From: Gary Aitken (freebsd@dreamchaser.org)
To: FreeBSD Mailing List (freebsd-questions@freebsd.org)
Date: Sun, 23 Apr 2023 10:47:49 -0700
Subject: ipfw rules for ikev2/ipsec
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Trying to get a black-box cell booster set up; new to vpn.
Internal net is using NAT.

Using tcpdump I see the following on my internal net:

  IP internal_dhcp_ip.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]

That looks like it's trying to set up a vpn connection to verizon using ikev2/ipsec.

I already had the following rule:

  08411 allow udp from any to any out keep-state :default

However, I saw nothing going out. So I added this:

  07120 allow udp from my_internal_net to any 500 keep-state :default

And now I see these going to the outside:

  IP a.b.c.d.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]

However, I see nothing coming back.
Tried adding similar rules for ports 4500, 1500, 1701 but that made no difference.

Tried adding esp and ah protocols as in:

  07150 allow esp from my_internal_net to any 50 keep-state :default

Not sure how to deal with esp and ah protocols, and ipsec on 1701.

Questions:
1. Why did I need the explicit rule at 7120? Why doesn't 8411 suffice?
2. What am I missing?

Thanks,
Gary
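An added example, not part of Gary's message, showing one way to express the pieces his question touches (check-state ordering, IKE on UDP 500 and 4500, port-less ESP, and logging of unmatched IPsec traffic) as an rc.firewall-style shell function. The inside network 192.168.151.0/24, the outside interface em0 and the rule numbers are assumptions; setting fwcmd=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original post: ipfw rules that let one
# inside host complete an IKEv2/IPsec negotiation through a NAT gateway.
# Assumed (hypothetical) values: inside net 192.168.151.0/24, outside
# interface em0, rule numbers 7100-7151 unused. As in rc.firewall, fwcmd
# names the ipfw binary; run with fwcmd=echo to print instead of loading.
: "${fwcmd:=/sbin/ipfw}"
: "${int_net:=192.168.151.0/24}"
: "${ext_if:=em0}"

add_ipsec_rules() {
    # Dynamic (keep-state) entries are consulted only at a check-state
    # rule or at the first keep-state rule reached, so put check-state
    # first; this is what lets the responder's UDP 500 reply back in.
    $fwcmd add 7100 check-state
    # IKEv2 starts on UDP 500; when either peer detects NAT it moves to
    # UDP 4500 and carries ESP inside UDP (NAT-T). No "in"/"out" keyword:
    # a router sees the LAN packet inbound on the inside interface before
    # it sees it outbound on the outside one, so an out-only rule never
    # matches the first pass and a later deny can drop the packet there.
    $fwcmd add 7110 allow udp from "$int_net" to any 500,4500 keep-state
    # Plain ESP (IP protocol 50) has no ports, so it gets a stateless
    # rule on the outside interface. A NAT gateway can carry plain ESP
    # for only one inside host at a time; NAT-T avoids that limit.
    $fwcmd add 7120 allow esp from any to any via "$ext_if"
    # Anything IPsec-related that the rules above did not match is
    # denied and logged (set net.inet.ip.fw.verbose=1 to see it in
    # /var/log/security), so a stalled negotiation leaves a trace.
    $fwcmd add 7150 deny log udp from any to any 500,4500
    $fwcmd add 7151 deny log esp from any to any
}
```

With fwcmd=echo the function prints the five ipfw commands it would run, which makes it easy to review the rule order before loading it on the gateway.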