Trouble getting ipsec.conf 'tag' working in 5.3


Trouble getting ipsec.conf 'tag' working in 5.3

Rogier Krieger
Dear list,

after re-installing a machine with 5.3 (i386), I wanted to tighten up the
filtering rules. To that end, I added a 'block log' rule near the top of my
rules. This appears to be unexpectedly effective.

I'm having trouble with my IPsec VPN to a VoIP PBX. Although my SAs come up
as expected, outbound traffic appears to be blocked on enc0. What bugs me
is that the 'tag' and 'tagged' keywords do not seem to work as I'd expect
from ipsec.conf(5).

I created the SAs with the 'PBX' tag and would like to be so lazy as to
just use:
    pass on enc keep state (if-bound) tagged PBX

Surprisingly, I can receive incoming pings from the PBX (172.24.8.0/24)
with this setup, but am unable to ping the address from my own net
(192.128.10.0/24). I get this with the fairly minimal ruleset added below.

Of course, I could add rules listing the address ranges in question, but I
had hoped to use the 'PBX' tag for that instead. Did I misread or
misunderstand ipsec.conf(5) or am I missing something else entirely?

Insight greatly appreciated,

Regards,

Rogier


# tcpdump -eee -ttt -ni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jun 10 22:42:39.513643 rule 0/(match) block out on enc0: 192.168.10.102 >
172.24.8.1: icmp: echo request


# cat /etc/pf.conf
if_int="vlan801"
pbx_net="172.24.8.0/24"
noc_net="172.24.10.0/24"
table <internal> persist { $if_int:network, $pbx_net, $noc_net }

set block-policy return
block log
set skip on { lo sk0 }


# Outbound traffic
match out on egress inet nat-to (egress:0) tagged OUT
pass out on egress from (egress)

# IPv6 tunnel
pass out on egress proto tcp from (egress) to any port 3874     # TIC
pass out on egress proto udp from (egress) to any port 3740     # heartbeat
pass     on egress proto ipv6
pass     on egress inet  proto icmp
pass     on egress inet6 proto icmp6

# IPsec tunnel
pass on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass on egress proto esp
pass on enc0 keep state (if-bound) tagged PBX

# SSH
pass in on $if_int proto tcp from ($if_int:network) to ($if_int) \
        port ssh

# Internal traffic
match in on $if_int from ($if_int:network) to !<internal> tag OUT
pass on $if_int


# cat /etc/ipsec.conf
id   = "b2"
gw   = "fxp0"
gw6  = "gif6"
net  = "192.168.10.0/24"

# PBX access
pbx_id  = "weber"
pbx_gw  = [removed]
pbx_net = "172.24.8.0/24"
ike esp from $net to $pbx_net peer $pbx_gw srcid $id dstid $pbx_id tag PBX


# cat /var/run/dmesg.boot
OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013
    [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,CNXT-ID,xTPR,PERF
real mem  = 1071374336 (1021MB)
avail mem = 1042882560 (994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/22/04, BIOS32 rev. 0 @ 0xf0010,
SMBIOS rev. 2.3 @ 0xfbe60 (76 entries)
bios0: vendor Intel Corp. version "BF86510A.86A.0053.P13.0401220953" date
01/22/2004
bios0: Intel Corporation D865GBF
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC ASF! TCPA WDDT
acpi0: wakeup devices TANA(S4) P0P3(S4) AC97(S4) USB0(S4) USB1(S4) USB2(S4)
USB3(S4) USB7(S4) UAR1(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus -1 (P0P2)
acpiprt3 at acpi0: bus 1 (P0P3)
acpicpu0 at acpi0
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: FDDP
acpipwrres2 at acpi0: LPTP
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc0000/0xa200! 0xca800/0x800 0xcb000/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf0000000, size 0x8000000
inteldrm0 at vga1: apic 1 int 16
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1
int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
skc0 at pci1 dev 0 function 0 "3Com 3c940" rev 0x10, Yukon (0x1): apic 1
int 21
sk0 at skc0 port A: address 00:0a:5e:54:48:99
eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 3
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VE" rev 0x01, i82562: apic 1
int 20, address 00:0c:f1:b9:54:00
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 18 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <SAMSUNG HD253GJ>
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1
int 17
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x65
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM non-parity PC3200CL3.0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1
int 17, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (a413237c58f6c650.a) swap on wd0b dump on wd0b


Re: Trouble getting ipsec.conf 'tag' working in 5.3

Rogier Krieger
A kind soul (thank you) suggested I add the following to my ruleset:
    pass quick on enc0 proto ipencap

Unfortunately, that does still not allow the inner outbound traffic to pass.


From what I can tell, the original ruleset already let ipencap traffic pass
on enc0. I verified with tcpdump and by separately logging the pass rules.
Had ipencap been the problem, tcpdump on pflog1 would show a match on rule
#11 (instead of the 'tagged PBX' rule #12).

Pinging or UDP traffic to the 172.24.8.0/24 subnet fails, whereas incoming
traffic from the other side is matched to the 'tagged PBX' rule (#12). I've
made sure the tagging in #14 does not occur for traffic to the PBX (I added
its net to the <internal> table).

I expected ipsec to automagically add the 'PBX' tag to traffic it gets
handed (in this case, from $if_int) when that traffic fits its SAs. I
further expected pf to need no more than a simple 'pass on enc0 tagged PBX'
after that. If I was too optimistic or misunderstood ipsec.conf(5), a
cluebat is more than welcome. If this is something that should work, I'll
try with -current as well.

Regards,

Rogier


# tcpdump -ni pflog0 -s1600 -eee -ttt -v
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id
40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl
127, id 23969, len 60, bad cksum 5dc2!)


# tcpdump -ni pflog1 -s1600 -eee -ttt
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request
Jun 11 13:39:29.149843 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:29.149865 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request
Jun 11 13:39:30.159693 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:30.159715 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request


# pfctl -sr -vv | grep -e '^@'
@0 block return log all
@1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
@2 pass out on egress from (egress:3) to any flags S/SA
@3 pass out on egress proto udp from (egress:3) to any port = 3740
@4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
@5 pass on egress proto udp from any to any port = 500
@6 pass on egress proto udp from any to any port = 4500
@7 pass on egress proto ipv6 all
@8 pass on egress inet proto icmp all
@9 pass on egress inet6 proto ipv6-icmp all
@10 pass on egress proto esp all
@11 pass log (all, to pflog1) on enc0 proto ipencap all
@12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound)
tagged PBX
@13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9)
port = 22 flags S/SA
@14 match in on vlan801 from (vlan801:network:5) to ! <internal:7> tag OUT
@15 pass on vlan801 all flags S/SA
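The two captures above are read by eye: rule 0 blocks outbound on enc0, rule 12 passes inbound on enc0. For a longer capture it helps to let a script do the counting. The following is an added example, not code from this thread or from OpenBSD: it re-joins records that the mail client hard-wrapped, parses the `tcpdump -eee -ttt -ni pflog0` line shape quoted above (IPv4 only, as in the thread), counts decisions per (action, direction, interface, rule), and flags the symptom reported here, traffic passing in but blocked out on the enc interface. The sample lines are constructed from the addresses and rule numbers in the posts.

```python
"""Summarise pflog(4) decisions from a pasted tcpdump capture.

Added example for this thread, not code from the list or from OpenBSD.
It assumes the line shape of `tcpdump -eee -ttt -ni pflog0` as quoted in
the posts, with IPv4 addresses, and re-joins records that a mail client
hard-wrapped at 72 columns before parsing them.
"""
import re
from collections import Counter

# Constructed sample: rule numbers, interfaces and addresses come from the
# captures quoted in the thread; the selection and the wrapping are ours.
SAMPLE = """\
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id
40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl
127, id 23969, len 60, bad cksum 5dc2!)
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 >
192.168.10.102: icmp: echo request
"""

# A real record starts with a "Mon DD HH:MM:SS.usec" stamp; wrapped
# continuation lines do not.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+ ")
HEADER = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?:\[[^\]]*\] )?"                      # optional "[uid 0, pid 17691]"
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
PROTO = re.compile(r"\b(tcp|udp|icmp6|icmp|esp|ah|ipencap)\b")


def unwrap(text):
    """Re-join records that were hard-wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("tcpdump:"):
            continue                          # blank or tcpdump banner line
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] = records[-1] + " " + line.strip()
        else:
            raise ValueError("continuation line before any record: %r" % line)
    return records


def parse_record(record):
    """Parse one unwrapped record into a dict, or None if it is not a pflog line."""
    m = HEADER.match(record)
    if m is None:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    proto = PROTO.search(fields["rest"])
    fields["proto"] = proto.group(1) if proto else "other"
    # The thread's capture shows each inbound ping twice, one copy marked
    # "(encap)"; keep that marker so the two can be told apart.
    fields["encap"] = "(encap)" in fields["rest"]
    return fields


def summarise(records):
    """Count decisions keyed by (action, direction, interface, rule number)."""
    counts = Counter()
    for rec in records:
        p = parse_record(rec)
        if p is not None:
            counts[(p["action"], p["dir"], p["iface"], p["rule"])] += 1
    return counts


def enc_asymmetry(counts, iface="enc0"):
    """Flag the symptom from the thread: passes in but blocks out on the enc interface."""
    pass_in = sum(n for (a, d, i, _), n in counts.items()
                  if i == iface and a == "pass" and d == "in")
    block_out = sum(n for (a, d, i, _), n in counts.items()
                    if i == iface and a == "block" and d == "out")
    return {"pass_in": pass_in, "block_out": block_out,
            "asymmetric": pass_in > 0 and block_out > 0}


def blocked_flows(records):
    """Return the distinct (src, dst, proto) tuples that hit a block rule."""
    flows = set()
    for rec in records:
        p = parse_record(rec)
        if p is not None and p["action"] == "block":
            flows.add((p["src"], p["dst"], p["proto"]))
    return sorted(flows)


if __name__ == "__main__":
    recs = unwrap(SAMPLE)
    counts = summarise(recs)
    for key, n in sorted(counts.items()):
        print("%-5s %-3s on %-5s rule %2d: %d" % (key + (n,)))
    print(enc_asymmetry(counts))
    for flow in blocked_flows(recs):
        print("blocked:", flow)
```

Feed it the raw output of both `tcpdump` sessions at once (for example via `SAMPLE = open("pflog.txt").read()`) and the per-rule counts show at a glance which rule is the catch-all that outbound enc0 traffic falls through to, which is the question the thread turns on.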


Re: Trouble getting ipsec.conf 'tag' working in 5.3

Maxim Bourmistrov-5
Tried to tag pkts on $int_if? E.g.

match in on $if_int from ($if_int:network) to $pbx_net tag PBX

//mxb

On 11 jun 2013, at 14:38, Rogier Krieger <[hidden email]> wrote:



Re: Trouble getting ipsec.conf 'tag' working in 5.3

Rogier Krieger
On Tue, Jun 11, 2013 at 3:26 PM, mxb <[hidden email]> wrote:

> Tried to tag pkts on $int_if ? Eg
>
> match in on $if_int from ($if_int:network) to $pbx_net tag PBX
>

Yes and that works. But shouldn't it already be covered by the 'PBX' tag in
ipsec.conf?
That's what I expected and what I'm trying to figure out.

Thanks for the suggestion, though.

Regards,

Rogier


Re: Trouble getting ipsec.conf 'tag' working in 5.3

Maxim Bourmistrov-5
From ipsec.conf(5):
"… Add a pf(4) tag to all packets of phase 2 SAs created for this connection. …"

As I understand it, in your case or any other, it is about tagging pkts from one peer to another,
e.g. from one vpn_gw to another.

But this is my understanding of this. I might be wrong here.

On 11 jun 2013, at 15:37, Rogier Krieger <[hidden email]> wrote:
