Discussion:
Iked trouble
Aaron
2018-03-12 12:40:43 UTC
Hi all,

I’m having an issue with iked. I’m assuming it’s something trivial, but I can’t seem to figure it out. I’ve set up an IPsec connection between my home edge gateway running 6.2 and an instance I set up in the cloud, also running 6.2.
So I’ve got the tunnel established, and my home gateway, which has multiple interfaces, is reachable. Between the two gateways (my home and the cloud instance) all the interfaces are reachable, but if I try to ping an IP in a subnet behind my home gateway from the cloud instance I get no response, and if I try to ping the cloud gateway from one of those subnets I also get no response.
I’ve run tcpdump on the enc0 interface on my home gateway while pinging the cloud instance from one of my internal subnets. I can see the echo requests AND the replies on the enc0 interface, but the replies seem to disappear at this point. I see no blocks in my firewall log.

Cloud gateway iked.conf:
# Responder side: waits for the home gateway to initiate.
# Flows are written as "from local to remote"; iked installs the mirrored
# in-flow for each of them itself, so the second "from ... to ..." line is
# redundant but harmless. cloudIP and MYCLOUDFQDN/MYPSK are placeholders.
ikev2 passive ipcomp esp \
	from 10.0.0.0/8 to cloudIP \
	from cloudIP to 10.0.0.0/8 \
	local cloudIP peer any \
	srcid MYCLOUDFQDN \
	psk "MYPSK" \
	tag IKED

home gateway iked.conf:
# Initiator side: brings the tunnel up towards cloudIP. Same flow pair as the
# cloud side, seen from the home network; "tag IKED" is what the pf rules
# below match with "tagged IKED".
ikev2 active ipcomp esp \
	from 10.0.0.0/8 to cloudIP \
	from cloudIP to 10.0.0.0/8 \
	peer cloudIP \
	srcid MYHOMEFQDN \
	psk "MYPSK" \
	tag IKED

I’ve tried “set skip on enc0”

snippet from my home gateway pf.conf:
# IKE (the UDP ports in $svc_ipsec_portgrp) and ESP from outside to the public address
pass in quick log on $if_extern inet proto udp from ! <internal> to $pub_ip0 port $svc_ipsec_portgrp
pass in quick log on $if_extern inet proto esp from ! <internal> to $pub_ip0

pass out log on $if_extern inet proto esp
# decrypted traffic arriving on enc0; packets from the IKED-tagged SA are re-tagged INTERNAL
pass in log on enc0 inet proto ipencap from $cloud_ip to $pub_ip0 keep state (if-bound)
pass in log on enc0 inet proto { tcp udp icmp } from any to any keep state (if-bound) tagged IKED tag INTERNAL
pass in log on enc0 inet proto { tcp udp icmp } from any to self
# traffic entering the tunnel
pass out log on enc0 inet from any to <internal> keep state (if-bound) tag INTERNAL
pass out quick log on enc0 inet from any to $cloud_ip
[…] further down […]
pass out tagged INTERNAL

Any idea what’s going on?
It doesn’t work with “set skip on enc0” either.
I’ve also tried NAT to the external interface.

Sent from my iPhone
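An added example, not part of the post above or of OpenBSD's own tooling: the first thing to check when traffic shows up on enc0 but never reaches the far subnet is whether the kernel flows installed by iked actually cover the exact source/destination pair in both directions. The script below parses `ipsecctl -sf` output (the line format is assumed from ipsecctl(8) as recalled here; check it against your own gateway) and reports, for a host behind the gateway and a remote host, whether an `out` and an `in` flow cover that pair. The sample output is constructed: 203.0.113.10 stands in for the post's cloudIP, 10.1.2.3 is an assumed host on one of the internal subnets, and 10.50.0.5 is an assumed private address of the cloud instance, a case the post's cloudIP-only selectors would not cover, which the example checks in addition to the post's own pair.

```python
import ipaddress
import re
import sys

# Constructed sample of `ipsecctl -sf` output as seen on the home gateway
# (format assumed from ipsecctl(8); not taken from the post). 203.0.113.10
# stands in for the post's cloudIP, 10.0.0.0/8 is the post's home selector.
SAMPLE_IPSECCTL_SF = """\
flow esp in from 203.0.113.10 to 10.0.0.0/8 peer 203.0.113.10 srcid FQDN/cloud.example dstid FQDN/home.example type use
flow esp out from 10.0.0.0/8 to 203.0.113.10 peer 203.0.113.10 srcid FQDN/home.example dstid FQDN/cloud.example type require
"""

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
)


def parse_flows(text):
    """Turn `ipsecctl -sf` output into a list of flow dicts; lines that do not
    look like flows (SAs, blank lines) are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue
        flows.append({
            "proto": m["proto"],
            "dir": m["dir"],
            # a bare address such as 203.0.113.10 becomes a /32 network
            "src": ipaddress.ip_network(m["src"], strict=False),
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "peer": m["peer"],
        })
    return flows


def covering_flow(flows, direction, src, dst):
    """Return the first flow of the given direction whose selectors contain
    src -> dst, or None if the pair is not covered in that direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


def check_pair(flows, local_host, remote_host):
    """(out_ok, in_ok) for a host behind this gateway talking to remote_host.
    A missing 'out' flow means local -> remote leaves via the plain routing
    table instead of the tunnel; a missing 'in' flow means the kernel policy
    is asymmetric, which usually means the two ends disagree on selectors."""
    out_ok = covering_flow(flows, "out", local_host, remote_host) is not None
    in_ok = covering_flow(flows, "in", remote_host, local_host) is not None
    return out_ok, in_ok


def report(text, pairs):
    """One human-readable line per (local_host, remote_host) pair."""
    flows = parse_flows(text)
    lines = []
    for local_host, remote_host in pairs:
        out_ok, in_ok = check_pair(flows, local_host, remote_host)
        lines.append(
            f"{local_host} <-> {remote_host}: "
            f"out={'ok' if out_ok else 'MISSING'} in={'ok' if in_ok else 'MISSING'}"
        )
    return lines


if __name__ == "__main__":
    # Feed real output with:  ipsecctl -sf | python3 flowcheck.py
    # Otherwise the constructed sample above is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPSECCTL_SF
    # 10.1.2.3: assumed internal host; 10.50.0.5: assumed private address of
    # the cloud instance, which cloudIP-only selectors do not cover.
    for line in report(text, [("10.1.2.3", "203.0.113.10"),
                              ("10.1.2.3", "10.50.0.5")]):
        print(line)
```

With the sample, the internal host to cloudIP pair is covered both ways while the pair to the cloud instance's private address is not, so a ping to that address would never enter the tunnel regardless of pf. If the flows do cover the failing pair, the next stop is pf itself: `pfctl -vsr` shows per-rule match counters and `pfctl -ss` the states, which tells you which of the enc0 rules above the echo reply actually hit before it vanished.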