iked : pf.conf rule for outgoing traffic


Thuban
Hi,
I need help writing a correct rule in pf.conf.

I want:

A ----->  B ------> web

The IP of A that appears on the web should be B's.

I managed to configure iked on A and B using the default pubkeys, following
Stuart Henderson's advice.

iked.conf on A:

        ikev2 active ipcomp esp \
        from 192.168.100.0/16 to 0.0.0.0/0 \
        peer "xx.xx.xx.xx" \
        srcid "[hidden email]" \
        dstid "B-hostname.tld" \
        tag IKED

iked.conf on B:

        ikev2 "warrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local xx.xx.xx.xx peer any \
        srcid "B-hostname.tld" \
        tag IKED

Auth works as expected:

# iked -vvd
...
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
...


But I can't reach the internet from A through B.

Here is the pf.conf on B (at least a small part of it):

    pass out on egress \
        from any to any tagged IKED \
        nat-to (egress)


I guess the issue is in my pf.conf.
What do you think?
Any advice?

Regards.

--
    thuban


Re: iked : pf.conf rule for outgoing traffic

Thuban
* Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:

> Hi,
> I need help to write a correct rule in pf.conf.
>
> I want :
>
> A ----->  B ------> web
>
> The appearing IP of A is the B's one on the web.
>
> I managed to configure iked on A and B using the default pubkeys, following
> Stuart Henderson's advice.
>
> iked.conf on A :
>
> ikev2 active ipcomp esp \
> from 192.168.100.0/16 to 0.0.0.0/0 \
> peer "xx.xx.xx.xx" \
> srcid "[hidden email]" \
> dstid "B-hostname.tld" \
> tag IKED
>
> iked.conf on B :
>
> ikev2 "warrior" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> local xx.xx.xx.xx peer any \
> srcid "B-hostname.tld" \
> tag IKED
>
> Auth works as expected :
>
> # iked -vvd
> ..
> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
> ..
>
>
> But I can't reach internet from A through B.
>
> Here is the pf.conf on B (at least a small part of it)
>
>     pass out on egress \
>         from any to any tagged IKED \
>         nat-to (egress)
>
>

I'm still stuck at the same point.
Can someone give me an example of a working configuration natting to the
Internet?

Regards.


Re: iked : pf.conf rule for outgoing traffic

Stuart Henderson
On 2018-12-06, Thuban <[hidden email]> wrote:

> * Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:
>> Hi,
>> I need help to write a correct rule in pf.conf.
>>
>> I want :
>>
>> A ----->  B ------> web
>>
>> The appearing IP of A is the B's one on the web.
>>
>> I managed to configure iked on A and B using the default pubkeys, following
>> Stuart Henderson's advice.
>>
>> iked.conf on A :
>>
>> ikev2 active ipcomp esp \
>> from 192.168.100.0/16 to 0.0.0.0/0 \
>> peer "xx.xx.xx.xx" \
>> srcid "[hidden email]" \
>> dstid "B-hostname.tld" \
>> tag IKED
>>
>> iked.conf on B :
>>
>> ikev2 "warrior" passive esp \
>> from 0.0.0.0/0 to 0.0.0.0/0 \
>> local xx.xx.xx.xx peer any \
>> srcid "B-hostname.tld" \
>> tag IKED
>>
>> Auth works as expected :
>>
>> # iked -vvd
>> ..
>> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
>> ..
>>
>>
>> But I can't reach internet from A through B.
>>
>> Here is the pf.conf on B (at least a small part of it)
>>
>>     pass out on egress \
>>         from any to any tagged IKED \
>>         nat-to (egress)
>>
>>
>
> I'm still stuck at the same point.
> Can someone give me an example of a working configuration natting to the
> Internet?

I used this:

pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address

Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.



Re: iked : pf.conf rule for outgoing traffic

Thuban
* Stuart Henderson <[hidden email]> le [06-12-2018 13:44:50 +0000]:

> On 2018-12-06, Thuban <[hidden email]> wrote:
> > * Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:
> >> Hi,
> >> I need help to write a correct rule in pf.conf.
> >>
> >> I want :
> >>
> >> A ----->  B ------> web
> >>
> >> The appearing IP of A is the B's one on the web.
> >>
> >> I managed to configure iked on A and B using the default pubkeys, following
> >> Stuart Henderson's advice.
> >>
> >> iked.conf on A :
> >>
> >> ikev2 active ipcomp esp \
> >> from 192.168.100.0/16 to 0.0.0.0/0 \
> >> peer "xx.xx.xx.xx" \
> >> srcid "[hidden email]" \
> >> dstid "B-hostname.tld" \
> >> tag IKED
> >>
> >> iked.conf on B :
> >>
> >> ikev2 "warrior" passive esp \
> >> from 0.0.0.0/0 to 0.0.0.0/0 \
> >> local xx.xx.xx.xx peer any \
> >> srcid "B-hostname.tld" \
> >> tag IKED
> >>
> >> Auth works as expected :
> >>
> >> # iked -vvd
> >> ..
> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
> >> ..
> >>
> >>
> >> But I can't reach internet from A through B.
> >>
> >> Here is the pf.conf on B (at least a small part of it)
> >>
> >>     pass out on egress \
> >>         from any to any tagged IKED \
> >>         nat-to (egress)
> >>
> >>
> >
> > I'm still stuck at the same point.
> > Can someone give me an example of a working configuration natting to the
> > Internet?
>
> I used this,
>
> pass in on enc0 inet from $some_net
> pass out quick on egress inet received-on enc0 nat-to $some_address
>
> Also I don't remember what you've already said you checked, but
> make sure you have sysctl net.inet.ip.forwarding=1.
>

Thank you.
Yes, I do have ip.forwarding=1.

I'm confused about how to replace "$some_address". Isn't it "(egress)"?

Regards.


Re: iked : pf.conf rule for outgoing traffic

Radek
> I'm confused about how to replace "$some_address". Isn't it "(egress)"?
"(egress)" or your_WAN_IP

On Fri, 7 Dec 2018 10:00:07 +0100
Thuban <[hidden email]> wrote:

> * Stuart Henderson <[hidden email]> le [06-12-2018 13:44:50 +0000]:
> > On 2018-12-06, Thuban <[hidden email]> wrote:
> > > * Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:
> > >> Hi,
> > >> I need help to write a correct rule in pf.conf.
> > >>
> > >> I want :
> > >>
> > >> A ----->  B ------> web
> > >>
> > >> The appearing IP of A is the B's one on the web.
> > >>
> > >> I managed to configure iked on A and B using the default pubkeys, following
> > >> Stuart Henderson's advice.
> > >>
> > >> iked.conf on A :
> > >>
> > >> ikev2 active ipcomp esp \
> > >> from 192.168.100.0/16 to 0.0.0.0/0 \
> > >> peer "xx.xx.xx.xx" \
> > >> srcid "[hidden email]" \
> > >> dstid "B-hostname.tld" \
> > >> tag IKED
> > >>
> > >> iked.conf on B :
> > >>
> > >> ikev2 "warrior" passive esp \
> > >> from 0.0.0.0/0 to 0.0.0.0/0 \
> > >> local xx.xx.xx.xx peer any \
> > >> srcid "B-hostname.tld" \
> > >> tag IKED
> > >>
> > >> Auth works as expected :
> > >>
> > >> # iked -vvd
> > >> ..
> > >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
> > >> ..
> > >>
> > >>
> > >> But I can't reach internet from A through B.
> > >>
> > >> Here is the pf.conf on B (at least a small part of it)
> > >>
> > >>     pass out on egress \
> > >>         from any to any tagged IKED \
> > >>         nat-to (egress)
> > >>
> > >>
> > >
> > > I'm still stuck at the same point.
> > > Can someone give me an example of a working configuration natting to the
> > > Internet?
> >
> > I used this,
> >
> > pass in on enc0 inet from $some_net
> > pass out quick on egress inet received-on enc0 nat-to $some_address
> >
> > Also I don't remember what you've already said you checked, but
> > make sure you have sysctl net.inet.ip.forwarding=1.
> >
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused about how to replace "$some_address". Isn't it "(egress)"?
>
> Regards.
>


--
radek


Re: iked : pf.conf rule for outgoing traffic

Stuart Henderson
On 2018-12-07, Thuban <[hidden email]> wrote:

> * Stuart Henderson <[hidden email]> le [06-12-2018 13:44:50 +0000]:
>> On 2018-12-06, Thuban <[hidden email]> wrote:
>> > * Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:
>> >> Hi,
>> >> I need help to write a correct rule in pf.conf.
>> >>
>> >> I want :
>> >>
>> >> A ----->  B ------> web
>> >>
>> >> The appearing IP of A is the B's one on the web.
>> >>
>> >> I managed to configure iked on A and B using the default pubkeys, following
>> >> Stuart Henderson's advice.
>> >>
>> >> iked.conf on A :
>> >>
>> >> ikev2 active ipcomp esp \
>> >> from 192.168.100.0/16 to 0.0.0.0/0 \
>> >> peer "xx.xx.xx.xx" \
>> >> srcid "[hidden email]" \
>> >> dstid "B-hostname.tld" \
>> >> tag IKED
>> >>
>> >> iked.conf on B :
>> >>
>> >> ikev2 "warrior" passive esp \
>> >> from 0.0.0.0/0 to 0.0.0.0/0 \
>> >> local xx.xx.xx.xx peer any \
>> >> srcid "B-hostname.tld" \
>> >> tag IKED
>> >>
>> >> Auth works as expected :
>> >>
>> >> # iked -vvd
>> >> ..
>> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
>> >> ..
>> >>
>> >>
>> >> But I can't reach internet from A through B.
>> >>
>> >> Here is the pf.conf on B (at least a small part of it)
>> >>
>> >>     pass out on egress \
>> >>         from any to any tagged IKED \
>> >>         nat-to (egress)
>> >>
>> >>
>> >
>> > I'm still stuck at the same point.
>> > Can someone give me an example of a working configuration natting to the
>> > Internet?
>>
>> I used this,
>>
>> pass in on enc0 inet from $some_net
>> pass out quick on egress inet received-on enc0 nat-to $some_address
>>
>> Also I don't remember what you've already said you checked, but
>> make sure you have sysctl net.inet.ip.forwarding=1.
>>
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused about how to replace "$some_address". Isn't it "(egress)"?
>
> Regards.
>
>

It depends on what you want - I was just giving you the working example
you asked for :-)

In my case I want to nat to a specific address, and not track the
address/es on any egress interfaces.
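The two rules Stuart posted, and the choice between a fixed NAT address and "(egress)" discussed just above, placed in a fuller pf.conf fragment for gateway B. This is an added example, not configuration from the thread: the macro names, the placeholder address 203.0.113.10 and the pass rules that let IKE and ESP reach iked on B are assumptions; the enc0 and received-on/nat-to rules are the ones quoted above.

```pf
# Added example for gateway B, not from the thread. Assumed macros:
# $ext_if, $vpn_net (the tunnel network from the iked.conf on A) and $nat_addr.
# Forwarding must also be on: net.inet.ip.forwarding=1 in /etc/sysctl.conf.
ext_if  = "egress"
vpn_net = "192.168.100.0/16"

# Pick one form of $nat_addr.
# A fixed public address: does not follow address changes on the interface
# (Stuart's case). 203.0.113.10 is a placeholder from the documentation range.
nat_addr = "203.0.113.10"
# Or track whatever address egress has at the moment (Radek's "(egress)"):
# nat_addr = "(egress)"

# Let the IKEv2 negotiation and the encrypted payloads reach iked on B.
# UDP 500 is IKE, UDP 4500 is NAT-T (the port seen in the iked -vvd output),
# ESP is IP protocol 50. Assumed: the thread does not show these rules.
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Packets decrypted from the SA with A show up on enc0 and need their own
# inbound pass rule; a default-deny policy blocks them otherwise.
pass in on enc0 inet from $vpn_net

# Forward those packets out of egress with B's address as source.
# "received-on enc0" selects tunnel traffic only, so B's own traffic keeps its
# source; "quick" stops a later, more general pass out rule from matching
# first without the nat-to.
pass out quick on $ext_if inet received-on enc0 nat-to $nat_addr
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s state` while A browses: the states on egress should show the translated source address.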



Re: iked : pf.conf rule for outgoing traffic

Thuban
* Stuart Henderson <[hidden email]> le [10-12-2018 18:19:41 +0000]:

> On 2018-12-07, Thuban <[hidden email]> wrote:
> > * Stuart Henderson <[hidden email]> le [06-12-2018 13:44:50 +0000]:
> >> On 2018-12-06, Thuban <[hidden email]> wrote:
> >> > * Thuban <[hidden email]> le [02-12-2018 19:16:09 +0100]:
> >> >> Hi,
> >> >> I need help to write a correct rule in pf.conf.
> >> >>
> >> >> I want :
> >> >>
> >> >> A ----->  B ------> web
> >> >>
> >> >> The appearing IP of A is the B's one on the web.
> >> >>
> >> >> I managed to configure iked on A and B using the default pubkeys, following
> >> >> Stuart Henderson's advice.
> >> >>
> >> >> iked.conf on A :
> >> >>
> >> >> ikev2 active ipcomp esp \
> >> >> from 192.168.100.0/16 to 0.0.0.0/0 \
> >> >> peer "xx.xx.xx.xx" \
> >> >> srcid "[hidden email]" \
> >> >> dstid "B-hostname.tld" \
> >> >> tag IKED
> >> >>
> >> >> iked.conf on B :
> >> >>
> >> >> ikev2 "warrior" passive esp \
> >> >> from 0.0.0.0/0 to 0.0.0.0/0 \
> >> >> local xx.xx.xx.xx peer any \
> >> >> srcid "B-hostname.tld" \
> >> >> tag IKED
> >> >>
> >> >> Auth works as expected :
> >> >>
> >> >> # iked -vvd
> >> >> ..
> >> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
> >> >> ..
> >> >>
> >> >>
> >> >> But I can't reach internet from A through B.
> >> >>
> >> >> Here is the pf.conf on B (at least a small part of it)
> >> >>
> >> >>     pass out on egress \
> >> >>         from any to any tagged IKED \
> >> >>         nat-to (egress)
> >> >>
> >> >>
> >> >
> >> > I'm still stuck at the same point.
> >> > Can someone give me an example of a working configuration natting to the
> >> > Internet?
> >>
> >> I used this,
> >>
> >> pass in on enc0 inet from $some_net
> >> pass out quick on egress inet received-on enc0 nat-to $some_address
> >>
> >> Also I don't remember what you've already said you checked, but
> >> make sure you have sysctl net.inet.ip.forwarding=1.
> >>
> >
> > Thank you.
> > Yes, I do have ip.forwarding=1.
> >
> > I'm confused about how to replace "$some_address". Isn't it "(egress)"?
> >
> > Regards.
> >
> >
>
> It depends on what you want - I was just giving you the working example
> you asked for :-)
>
> In my case I want to nat to a specific address, and not track the
> address/es on any egress interfaces.
>
>

Okay, got it, it works as expected.
Thank you :)