Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenBSD (isamkpd) <-> pfSense connected but no ping etc [SOLVED]

    Scheduled Pinned Locked Moved
    IPsec
    2
    3
    3.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      venivicividic
      last edited by

      Hi everyone

      I have trawled through the forum history and seen lots of similar posts but nothing that seems to match my setup and issue.

      I am migrating my Soekris boxes from OpenBSD to pfSense but to do this they need to interoperate over IPSEC.  I have a small test environment (on VMWare) which is sort of working but not entirely.  My tunnel is connected but i can't ping or do anything else across the tunnel.

      I have opened the firewall on pfSense to allow ALL traffic on the IPSEC interface.  I have also done the same on my OpenBSD box.

      Here is my setup:-

      pfS (int subnet)       pfS (int IP)      pfS (ext IP)          OBSD (ext IP)     OBSD (int IP)          OBSD (int subnet)
      192.168.20.0/24 <–>192.168.20.1<-->x.x.x.x  <=======>x.x.x.x<----->10.200.0.254<----->10.200.0.0/24
                                                                         tunnel

      Here is my OpenBSD ipsec.conf:-
      ---snip---
      local_network="10.200.0.0/24"
      remote_network="192.168.20.0/24"
      local_peer="x.x.x.x"
      remote_peer="x.x.x.x"
      key="test"

      ike active esp from $local_network to $remote_network local $local_peer peer $remote_peer main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group modp1024 psk $key
      ---snip---

      Here is my OpenBSD pf.conf
      ---snip---

      Interfaces

      ext_if="vic0"
      int_if="vic1"

      Hosts

      remote_gw="x.x.x.x/32"

      Redirects and NAT

      nat on $ext_if from $int_if:network -> $ext_if

      Rules

      skip rules on the tunnel endpoint

      set skip on enc0

      Allow ESP encapsulated IPsec traffic on the external interface

      pass in  on $ext_if proto esp from $remote_gw to $ext_if
      pass out on $ext_if proto esp from $ext_if to $remote_gw

      Allow isakmpd(8) traffic on the external interface

      pass in  on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
      pass out on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}

      allow all inbound traffic

      pass in quick on $ext_if
      pass out quick on $ext_if
      ---snip---

      Any ideas where i might be going wrong?

      thanks

      1 Reply Last reply Reply Quote 0
      • F
        fastcon68
        last edited by

        Make sure that you have matching rules on both sides in PF-Sense and OpenBSD.  It sounds like you have rules on one side but not on the other for IPSEC.
        RC

        1 Reply Last reply Reply Quote 0
        • V
          venivicividic
          last edited by

          OK after much messing about i realised that it was actual my test environment routing setup that was broken and the pfSense and OpenBSD were behaving as expected!!!

          I now have my tunnel working with traffic happily passing up and down, for future reference the OpenBSD ipsec.conf that i posted above is the one i am using successfully!

          Thanks and so far pfSense is looking pretty damn good.  Ideally i will be rolling this out to all my routers/firewalls over the next few weeks :)

          1 Reply Last reply Reply Quote 1
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.