No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected


No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

Martin Got
The OpenIKED IKEv2 VPN setup consists of an OpenBSD 6.6 based remote server and a 6.6 based road warrior
client with a dynamic IP. The VPN works stably even over a link behind ISP NAT with ping latency from
~750ms to ~1100ms. I hope a latency of about 1000ms is not related to the issue, because all the tests
with the VPN disconnected/connected were made on the same ISP link.

Any of the hosts on the LAN (192.168.0.0/24) behind the road warrior can reach external Internet
hosts only when the VPN is disconnected.

If the VPN is connected, no host on the road warrior's LAN can reach any Internet host.
But any LAN host can connect to the road warrior's local services listening on lo0, whether the VPN is
connected or not.

So I can't ping any Internet host from a LAN host when the VPN is connected, but I can ping
outside Internet hosts from the road warrior itself. In PF, ICMP is allowed from any to any, and ping
works to any Internet host when the VPN is disabled. I think it can't be related to the firewall rules;
maybe PF state timeouts. I'm completely unsure about that.

When the VPN is connected, all of the road warrior's LAN traffic is blocked for some reason; tcpdump shows
requests and replies to the LAN host on enc0, but the initiator (192.168.0.5) doesn't receive any replies. I
don't know why.

$ tcpdump -en -i pflog0
10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
10:12:47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply

LAN clients can reach the road warrior's localhost-bound services like DNS and the proxy regardless of
whether the VPN is enabled, but there is no outbound traffic at all with the VPN enabled.

The road warrior client has one NAT rule in PF to translate packets to its local IP address when the VPN is
disabled, and a second NAT rule to translate packets when the IKEv2 VPN is connected:

$ pf.conf (client)
# ---NAT
match out log on enc0 inet all nat-to 10.0.1.2
match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)

# ---ICMP
pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
echoreq, timex, paramprob, unreach code needfrag keep state
pass out log inet proto icmp all

# ---Web
pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
port {www, https} modulate state
pass out on enc0 inet proto tcp from 10.0.1.2 to any \
port {www, https} flags S/SA modulate state
pass out on (egress) inet proto tcp from (egress) to any \
port {www, https} flags S/SA modulate state

# ---IPsec
# "port" only applies to tcp/udp, so pfctl rejects it on a proto esp rule;
# ESP and the IKE/NAT-T UDP ports need separate rules.
pass in log on (egress) inet proto esp from any to (egress)
pass in log on (egress) inet proto udp from any to (egress) port {isakmp, ipsec-nat-t}
pass out log on (egress) inet proto udp from (egress) to any port {isakmp, ipsec-nat-t} keep state

pass in log on enc0 inet proto ipencap from any to (egress) keep state (if-bound)
pass out log on enc0 inet proto ipencap from (egress) to any keep state (if-bound)

pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
# ---

# /etc/sysctl.conf has
net.inet.ip.forwarding=1

I bypass all possible SA flows from/to the road warrior's LAN in /etc/ipsec.conf, and all traffic
from/to the road warrior's localhost services, so DNS works as expected (DNS listens on the road warrior's
localhost and all queries are redirected by an rdr-to rule in PF).

$ /etc/ipsec.conf (client)
flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass

flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass


$ /etc/iked.conf (client)
ikev2 "road-warrior" active esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local 1.2.3.4 peer 4.3.2.1 \
        srcid roadw.vpn dstid srv.vpn \
        ikelifetime 80m lifetime 100m bytes 256m \
        tag "IKED" \
        tap "enc0"

# rcctl -f start iked (client)
iked(OK)

# ipsecctl -f /etc/ipsec.conf (client)

# ipsecctl -sa (client)
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type use
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
flow esp in from 127.0.0.1 to 127.0.0.1 type bypass

flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type require
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
flow esp out from 127.0.0.1 to 127.0.0.1 type bypass

SAD:
esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256

# /etc/iked.conf (server)
ikev2 "server" passive esp \
        from 0.0.0.0/0 to 10.0.1.0/24 \
        local 4.3.2.1 peer any \
        srcid srv.vpn \
        ikelifetime 140m lifetime 200m bytes 110m \
        tag "IKED" \
        tap "enc0"


Re: No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

Martin Got
Hello @misc,

I still can't resolve the issue with outgoing connections from the OpenBSD road warrior's LAN clients, but connections from the road warrior's localhost go through the VPN as they should.

Any ideas about what could be wrong in my setup would be highly appreciated.

Martin

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 3, 2020 9:03 PM, Martin Got <[hidden email]> wrote:

> OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 based road warrior -
> client with dynamic IP. VPN works stable even using a link behind ISP NAT with ping latency from
> ~750ms to ~1100ms. Hope latency about 1000ms can't be related to the issue because all the tests
> with disconnected/connected VPN have been made on the same ISP channel.
>
> Any of the hosts from LAN (192.168.0.0/24) connected to the road warrior can reach external Internet
> hosts with disconnected VPN only.
>
> If VPN is connected, no one host from road warrior's LAN can reach any internet host.
> But any of LAN host can connect to road warrior's local services listening on lo0 even with VPN is
> connected or not.
>
> So I can't ping any Internet host from road warrior's LAN host if VPN is connected, but I can ping
> outside Internet hosts from road warriors' localhost itself. In PF ICMP set from any to any and ping
> works to any Internet host if VPN is disabled. I think it can't be bound to firewall rules, maybe
> timeouts of PF connection states. I'm completely not sure about it.
>
> When VPN is connected, all roadwarrior's LAN traffic is disabled for some reason, tcpdump shows
> requests and replies to LAN's host on enc0 but initiator (192.168.0.5) don't receive any replies. I
> don't know why?
>
> $ tcpdump -en -i pflog0
> 10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10:12.43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10.12.44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
> 10.12.47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
>
> LAN clients' can reach road warrior's localhost bound services like DNS, proxy and it doesn't matter
> if VPN enabled or not, but no any outbound traffic with enabled VPN.
>
> Road warrior client has one NAT in PF to transmit packets from it's local IP address when VPN is
> disabled, and second NAT rule to transmit packets when IKEv2 VPN is connected like:
>
> $ pf.conf (client)
>
> ---NAT
>
> =======
>
> match out log on enc0 inet all nat-to 10.0.1.2
> match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)
>
> ---ICMP
>
> ========
>
> pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
> echoreq, timex, paramprob, unreach code needfrag keep state
> pass out log inet proto icmp all
>
> ---Web
>
> =======
>
> pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
> port {www, https} modulate state
> pass out on enc0 inet proto tcp from 10.0.1.2 to any \
> port {www, https} flags S/SA modulate state
> pass out on (egress) inet proto tcp from (egress) to any \
> port {www, https} flags S/SA modulate state
>
> ---IPsec
>
> =========
>
> pass in log on (egress) inet proto esp from any to (egress) port {isakmp, ipsec-nat-t}
> pass out log on (egress) inet proto udp from (egress) to any port {isakmp, ipsec-nat-t} keep state
>
> pass in log on enc0 inet proto ipencap from any to (egress) keep state (if-bound)
> pass out log on enc0 inet proto ipencap from (egress) to any keep state (if-bound)
>
> pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
> pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
>
> ---
>
> ====
>
> /etc/sysctl.conf has
>
> =====================
>
> net.inet.ip.forwarding=1
>
> I bypass all the possible SA flows from/to road warrior's LAN in /etc/ipsec.conf, and all traffic
> from/to road warrior's localhost services so DNS works as expected (DNS listens on road warrior's
> localhost and all queries were redirected by rdr-to rule in PF).
>
> $ /etc/ipsec.conf (client)
> flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
>
> flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
> flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
> flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass
>
> $ /etc/iked.conf (client)
> ikev2 "road-warrior" active esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local 1.2.3.4 peer 4.3.2.1 \
> srcid roadw.vpn dstid srv.vpn \
> ikelifetime 80m lifetime 100m bytes 256m \
> tag "IKED" \
> tap "enc0"
>
> rcctl -f start iked (client)
>
> =============================
>
> iked(OK)
>
> ipsecctl -f /etc/ipsec.conf (client)
>
> =====================================
>
> ipsecctl -sa (client)
>
> ======================
>
> FLOWS:
> flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type
>
> use
> flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp in from 127.0.0.1 to 127.0.0.1 type bypass
>
> flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type
>
> require
> flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp out from 127.0.0.1 to 127.0.0.1 type bypass
>
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256
>
> /etc/iked.conf (server)
>
> ========================
>
> ikev2 "server" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> local 4.3.2.1 peer any \
> srcid srv.vpn \
> ikelifetime 140m lifetime 200m bytes 110m \
> tag "IKED" \
> tap "enc0"


Reply | Threaded
Open this post in threaded view
|

Re: No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

Martin Got
In reply to this post by Martin Got
I can even ping any Internet host from the road warrior's LAN interface when iked is connected:

$ ping -I 192.168.0.1 remote_host.com -> works as it should

But there is no traffic at all from the 192.168.0.10 host, except successful DNS queries/responses to/from the road warrior's local DNS resolver.

$ telnet remote_host.com 80 -> from the 192.168.0.10 LAN host always fails. I can see ACKs from remote_host.com port 80, from the IPsec virtual address 10.0.1.2 to 192.168.0.10:80, but no connection.

All traffic goes through the road warrior's global VPN NAT rule when the VPN is connected:

match out log on enc0 inet all nat-to 10.0.1.2

or through egress when the VPN is disconnected:

match out log on egress from {lo0, 192.168.0.0/24} to any nat-to (egress:0)

# Outgoing www, https traffic
pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
port {www, https} modulate state
pass out on enc0 inet proto tcp from 10.0.1.2 to any \
port {www, https} flags S/SA modulate state
pass out on (egress) inet proto tcp from (egress) to any \
port {www, https} flags S/SA modulate state

When the road warrior's VPN is disconnected, any LAN client can connect to any Internet host as usual.

Please advise.

Martin

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 3, 2020 9:03 PM, Martin Got <[hidden email]> wrote:

> OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 based road warrior -
> client with dynamic IP. VPN works stable even using a link behind ISP NAT with ping latency from
> ~750ms to ~1100ms. Hope latency about 1000ms can't be related to the issue because all the tests
> with disconnected/connected VPN have been made on the same ISP channel.
>
> Any of the hosts from LAN (192.168.0.0/24) connected to the road warrior can reach external Internet
> hosts with disconnected VPN only.
>
> If VPN is connected, no one host from road warrior's LAN can reach any internet host.
> But any of LAN host can connect to road warrior's local services listening on lo0 even with VPN is
> connected or not.
>
> So I can't ping any Internet host from road warrior's LAN host if VPN is connected, but I can ping
> outside Internet hosts from road warriors' localhost itself. In PF ICMP set from any to any and ping
> works to any Internet host if VPN is disabled. I think it can't be bound to firewall rules, maybe
> timeouts of PF connection states. I'm completely not sure about it.
>
> When VPN is connected, all roadwarrior's LAN traffic is disabled for some reason, tcpdump shows
> requests and replies to LAN's host on enc0 but initiator (192.168.0.5) don't receive any replies. I
> don't know why?
>
> $ tcpdump -en -i pflog0
> 10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10:12.43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
> 10.12.44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
> 10.12.47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
>
> LAN clients' can reach road warrior's localhost bound services like DNS, proxy and it doesn't matter
> if VPN enabled or not, but no any outbound traffic with enabled VPN.
>
> Road warrior client has one NAT in PF to transmit packets from it's local IP address when VPN is
> disabled, and second NAT rule to transmit packets when IKEv2 VPN is connected like:
>
> $ pf.conf (client)
>
> ---NAT
>
> =======
>
> match out log on enc0 inet all nat-to 10.0.1.2
> match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)
>
> ---ICMP
>
> ========
>
> pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
> echoreq, timex, paramprob, unreach code needfrag keep state
> pass out log inet proto icmp all
>
> ---Web
>
> =======
>
> pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
> port {www, https} modulate state
> pass out on enc0 inet proto tcp from 10.0.1.2 to any \
> port {www, https} flags S/SA modulate state
> pass out on (egress) inet proto tcp from (egress) to any \
> port {www, https} flags S/SA modulate state
>
> ---IPsec
>
> =========
>
> pass in log on (egress) inet proto esp from any to (egress) port {isakmp, ipsec-nat-t}
> pass out log on (egress) inet proto udp from (egress) to any port {isakmp, ipsec-nat-t} keep state
>
> pass in log on enc0 inet proto ipencap from any to (egress) keep state (if-bound)
> pass out log on enc0 inet proto ipencap from (egress) to any keep state (if-bound)
>
> pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
> pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
>
> ---
>
> ====
>
> /etc/sysctl.conf has
>
> =====================
>
> net.inet.ip.forwarding=1
>
> I bypass all the possible SA flows from/to road warrior's LAN in /etc/ipsec.conf, and all traffic
> from/to road warrior's localhost services so DNS works as expected (DNS listens on road warrior's
> localhost and all queries were redirected by rdr-to rule in PF).
>
> $ /etc/ipsec.conf (client)
> flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
>
> flow from 127.0.0.1/32 to 192.168.0.0/24 type bypass
> flow from 192.168.0.0/24 to 127.0.0.1/32 type bypass
> flow from 192.168.0.0/24 to 192.168.0.0/24 type bypass
>
> $ /etc/iked.conf (client)
> ikev2 "road-warrior" active esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local 1.2.3.4 peer 4.3.2.1 \
> srcid roadw.vpn dstid srv.vpn \
> ikelifetime 80m lifetime 100m bytes 256m \
> tag "IKED" \
> tap "enc0"
>
> rcctl -f start iked (client)
>
> =============================
>
> iked(OK)
>
> ipsecctl -f /etc/ipsec.conf (client)
>
> =====================================
>
> ipsecctl -sa (client)
>
> ======================
>
> FLOWS:
> flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type
>
> use
> flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp in from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp in from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp in from 127.0.0.1 to 127.0.0.1 type bypass
>
> flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 4.3.2.1 srcid FQDN/roadw.vpn dstid FQDN/srv.vpn type
>
> require
> flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
> flow esp out from 192.168.0.0/24 to 127.0.0.1 type bypass
> flow esp out from 127.0.0.1 to 192.168.0.0/24 type bypass
> flow esp out from 127.0.0.1 to 127.0.0.1 type bypass
>
> SAD:
> esp tunnel from 4.3.2.1 to 1.2.3.4 spi 0xe34780e9 auth hmac-sha2-512 enc aes-256
> esp tunnel from 1.2.3.4 to 4.3.2.1 spi 0xe75f7182 auth hmac-sha2-512 enc aes-256
>
> /etc/iked.conf (server)
>
> ========================
>
> ikev2 "server" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> local 4.3.2.1 peer any \
> srcid srv.vpn \
> ikelifetime 140m lifetime 200m bytes 110m \
> tag "IKED" \
> tap "enc0"
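
The pflog lines in the first post (echo replies for 192.168.0.5 logged going *out on enc0* with source 10.0.1.2) and the ACKs "from 10.0.1.2 to 192.168.0.10" in the last post describe the same symptom: a packet that PF has already un-NATed for a LAN host is handed to IPsec output, hits iked's catch-all 0.0.0.0/0 -> 0.0.0.0/0 flow, is encapsulated again and NATed by `match out on enc0 ... nat-to 10.0.1.2`, so it never leaves the LAN interface. The posted bypass flows only cover LAN -> LAN and LAN <-> 127.0.0.1, not Internet -> LAN. The script below is an added example, not code from the thread: `lan_leak_check` finds that symptom in tcpdump output from pflog0, and `spd_lookup` is a model of the flow (SPD) lookup that shows which flow a src/dst pair hits before and after adding one `any -> LAN` bypass flow. The model assumes the most specific flow (largest combined src+dst prefix length) wins, which is what already lets the poster's /24 bypasses beat iked's 0/0 flow; the real SPD is a radix tree, so this is an approximation. The sample log lines are the poster's (timestamps normalised); the extra bypass flow is my suggestion and is not in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses, prefixes and the interface
# name are those from the posts; the extra bypass flow is an assumption.

# ip4_to_int 192.168.0.5 -> 3232235525 (dotted quad to unsigned integer)
ip4_to_int() {
    oIFS=$IFS; IFS=.; set -- $1; IFS=$oIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/LEN: succeeds when ADDR lies inside NET/LEN
in_prefix() {
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# lan_leak_check LAN/LEN IFACE  < tcpdump -en -i pflog0 output
# Flags packets leaving on IFACE whose destination is inside the LAN prefix.
# Offending lines go to stderr, the number of them to stdout.
lan_leak_check() {
    hits=0
    while read -r line; do
        case $line in *" out on $2: "*) ;; *) continue ;; esac
        dst=${line#*> }; dst=${dst%%:*}                  # "192.168.0.5" or "1.2.3.4.80"
        case $dst in *.*.*.*.*) dst=${dst%.*} ;; esac    # drop a trailing ".port"
        if in_prefix "$dst" "$1"; then
            hits=$((hits + 1))
            printf 'LAN-bound packet leaving on %s: %s\n' "$2" "$line" >&2
        fi
    done
    echo "$hits"
}

# The poster's four pflog lines (constructed sample, timestamps normalised).
SAMPLE_PFLOG='10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: echo request
10:12:44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply
10:12:47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: icmp: echo reply'

# spd_lookup SRC DST  < "src/len dst/len type" lines
# Prints the type of the most specific flow matching SRC -> DST (model, see lead-in).
spd_lookup() {
    best=-1; win=none
    while read -r fsrc fdst ftype; do
        [ -n "$ftype" ] || continue
        in_prefix "$1" "$fsrc" && in_prefix "$2" "$fdst" || continue
        score=$(( ${fsrc#*/} + ${fdst#*/} ))
        [ "$score" -gt "$best" ] && { best=$score; win=$ftype; }
    done
    echo "$win"
}

# Outbound flows as installed by iked plus the poster's /etc/ipsec.conf bypasses.
FLOWS_CURRENT='0.0.0.0/0 0.0.0.0/0 require
127.0.0.1/32 127.0.0.1/32 bypass
127.0.0.1/32 192.168.0.0/24 bypass
192.168.0.0/24 127.0.0.1/32 bypass
192.168.0.0/24 192.168.0.0/24 bypass'

# Suggested addition (assumption, not from the thread):
#   flow from 0.0.0.0/0 to 192.168.0.0/24 type bypass
# so forwarded traffic returning to the LAN is not re-encapsulated.
FLOWS_FIXED="$FLOWS_CURRENT
0.0.0.0/0 192.168.0.0/24 bypass"

# Usage: symptom in the poster's log, then the lookup before and after the fix.
printf '%s\n' "$SAMPLE_PFLOG" | lan_leak_check 192.168.0.0/24 enc0
printf '%s\n' "$FLOWS_CURRENT" | spd_lookup 8.8.8.8 192.168.0.5      # require: reply re-enters the tunnel
printf '%s\n' "$FLOWS_FIXED"   | spd_lookup 8.8.8.8 192.168.0.5      # bypass: reply goes out on the LAN
printf '%s\n' "$FLOWS_FIXED"   | spd_lookup 192.168.0.5 8.8.8.8      # require: LAN -> Internet still tunnelled
```

With the extra flow loaded via `ipsecctl -f /etc/ipsec.conf`, LAN -> Internet packets still match only the 0/0 -> 0/0 require flow and are tunnelled and NATed to 10.0.1.2 as before, while their replies, once PF has reversed the NAT, match the more specific any -> 192.168.0.0/24 bypass and are routed to the LAN interface. Re-run `tcpdump -en -i pflog0` afterwards: no packet destined to 192.168.0.0/24 should be logged out on enc0 any more.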