From nobody Sat Sep 25 00:03:01 2021
Date: Fri, 24 Sep 2021 21:03:01 -0300
From: charles@freebsdbrasil.com.br
To: Peter Jeremy
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC problems with pf
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Message-ID: <175f93f5201e491589ecc38cac7b89af@freebsdbrasil.com.br>
User-Agent: Roundcube Webmail/1.4.4

On 2021-09-24 20:03, Peter Jeremy wrote:
> I'm trying to set up an IPSEC transport connection between my home and
> one of my VPS hosts. I can successfully set up an IPv6 connection from
> an internal host to the VPS but can't set up an IPv4 connection from my
> firewall to that host. I'm using openiked-portable in esp transport
> mode using psk (at least for testing).
>
> My configuration (much simplified) looks like:
> Host ---- firewall ---- (internet) ---- VPS
>
> 'Host' has a public IPv6 address and I can successfully set up an IPSEC
> transport connection between it and 'VPS'.
>
> IPSEC doesn't work through NAT so I have set up an IPv4 IPSEC transport
> layer from firewall to VPS. The iked processes can exchange isakmp
> packets and appear to set up the connection. Running tcpdump on both
> ends, I see:
> * "ping VPS" from firewall sends ICMP packets in the clear. They arrive
>   at VPS but there's no response.
> * "ping firewall" from VPS sends IPSEC esp packets which arrive at
>   firewall but there's no response.
>
> Comparing the pf configurations between firewall and VPS, the main
> difference is that the firewall is configured to NAT internal hosts
> onto the Internet and RDR some inbound ports to internal hosts. I
> am logging blocked packets so I'm confident that pf is not blocking
> the esp packets.
>
> I've tried enabling net.inet.ipsec.debug and that generates occasional
> messages like "kernel: key_acqdone: ACQ 19 is not found." but that
> hasn't helped me solve the problem.
>
> I don't understand:
> a) Why outgoing ICMP packets from firewall to VPS aren't going through
>    the IPSEC transport.
> b) Why firewall is ignoring incoming IPSEC esp packets.
>
> Is anyone able to help?

Hello!
I have a client with a similar config:

Fortigate Local (IPSec) <-> FreeBSD with PF <-> Internet <-> Fortigate Remote (IPSec)

In pf.conf, something like this:

    IF_EXT="em0"                 # external interface; the name is assumed, it was not given in the post
    FORTIGATE_LOCAL=10.0.0.11
    EXT_IP=192.168.0.10

    # normalization
    scrub in all fragment reassemble

    # NAT IPSEC
    # pf applies the first matching translation rule, so the IKE/NAT-T (udp 500, 4500)
    # and ESP rules must come before the general NAT rule or they are never reached.
    # static-port keeps the source port unchanged, which IKE peers expect.
    nat on $IF_EXT proto udp from $FORTIGATE_LOCAL port { 500, 4500 } to any -> $EXT_IP static-port
    nat on $IF_EXT proto esp from $FORTIGATE_LOCAL to any -> $EXT_IP static-port

    # NAT output (everything else from the Fortigate)
    nat on $IF_EXT from $FORTIGATE_LOCAL to any -> $EXT_IP

    # rdr admin-fortigate
    rdr pass on $IF_EXT from any to $EXT_IP -> $FORTIGATE_LOCAL

    # internet output
    pass out on $IF_EXT from $EXT_IP to any

I hope it's useful!
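As an added example (not from the original post or from pf itself), a small Python checker for the ordering of pf translation rules such as the ones in the pf.conf above: pf applies the first matching nat rule, so a general NAT rule placed before the static-port rules for udp 500/4500 and ESP silently shadows them. It assumes the macro names from that pf.conf and only parses the rule shapes used there.

```python
"""Check pf nat rules for first-match shadowing (added example, not from the post).

pf applies the first matching translation rule, so a general
'nat ... from $FORTIGATE_LOCAL to any' placed before the static-port
rules for IKE (udp 500/4500) and ESP means those never apply.
Only the rule shapes used in the pf.conf above are understood."""
import re

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+)(?: proto (?P<proto>\S+))? from (?P<src>\S+)"
    r"(?: port \{(?P<ports>[^}]*)\})? to any -> \S+( static-port)?$")

# Constructed sample rulesets: the order as posted, and the corrected order.
ORIGINAL_ORDER = """
nat on $IF_EXT from $FORTIGATE_LOCAL to any -> $EXT_IP
nat on $IF_EXT proto udp from $FORTIGATE_LOCAL port { 500, 4500 } to any -> $EXT_IP static-port
nat on $IF_EXT proto esp from $FORTIGATE_LOCAL to any -> $EXT_IP static-port
"""
FIXED_ORDER = "\n".join(reversed(ORIGINAL_ORDER.strip().splitlines()))

def parse_nat_rule(line):
    """Return a dict describing a nat rule, or None for any other line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    ports = m.group("ports")
    return {"iface": m.group("iface"),
            "proto": m.group("proto"),  # None: the rule matches every protocol
            "src": m.group("src"),
            "ports": frozenset(p.strip() for p in ports.split(",")) if ports else None,
            "text": line.strip()}

def covers(earlier, later):
    """True if every packet matched by 'later' is already matched by 'earlier'."""
    if earlier["iface"] != later["iface"] or earlier["proto"] not in (None, later["proto"]):
        return False
    if earlier["src"] not in ("any", later["src"]):
        return False
    if earlier["ports"] is None:  # no port restriction: matches whatever 'later' matches
        return True
    return later["ports"] is not None and later["ports"] <= earlier["ports"]

def shadowed_rules(conf):
    """Return nat rules that can never match because an earlier rule always wins."""
    rules = [r for r in map(parse_nat_rule, conf.splitlines()) if r]
    return [r["text"] for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
```

Run against the posted order it reports both static-port rules as unreachable; with the static-port rules first it reports nothing.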