OpenBSD (isakmpd) <-> pfSense connected but no ping etc [SOLVED]
-
Hi everyone
I have trawled through the forum history and seen lots of similar posts, but nothing that seems to match my setup and issue.
I am migrating my Soekris boxes from OpenBSD to pfSense, but to do this they need to interoperate over IPsec. I have a small test environment (on VMware) which is sort of working, but not entirely. My tunnel is connected, but I can't ping or do anything else across the tunnel.
I have opened the firewall on pfSense to allow ALL traffic on the IPsec interface. I have also done the same on my OpenBSD box.
Here is my setup:
pfS (int subnet)     pfS (int IP)     pfS (ext IP)        OBSD (ext IP)   OBSD (int IP)    OBSD (int subnet)
192.168.20.0/24 <--> 192.168.20.1 <--> x.x.x.x <=======> x.x.x.x <-----> 10.200.0.254 <-----> 10.200.0.0/24
                                            tunnel
Here is my OpenBSD ipsec.conf:
---snip---
# macros
local_network="10.200.0.0/24"
remote_network="192.168.20.0/24"
local_peer="x.x.x.x"
remote_peer="x.x.x.x"
key="test"

# one ESP tunnel; phase 1 (main) and phase 2 (quick) proposals must match pfSense
ike active esp from $local_network to $remote_network \
    local $local_peer peer $remote_peer \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk $key
---snip---
Here is my OpenBSD pf.conf:
---snip---
# Interfaces
ext_if="vic0"
int_if="vic1"

# Hosts
remote_gw="x.x.x.x/32"

# Options (pf.conf(5) requires options before translation and filter rules)
# skip rules on the tunnel endpoint
set skip on enc0

# Redirects and NAT
nat on $ext_if from $int_if:network -> $ext_if

# Rules

# Allow ESP encapsulated IPsec traffic on the external interface
pass in on $ext_if proto esp from $remote_gw to $ext_if
pass out on $ext_if proto esp from $ext_if to $remote_gw

# Allow isakmpd(8) traffic on the external interface
pass in on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
pass out on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}

# allow all inbound traffic (opened up for testing)
pass in quick on $ext_if
pass out quick on $ext_if
---snip---
Any ideas where I might be going wrong?
thanks
-
Make sure that you have matching rules on both sides in pfSense and OpenBSD. It sounds like you have rules on one side but not on the other for IPsec.
RC -
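The "matching rules on both sides" check RC describes, and the flow-selection pitfall behind the original poster's symptom (tunnel up, nothing passes), as an added worked example. This is not code from the thread, from pfSense or from OpenBSD. It assumes TEST-NET documentation addresses in place of the post's x.x.x.x peers, represents the pfSense phase 1/phase 2 settings as a hand-written dict (hypothetical; pfSense has no such export), and parses only the subset of ipsec.conf(5) syntax the post uses.

```python
import ipaddress
import re

# Constructed sample: the OpenBSD side, in ipsec.conf(5) syntax, with the post's
# placeholder x.x.x.x peers replaced by TEST-NET addresses (an assumption).
OPENBSD_IPSEC_CONF = """
local_network="10.200.0.0/24"
remote_network="192.168.20.0/24"
local_peer="203.0.113.1"
remote_peer="198.51.100.1"
key="test"

ike active esp from $local_network to $remote_network \\
    local $local_peer peer $remote_peer \\
    main auth hmac-sha1 enc 3des group modp1024 \\
    quick auth hmac-sha1 enc 3des group modp1024 \\
    psk $key
"""

# Constructed sample: the pfSense phase 1 / phase 2 settings for the same tunnel,
# written down by hand as a plain dict (hypothetical shape, not a pfSense export).
PFSENSE_SIDE = {
    "local_net": ipaddress.ip_network("192.168.20.0/24"),
    "remote_net": ipaddress.ip_network("10.200.0.0/24"),
    "local_peer": ipaddress.ip_address("198.51.100.1"),
    "remote_peer": ipaddress.ip_address("203.0.113.1"),
    "main": {"auth": "hmac-sha1", "enc": "3des", "group": "modp1024"},
    "quick": {"auth": "hmac-sha1", "enc": "3des", "group": "modp1024"},
    "psk": "test",
}


def expand_ipsec_conf(text):
    """Join backslash-continued lines, drop comments, record name="value" macros and
    return the remaining statements with every $macro expanded (only the subset of
    ipsec.conf(5) syntax the post uses; not a full parser)."""
    text = re.sub(r"\\\n\s*", " ", text)
    macros, statements = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)="?([^"]*)"?', line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            statements.append(re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line))
    return statements


def parse_ike_rule(stmt):
    """Pull networks, peers, phase 1 ('main') and phase 2 ('quick') proposals and the
    PSK out of an 'ike ... esp from A to B local L peer P main ... quick ... psk K' rule."""
    tok = stmt.split()

    def after(word):
        return tok[tok.index(word) + 1]

    def proposal(phase):
        start = tok.index(phase)  # first auth/enc/group after the phase keyword
        return {k: tok[tok.index(k, start) + 1] for k in ("auth", "enc", "group")}

    return {
        "local_net": ipaddress.ip_network(after("from")),
        "remote_net": ipaddress.ip_network(after("to")),
        "local_peer": ipaddress.ip_address(after("local")),
        "remote_peer": ipaddress.ip_address(after("peer")),
        "main": proposal("main"),
        "quick": proposal("quick"),
        "psk": after("psk"),
    }


def mirror_mismatches(mine, theirs):
    """Return the reasons the two ends would fail to negotiate: each side's local
    network/peer must be the other's remote, and proposals and PSK must be identical."""
    problems = []
    for a, b in (("local_net", "remote_net"), ("remote_net", "local_net"),
                 ("local_peer", "remote_peer"), ("remote_peer", "local_peer")):
        if mine[a] != theirs[b]:
            problems.append(f"{a} {mine[a]} is not the peer's {b} {theirs[b]}")
    for phase in ("main", "quick"):
        for k in ("auth", "enc", "group"):
            if mine[phase][k] != theirs[phase][k]:
                problems.append(f"{phase} {k}: {mine[phase][k]} vs {theirs[phase][k]}")
    if mine["psk"] != theirs["psk"]:
        problems.append("pre-shared keys differ")
    return problems


def flow_selects(rule, src, dst):
    """True only when src is inside the local network AND dst inside the remote one.
    A ping sourced from the gateway's own external address does not match the flow,
    so it is routed in the clear (and normally dropped) instead of being encrypted."""
    return (ipaddress.ip_address(src) in rule["local_net"]
            and ipaddress.ip_address(dst) in rule["remote_net"])


if __name__ == "__main__":
    openbsd = parse_ike_rule(expand_ipsec_conf(OPENBSD_IPSEC_CONF)[0])
    print("mismatches:", mirror_mismatches(openbsd, PFSENSE_SIDE) or "none")
    for src in ("10.200.0.10", "203.0.113.1"):
        print(f"{src} -> 192.168.20.5 uses tunnel:", flow_selects(openbsd, src, "192.168.20.5"))
```

Two things this makes visible that the thread only hints at: a proposal that differs in any one of auth, enc or group on either phase is enough to keep the SA from coming up, and a tunnel that is up still carries nothing unless the packet's source and destination both fall inside the flow's networks (pinging from the firewall's external address, or from a host outside 10.200.0.0/24, never hits enc0). The 3des/hmac-sha1/modp1024 proposals are what both ends in this thread use; for a new deployment pick AES, SHA-2 and a larger DH group on both sides.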
OK, after much messing about I realised that it was actually my test environment's routing setup that was broken, and the pfSense and OpenBSD boxes were behaving as expected!!!
I now have my tunnel working with traffic happily passing up and down. For future reference, the OpenBSD ipsec.conf that I posted above is the one I am using successfully!
Thanks, and so far pfSense is looking pretty damn good. Ideally I will be rolling this out to all my routers/firewalls over the next few weeks :)