Discussion:
iked : pf.conf rule for outgoing traffic
Thuban
2018-12-02 18:16:09 UTC
Permalink
Hi,
I need help to write a correct rule in pf.conf.

I want :

A -----> B ------> web

The appearing IP of A is the B's one on the web.

I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.

iked.conf on A :

ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
srcid "***@moria.lan" \
dstid "B-hostname.tld" \
tag IKED

iked.conf on B :

ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED

Auth works as expected :

# iked -vvd
...
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
...


But I can't reach internet from A through B.

Here is the pf.conf on B (at least a small part of it)

pass out on egress \
from any to any tagged IKED \
nat-to (egress)


I guess the issue is in my pf.conf.
What do you think ?
Any advice?

Regards.
--
thuban
Thuban
2018-12-06 10:53:14 UTC
Permalink
Post by Thuban
Hi,
I need help to write a correct rule in pf.conf.
A -----> B ------> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
dstid "B-hostname.tld" \
tag IKED
ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED
# iked -vvd
..
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
..
But I can't reach internet from A through B.
Here is the pf.conf on B (at least a small part of it)
pass out on egress \
from any to any tagged IKED \
nat-to (egress)
I'm still stuck at the same point.
Can someone give me an example of a working configuration natting ot
Internet?

Regards.
Stuart Henderson
2018-12-06 13:44:50 UTC
Permalink
Post by Thuban
Post by Thuban
Hi,
I need help to write a correct rule in pf.conf.
A -----> B ------> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
dstid "B-hostname.tld" \
tag IKED
ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED
# iked -vvd
..
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
..
But I can't reach internet from A through B.
Here is the pf.conf on B (at least a small part of it)
pass out on egress \
from any to any tagged IKED \
nat-to (egress)
I'm still stuck at the same point.
Can someone give me an example of a working configuration natting ot
Internet?
I used this,

pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address

Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.
Thuban
2018-12-07 09:00:07 UTC
Permalink
Post by Stuart Henderson
Post by Thuban
Post by Thuban
Hi,
I need help to write a correct rule in pf.conf.
A -----> B ------> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
dstid "B-hostname.tld" \
tag IKED
ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED
# iked -vvd
..
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
..
But I can't reach internet from A through B.
Here is the pf.conf on B (at least a small part of it)
pass out on egress \
from any to any tagged IKED \
nat-to (egress)
I'm still stuck at the same point.
Can someone give me an example of a working configuration natting ot
Internet?
I used this,
pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address
Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.
Thank you.
Yes, I do have ip.forwarding=1.

I'm confused how to replace "$some_address". Isn't it "(egress)" ?

Regards.
Radek
2018-12-07 16:48:22 UTC
Permalink
Post by Thuban
I'm confused how to replace "$some_address". Isn't it "(egress)" ?
"(egress)" or your_WAN_IP

On Fri, 7 Dec 2018 10:00:07 +0100
Post by Thuban
Post by Stuart Henderson
Post by Thuban
Post by Thuban
Hi,
I need help to write a correct rule in pf.conf.
A -----> B ------> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
dstid "B-hostname.tld" \
tag IKED
ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED
# iked -vvd
..
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
..
But I can't reach internet from A through B.
Here is the pf.conf on B (at least a small part of it)
pass out on egress \
from any to any tagged IKED \
nat-to (egress)
I'm still stuck at the same point.
Can someone give me an example of a working configuration natting ot
Internet?
I used this,
pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address
Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.
Thank you.
Yes, I do have ip.forwarding=1.
I'm confused how to replace "$some_address". Isn't it "(egress)" ?
Regards.
--
radek
Stuart Henderson
2018-12-10 18:19:41 UTC
Permalink
Post by Thuban
Post by Stuart Henderson
Post by Thuban
Post by Thuban
Hi,
I need help to write a correct rule in pf.conf.
A -----> B ------> web
The appearing IP of A is the B's one on the web.
I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.
ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
dstid "B-hostname.tld" \
tag IKED
ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED
# iked -vvd
..
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
..
But I can't reach internet from A through B.
Here is the pf.conf on B (at least a small part of it)
pass out on egress \
from any to any tagged IKED \
nat-to (egress)
I'm still stuck at the same point.
Can someone give me an example of a working configuration natting ot
Internet?
I used this,
pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address
Also I don't remember what you've already said you checked, but
make sure you have sysctl net.inet.ip.forwarding=1.
Thank you.
Yes, I do have ip.forwarding=1.
I'm confused how to replace "$some_address". Isn't it "(egress)" ?
Regards.
It depends on what you want - I was just giving you the working example
you asked for :-)

in my case I want to nat to a specific address, and not track the
address/es on any egress interfaces.

Loading...