Re: IPSEC problems with pf
- In reply to: Peter Jeremy : "IPSEC problems with pf"
Date: Sat, 25 Sep 2021 00:03:01 UTC
On 2021-09-24 20:03, Peter Jeremy wrote:
> I'm trying to set up an IPSEC transport connection between my home and
> one of my VPS hosts. I can successfully set up an IPv6 connection from
> an internal host to the VPS but can't set up an IPv4 connection from my
> firewall to that host. I'm using openiked-portable in esp transport
> mode using psk (at least for testing).
>
> My configuration (much simplified) looks like:
> Host ---- firewall ---- (internet) ---- VPS
>
> 'Host' has a public IPv6 address and I can successfully set up an IPSEC
> transport connection between it and 'VPS'.
>
> IPSEC doesn't work through NAT so I have set up an IPv4 IPSEC transport
> layer from firewall to VPS. The iked processes can exchange isakmp
> packets and appear to set up the connection. Running tcpdump on both
> ends, I see:
> * "ping VPS" from firewall sends ICMP packets in the clear. They arrive
> at VPS but there's no response.
> * "ping firewall" from VPS sends IPSEC esp packets which arrive at
> firewall but there's no response.
>
> Comparing the pf configurations between firewall and VPS, the main
> difference is that the firewall is configured to NAT internal hosts
> onto the Internet and RDR some inbound ports to internal hosts. I
> am logging blocked packets so I'm confident that pf is not blocking
> the esp packets.
>
> I've tried enabling net.inet.ipsec.debug and that generates occasional
> messages like "kernel: key_acqdone: ACQ 19 is not found." but that
> hasn't helped me solve the problem.
>
> I don't understand:
> a) Why outgoing ICMP packets from firewall to VPS aren't going through
> the IPSEC transport.
> b) Why firewall is ignoring incoming IPSEC esp packets.
>
> Is anyone able to help?

Hello!
I have a client with a similar conf:

  Fortigate Local (IPSec) <-> FreeBSD with PF <-> Internet <-> Fortigate Remote (IPSec)

In pf.conf something like this:

  FORTIGATE_LOCAL=10.0.0.11
  EXT_IP=192.168.0.10

  # normalization
  scrub in all fragment reassemble

  # NAT IPSEC
  # translation rules are first-match, so these must come before the general NAT rule
  nat on $IF_EXT proto udp from $FORTIGATE_LOCAL port { 500, 4500 } to any -> $EXT_IP static-port
  nat on $IF_EXT proto esp from $FORTIGATE_LOCAL to any -> $EXT_IP static-port

  # NAT output
  nat on $IF_EXT from $FORTIGATE_LOCAL to any -> $EXT_IP

  # rdr admin-fortigate
  rdr pass on $IF_EXT from any to $EXT_IP -> $FORTIGATE_LOCAL

  # internet output
  pass out on $IF_EXT from $EXT_IP to any

I hope it's useful!
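A fuller pf.conf for the same IPsec-behind-NAT layout, added here as an illustration and not the poster's configuration: it keeps the static-port translation for IKE and NAT-T, orders the translation rules so the catch-all NAT cannot shadow them, narrows the inbound redirect to the IPsec ports instead of every inbound port, and logs blocked packets so a dropped ESP or IKE packet shows up in pflog. It assumes FreeBSD pf with the separate nat/rdr rule syntax used in the reply; the interface name and addresses are constructed placeholders.

```pf
# Added example; names and addresses below are constructed, not from the thread.
IF_EXT="em0"
EXT_IP="192.0.2.10"
FORTIGATE_LOCAL="10.0.0.11"
IKE_PORTS="{ 500, 4500 }"

set block-policy drop
set skip on lo0

scrub in all fragment reassemble

# Translation rules are evaluated first-match (filter rules are last-match),
# so the IPsec-specific rules go first; otherwise the catch-all nat below
# matches IKE first and rewrites its UDP source port, which peers expecting
# port 500/4500 may refuse.
nat on $IF_EXT proto udp from $FORTIGATE_LOCAL port $IKE_PORTS to any -> $EXT_IP static-port
nat on $IF_EXT proto esp from $FORTIGATE_LOCAL to any -> $EXT_IP
nat on $IF_EXT from $FORTIGATE_LOCAL to any -> $EXT_IP

# Only forward inbound IKE/NAT-T and ESP to the local peer, not every port.
rdr on $IF_EXT proto udp from any to $EXT_IP port $IKE_PORTS -> $FORTIGATE_LOCAL
rdr on $IF_EXT proto esp from any to $EXT_IP -> $FORTIGATE_LOCAL

# Default deny with logging: anything dropped, ESP included, is visible with
# "tcpdump -n -e -ttt -i pflog0".
block log all

# Filter rules see the post-rdr (internal) destination address.
pass out on $IF_EXT from $EXT_IP to any keep state
pass in on $IF_EXT proto udp from any to $FORTIGATE_LOCAL port $IKE_PORTS keep state
pass in on $IF_EXT proto esp from any to $FORTIGATE_LOCAL keep state
```

Because pf tracks ESP state by address pair only, this layout supports one ESP peer behind the NAT at a time; a second internal IPsec endpoint would need NAT-T (UDP 4500) end to end.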