running tcpdump on both
ends, I see:
* "ping VPS" from firewall sends ICMP packets in the clear.  They arrive
  at VPS but there's no response.
* "ping firewall" from VPS sends IPSEC esp packets which arrive at
  firewall but there's no response.

Comparing the pf configurations between firewall and VPS, the main
difference is that the firewall is configured to NAT internal hosts
onto the Internet and RDR some inbound ports to internal hosts.  I
am logging blocked packets so I'm confident that pf is not blocking
the esp packets.

I've tried enabling net.inet.ipsec.debug and that generates occasional
messages like "kernel: key_acqdone: ACQ 19 is not found." but that
hasn't helped me solve the problem.

I don't understand:
a) Why outgoing ICMP packets from firewall to VPS aren't going through
   the IPSEC transport.
b) Why firewall is ignoring incoming IPSEC esp packets.

Is anyone able to help?

-- 
Peter Jeremy
