    Netgate Discussion Forum
    OpenBSD (isamkpd) <-> pfSense connected but no ping etc [SOLVED]

    venivicividic

      Hi everyone

      I have trawled through the forum history and seen lots of similar posts but nothing that seems to match my setup and issue.

      I am migrating my Soekris boxes from OpenBSD to pfSense but to do this they need to interoperate over IPSEC.  I have a small test environment (on VMWare) which is sort of working but not entirely.  My tunnel is connected but I can't ping or do anything else across the tunnel.

      I have opened the firewall on pfSense to allow ALL traffic on the IPSEC interface.  I have also done the same on my OpenBSD box.

      Here is my setup:-

      pfS (int subnet)       pfS (int IP)      pfS (ext IP)          OBSD (ext IP)     OBSD (int IP)          OBSD (int subnet)
      192.168.20.0/24 <-->192.168.20.1<-->x.x.x.x  <=======>x.x.x.x<----->10.200.0.254<----->10.200.0.0/24
                                                    tunnel

      Here is my OpenBSD ipsec.conf:-
      ---snip---
      # macros used by the ike rule below
      local_network="10.200.0.0/24"
      remote_network="192.168.20.0/24"
      local_peer="x.x.x.x"
      remote_peer="x.x.x.x"
      key="test"

      # main-mode Phase 1 and quick-mode Phase 2, both 3DES / HMAC-SHA1 / modp1024 (DH group 2), pre-shared key
      ike active esp from $local_network to $remote_network local $local_peer peer $remote_peer main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group modp1024 psk $key
      ---snip---

      Here is my OpenBSD pf.conf
      ---snip---

      # Interfaces

      ext_if="vic0"
      int_if="vic1"

      # Hosts

      remote_gw="x.x.x.x/32"

      # Redirects and NAT

      nat on $ext_if from $int_if:network -> $ext_if

      # Rules

      # skip rules on the tunnel endpoint

      set skip on enc0

      # Allow ESP encapsulated IPsec traffic on the external interface

      pass in  on $ext_if proto esp from $remote_gw to $ext_if
      pass out on $ext_if proto esp from $ext_if to $remote_gw

      # Allow isakmpd(8) traffic on the external interface

      pass in  on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
      pass out on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}

      # allow all inbound traffic

      pass in quick on $ext_if
      pass out quick on $ext_if
      ---snip---

      Any ideas where I might be going wrong?

      Thanks

      fastcon68

        Make sure that you have matching rules on both sides in PF-Sense and OpenBSD.  It sounds like you have rules on one side but not on the other for IPSEC.
        RC

          venivicividic

          OK, after much messing about I realised that it was actually my test environment routing setup that was broken and the pfSense and OpenBSD were behaving as expected!!!

          I now have my tunnel working with traffic happily passing up and down. For future reference, the OpenBSD ipsec.conf that I posted above is the one I am using successfully!

          Thanks, and so far pfSense is looking pretty damn good.  Ideally I will be rolling this out to all my routers/firewalls over the next few weeks :)
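fastcon68's advice above is to make sure the settings on both ends match, and the ipsec.conf posted in the first post is the one that ended up working. As an added example (not code from this thread, nor from pfSense or OpenBSD), here is a small Python check that expands the macros in that ipsec.conf, splits the `ike` line into its Phase 1 / Phase 2 proposals and compares it against a constructed dict of the corresponding pfSense settings; the peer addresses, the pfSense dict and the algorithm-name translation table are assumptions.

```python
import re

# OpenBSD side: the ipsec.conf posted in the thread, with the masked x.x.x.x
# peers replaced by documentation addresses (constructed values).
IPSEC_CONF = '''local_network="10.200.0.0/24"
remote_network="192.168.20.0/24"
local_peer="203.0.113.1"
remote_peer="198.51.100.1"
key="test"
ike active esp from $local_network to $remote_network local $local_peer peer $remote_peer main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group modp1024 psk $key
'''

# pfSense side: a constructed dict of what its Phase 1 / Phase 2 pages hold. pfSense names
# algorithms differently from isakmpd (sha1 vs hmac-sha1, DH "2" vs modp1024), hence the map.
PFSENSE = {
    "remote_gateway": "203.0.113.1", "mode": "main", "psk": "test",
    "local_subnet": "192.168.20.0/24", "remote_subnet": "10.200.0.0/24",
    "phase1": {"hash": "sha1", "enc": "3des", "group": "2"},
    "phase2": {"hash": "sha1", "enc": "3des", "group": "2"},
}
PF_TO_ISAKMPD = {"sha1": "hmac-sha1", "sha256": "hmac-sha2-256", "3des": "3des",
                 "aes128": "aes-128", "2": "modp1024", "14": "modp2048"}  # assumed mapping

def parse_ike(conf):
    """Expand the $macros and split the 'ike' line into peers, networks and P1/P2 proposals."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', conf, re.M))
    line = next(l for l in conf.splitlines() if l.startswith("ike "))
    toks = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line).split()
    mode = "aggressive" if "aggressive" in toks else "main"      # isakmpd defaults to main
    q = toks.index("quick")
    p1 = toks.index(mode) + 1 if mode in toks else q              # no keyword: no explicit P1 options
    k = toks.index("psk") if "psk" in toks else len(toks)
    pairs = lambda seg: dict(zip(seg[::2], seg[1::2]))            # "auth hmac-sha1 enc 3des" -> dict
    return {"local_net": toks[toks.index("from") + 1], "remote_net": toks[toks.index("to") + 1],
            "local_peer": toks[toks.index("local") + 1], "mode": mode,
            "phase1": pairs(toks[p1:q]), "phase2": pairs(toks[q + 1:k]),
            "psk": toks[k + 1] if k < len(toks) else None}

def mismatches(obsd, pf):
    """Return the settings on which the two ends disagree (empty list = consistent)."""
    want = {"local_net": pf["remote_subnet"], "remote_net": pf["local_subnet"],
            "local_peer": pf["remote_gateway"], "mode": pf["mode"], "psk": pf["psk"]}
    out = [f"{k}: openbsd={obsd[k]} pfsense={v}" for k, v in want.items() if obsd[k] != v]
    for phase in ("phase1", "phase2"):               # subnets are mirrored, proposals must be equal
        p = pf[phase]
        want = {"auth": PF_TO_ISAKMPD[p["hash"]], "enc": PF_TO_ISAKMPD[p["enc"]],
                "group": PF_TO_ISAKMPD[p["group"]]}
        out += [f"{phase} {k}: openbsd={obsd[phase].get(k)} pfsense={v}"
                for k, v in want.items() if obsd[phase].get(k) != v]
    return out
```

Running `mismatches(parse_ike(IPSEC_CONF), PFSENSE)` on the matching pair returns an empty list; changing the pfSense DH group or pre-shared key makes the differing setting show up by name.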

          © 2021 Rubicon Communications, LLC