Iked troubleshooting
Aaron
2018-03-12 12:02:21 UTC
Hi all,

I’m having an issue with iked. I’m assuming it’s something trivial but I can’t seem to figure it out. I’ve set up an IPsec connection between my home edge gateway running 6.2 and an instance I set up in the cloud, also running 6.2.
So I’ve got the tunnel established and my home gateway, which has multiple interfaces, is reachable. Between the two gateways (my home and the cloud instance) all the interfaces are reachable, but if from the cloud instance I try and ping an IP in a subnet behind my home gateway I get no response, and if I try and ping the cloud gateway from one of those subnets I also get no response.
I’ve run tcpdump on the enc0 interface on my home gateway while pinging the cloud instance from one of my internal subnets. I can see the echo requests AND the replies on the enc0 interface, but the replies seem to disappear at this point. I see no blocks in my firewall log.

Cloud gateway iked.conf:
ikev2 passive ipcomp esp \
from 10.0.0.0/8 to cloudIP \
from cloudIP to 10.0.0.0/8 \
local cloudIP peer any \
srcid MYCLOUDFQDN \
psk "MYPSK" \
tag IKED

home gateway iked.conf:
ikev2 active ipcomp esp \
from 10.0.0.0/8 to cloudIP \
from cloudIP to 10.0.0.0/8 \
peer cloudIP \
srcid MYHOMEFQDN \
psk MYPSK \
tag IKED

I’ve tried “set skip on enc0”

snippet from my home gateway pf.conf:
pass in quick log on $if_extern inet proto udp from ! <internal> to $pub_ip0 port $svc_ipsec_portgrp
pass in quick log on $if_extern inet proto esp from ! <internal> to $pub_ip0

pass out log on $if_extern inet proto esp
pass in log on enc0 inet proto ipencap from $cloud_ip to $pub_ip0 keep state (if-bound)
pass in log on enc0 inet proto {tcp udp icmp} from any to any keep state (if-bound) tagged IKED tag INTERNAL
pass in log on enc0 inet proto {tcp udp icmp } from any to self
pass out log on enc0 inet from any to <internal> keep state (if-bound) tag INTERNAL
pass out quick log on enc0 inet from any to $cloud_ip
[…] further down […]
pass out tagged INTERNAL

Any idea what’s going on?

Sent from my iPhone
Bobby Johnson
2018-03-13 15:13:56 UTC
Maybe try a more open subnet in the from and to, at least for testing.
Something like this - from 0.0.0.0/0 to 0.0.0.0/0
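As an added example (not code from either poster), a small Python parser for the `from ... to ...` selectors in the iked.conf blocks above, used to check whether a given source/destination pair is covered by the tunnel policy at all, and in which direction. The cloud address 203.0.113.10 and the LAN host 192.168.1.20 are made-up values standing in for "cloudIP" and a subnet behind the home gateway; Bobby's 0.0.0.0/0 selector is included to show why it matches everything.

```python
import ipaddress
import re

# Constructed sample: the home gateway policy from the thread with the
# placeholder "cloudIP" replaced by an assumed address (203.0.113.10).
HOME_IKED_CONF = """\
ikev2 active ipcomp esp \\
    from 10.0.0.0/8 to 203.0.113.10 \\
    from 203.0.113.10 to 10.0.0.0/8 \\
    peer 203.0.113.10 \\
    srcid MYHOMEFQDN \\
    psk MYPSK \\
    tag IKED
"""

# Bobby's suggestion for testing: a selector that covers any pair of hosts.
WIDE_IKED_CONF = "ikev2 active esp from 0.0.0.0/0 to 0.0.0.0/0 peer 203.0.113.10 psk MYPSK\n"


def parse_flows(conf):
    """Join backslash-continued lines, then collect every 'from A to B' selector."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    flows = []
    for m in re.finditer(r"\bfrom\s+(\S+)\s+to\s+(\S+)", joined):
        # A bare host such as 203.0.113.10 becomes a /32 network.
        src, dst = (ipaddress.ip_network(tok, strict=False) for tok in m.groups())
        flows.append((src, dst))
    return flows


def flow_for(flows, src_ip, dst_ip):
    """Return the (src, dst) selector, as strings, that covers the packet, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in flows:
        if s in src_net and d in dst_net:
            return (str(src_net), str(dst_net))
    return None


def round_trip_covered(flows, a, b):
    """True only if both the request (a -> b) and the reply (b -> a) have a selector."""
    return flow_for(flows, a, b) is not None and flow_for(flows, b, a) is not None


if __name__ == "__main__":
    home = parse_flows(HOME_IKED_CONF)
    # 192.168.1.20 is a constructed LAN host outside 10.0.0.0/8: no selector covers it.
    for host in ("10.1.2.3", "192.168.1.20"):
        print(host, "-> 203.0.113.10:", flow_for(home, host, "203.0.113.10"),
              "| round trip:", round_trip_covered(home, host, "203.0.113.10"))
```

A pair that returns None is not carried by the tunnel at all, so it will never show up as a pf block on enc0.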