Date: Sat, 25 Sep 2021 09:03:06 +1000
From: Peter Jeremy <peter@rulingia.com>
To: freebsd-net@freebsd.org
Subject: IPSEC problems with pf
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
I'm trying to set up an IPSEC transport connection between my home and one of my VPS hosts. I can successfully set up an IPv6 connection from an internal host to the VPS but can't set up an IPv4 connection from my firewall to that host. I'm using openiked-portable in esp transport mode using psk (at least for testing).
My configuration (much simplified) looks like:

Host ---- firewall ---- (internet) ---- VPS

'Host' has a public IPv6 address and I can successfully set up an IPSEC transport connection between it and 'VPS'.

IPSEC doesn't work through NAT so I have set up an IPv4 IPSEC transport layer from firewall to VPS. The iked processes can exchange isakmp packets and appear to set up the connection. Running tcpdump on both ends, I see:

* "ping VPS" from firewall sends ICMP packets in the clear. They arrive at VPS but there's no response.
* "ping firewall" from VPS sends IPSEC esp packets which arrive at firewall but there's no response.

Comparing the pf configurations between firewall and VPS, the main difference is that the firewall is configured to NAT internal hosts onto the Internet and RDR some inbound ports to internal hosts. I am logging blocked packets so I'm confident that pf is not blocking the esp packets.

I've tried enabling net.inet.ipsec.debug and that generates occasional messages like "kernel: key_acqdone: ACQ 19 is not found." but that hasn't helped me solve the problem.

I don't understand:
a) Why outgoing ICMP packets from firewall to VPS aren't going through the IPSEC transport.
b) Why firewall is ignoring incoming IPSEC esp packets.

Is anyone able to help?
-- 
Peter Jeremy