# VPN Tunnel UP using strongswan 5, no traffic routed?



## megapearl (Dec 3, 2012)

Hello,

I have just set up a VPN tunnel using this http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD and this http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ site, compiled some options into the FreeBSD kernel, and used strongSwan 5, which I compiled and installed from source. The tunnel itself works, but no traffic is routed between them. I want to find out why, but don't know where to start...

Here is my configuration: A = FreeBSD 9, B = Ubuntu Server (kernel 3.2.0-34)

Server 'A'

```
[root@server /]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=38db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:f3:74
        inet 213.126.17.114 netmask 0xfffffff8 broadcast 213.126.17.119
        inet6 fe80::223:cdff:feb0:f374%re0 prefixlen 64 scopeid 0x2
        inet 213.126.17.115 netmask 0xffffffff broadcast 213.126.17.115
        inet 213.126.17.116 netmask 0xffffffff broadcast 213.126.17.116
        inet 213.126.17.117 netmask 0xffffffff broadcast 213.126.17.117
        inet 213.126.17.118 netmask 0xffffffff broadcast 213.126.17.118
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=38db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:ba:d8
        inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.31
        inet6 fe80::223:cdff:feb0:bad8%re1 prefixlen 64 scopeid 0x3
        inet6 2001:838:34c::1 prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 213.126.17.114 --> 213.197.27.252
        inet6 fe80::223:cdff:feb0:f374%gif0 prefixlen 64 scopeid 0x8
        inet6 2001:838:300:2fc::2 --> 2001:838:300:2fc::1 prefixlen 128
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        options=1<ACCEPT_REV_ETHIP_VER>
[root@server /]#
```


```
[root@server /usr/local/etc]# cat ipsec.conf
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=proxy.flissinger.com
        leftsubnet=192.168.0.0/27
        leftid=@server.flissinger.com
        right=backup.flissinger.com
        rightid=@backup.flissinger.com
        rightsubnet=10.0.0.0/27
        auto=start
[root@server /usr/local/etc]#
```


```
[root@server /usr/local/etc]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2dr3, FreeBSD 9.0-RELEASE-p4, amd64):
  uptime: 42 minutes, since Dec 03 16:04:31 2012
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  213.126.17.114
  213.126.17.115
  213.126.17.116
  213.126.17.117
  213.126.17.118
Connections:
     net-net:  proxy.flissinger.com...backup.flissinger.com  IKEv2
     net-net:   local:  [server.flissinger.com] uses pre-shared key authentication
     net-net:   remote: [backup.flissinger.com] uses pre-shared key authentication
     net-net:   child:  192.168.0.0/27 === 10.0.0.0/27 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 42 minutes ago, 213.126.17.118[server.flissinger.com]...94.211.240.88[backup.flissinger.com]
     net-net[1]: IKEv2 SPIs: 51662cb6e2d4aaf1_i* 76924e7538f4ead2_r, pre-shared key reauthentication in 10 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c7465dd5_i c05e7ee0_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 2368 bytes_o (165s ago), rekeying in 63 seconds
     net-net{1}:   192.168.0.0/27 === 10.0.0.0/27
[root@server /usr/local/etc]#
```


```
[root@server /usr/local/etc]# cat strongswan.conf
charon {
  interfaces_use = re0
  #load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke socket-default kernel-pfroute updown
  multiple_authentication = no
}
[root@server /usr/local/etc]#
```


```
[root@server /usr/local/etc]# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            router             UGS         0  5077159    re0
localhost          link#6             UH          0   325991    lo0
192.168.0.0/27     link#3             U           0 23826129    re1
mainserver         link#3             UHS         0     2815    lo0
213.126.17.112/29  link#2             U           0        0    re0
server             link#2             UHS         0      811    lo0
mail               link#2             UHS         0     3962    lo0 =>
213.126.17.115/32  link#2             U           0        0    re0
ftp                link#2             UHS         0        0    lo0 =>
213.126.17.116/32  link#2             U           0        0    re0
www                link#2             UHS         0     1952    lo0 =>
213.126.17.117/32  link#2             U           0        0    re0
proxy              link#2             UHS         0        3    lo0 =>
213.126.17.118/32  link#2             U           0        0    re0

Internet6:
Destination        Gateway            Flags      Netif Expire
::                 localhost.localdom UGRS        lo0 =>
default            gw-765.ams-01.nl.s UGS        gif0
localhost.localdom localhost.localdom UH          lo0
::ffff:0.0.0.0     localhost.localdom UGRS        lo0
gw-765.ams-01.nl.s cl-765.ams-01.nl.s UH         gif0
cl-765.ams-01.nl.s link#8             UHS         lo0
2001:838:34c::     link#3             U           re1
ipv6int.flissinger link#3             UHS         lo0
fe80::             localhost.localdom UGRS        lo0
fe80::%re0         link#2             U           re0
fe80::223:cdff:feb link#2             UHS         lo0
fe80::%re1         link#3             U           re1
fe80::223:cdff:feb link#3             UHS         lo0
fe80::%lo0         link#6             U           lo0
fe80::1%lo0        link#6             UHS         lo0
fe80::%gif0        link#8             U          gif0
fe80::223:cdff:feb link#8             UHS         lo0
ff01::%re0         fe80::223:cdff:feb U           re0
ff01::%re1         fe80::223:cdff:feb U           re1
ff01::%lo0         localhost.localdom U           lo0
ff01::%gif0        fe80::223:cdff:feb U          gif0
ff02::             localhost.localdom UGRS        lo0
ff02::%re0         fe80::223:cdff:feb U           re0
ff02::%re1         fe80::223:cdff:feb U           re1
ff02::%lo0         localhost.localdom U           lo0
ff02::%gif0        fe80::223:cdff:feb U          gif0
[root@server /usr/local/etc]#
```


```
[root@server /]# ping -c 3 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[root@server /]#
```


----------



## megapearl (Dec 3, 2012)

*Part 2*

Server B


```
root@backup:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1f:d0:a1:93:51
          inet addr:94.211.240.88  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
          RX packets:96333115 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59191100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99834216304 (99.8 GB)  TX bytes:11274912979 (11.2 GB)
          Interrupt:47 Base address:0xe000

eth1      Link encap:Ethernet  HWaddr 00:1f:d0:a1:93:53
          inet addr:10.0.0.1  Bcast:10.0.0.31  Mask:255.255.255.224
          inet6 addr: fe80::21f:d0ff:fea1:9353/64 Scope:Link
          inet6 addr: 2001:960:66d::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11683545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29594322 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4323469532 (4.3 GB)  TX bytes:40351594075 (40.3 GB)
          Interrupt:48

ipv6      Link encap:IPv6-in-IPv4
          inet6 addr: fe80::5ed3:f058/64 Scope:Link
          inet6 addr: fe80::a00:1/64 Scope:Link
          inet6 addr: 2001:960:2:129::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:80330231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45353301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:89460383814 (89.4 GB)  TX bytes:5365472289 (5.3 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:51179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53860508 (53.8 MB)  TX bytes:53860508 (53.8 MB)

root@backup:/#
```


```
root@backup:/etc# cat ipsec.conf
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=backup.flissinger.com
        leftid=@backup.flissinger.com
        leftsubnet=10.0.0.0/27
        leftfirewall=yes
        right=proxy.flissinger.com
        rightid=@server.flissinger.com
        rightsubnet=192.168.0.0/27
        auto=add
root@backup:/etc#
```


```
root@backup:/etc# cat strongswan.conf
charon {
  interfaces_use = eth0
#load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-raw updown
  multiple_authentication = no
}
root@backup:/etc#
```


```
root@backup:/etc# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         5ED3F001.cm-7-4 0.0.0.0         UG        0 0          0 eth0
10.0.0.0        *               255.255.255.224 U         0 0          0 eth1
94.211.240.0    *               255.255.254.0   U         0 0          0 eth0
192.168.100.1   *               255.255.255.255 UH        0 0          0 eth0
root@backup:/etc#
```


```
root@backup:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.1, Linux 3.2.0-34-generic, x86_64):
  uptime: 50 minutes, since Dec 03 16:04:03 2012
  malloc: sbrk 266240, mmap 0, used 150624, free 115616
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  94.211.240.88
Connections:
     net-net:  backup.flissinger.com...proxy.flissinger.com  IKEv2
     net-net:   local:  [backup.flissinger.com] uses pre-shared key authentication
     net-net:   remote: [server.flissinger.com] uses pre-shared key authentication
     net-net:   child:  10.0.0.0/27 === 192.168.0.0/27 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 50 minutes ago, 94.211.240.88[backup.flissinger.com]...213.126.17.118[server.flissinger.com]
     net-net[1]: IKEv2 SPIs: 51662cb6e2d4aaf1_i 76924e7538f4ead2_r*, pre-shared key reauthentication in 5 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: cd0a0090_i cc1143de_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 912 bytes_i, 0 bytes_o, rekeying in 8 minutes
     net-net{1}:   10.0.0.0/27 === 192.168.0.0/27
root@backup:/etc#
```


```
root@backup:/etc# ip route list table 220
192.168.0.0/27 via 94.211.240.1 dev eth0  proto static  src 10.0.0.1
root@backup:/etc#
```


```
root@backup:/etc# ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

root@backup:/etc#
```

Server A is running the PF firewall, which I cleared to see if that works, but it didn't.
Server B is running Shorewall; I also turned that one off...

I tried different versions of strongSwan.
In the howto I see they used `ip route list table 220`, but I don't know how to show that table on FreeBSD.

Can anyone see what the problem is here, and help me out with where to search?


----------



## SirDice (Dec 3, 2012)

On the FreeBSD side you seem to be missing a gif or tun interface. The gif0 you have is for IPv6-over-IPv4.


----------



## megapearl (Dec 4, 2012)

*No tun0*

I don't have a tun0 interface on either server; do I need them? In all of the howtos and setups for strongSwan, no one talks about creating a tun0 interface :-S


----------



## SirDice (Dec 4, 2012)

The Linux side seems to have an eth1 that's one end of the tunnel. The FreeBSD side however doesn't have any interface connected to the VPN.


----------



## megapearl (Dec 4, 2012)

Where can you see that?

The tunnel itself must be connected between re0 (external interface, FreeBSD) and eth0 (external interface, Linux). The internal subnets are on re1 (FreeBSD) and eth1 (Linux), which I want to connect together through the tunnel :-S so I can access the intranet between the two locations (Samba and other services).


----------



## SirDice (Dec 5, 2012)

VPN software usually creates a _virtual_ interface, like gif(4) or tun(4). Both re0 and re1 are _physical_ interfaces.


----------



## ecdsa (Dec 13, 2012)

> VPN software usually creates a virtual interface, like gif(4) or tun(4).



That's not required with IPsec in general as the encryption (and partly the routing) is handled transparently by the Linux or FreeBSD kernels using the installed IPsec policies, which define the traffic that is to be encrypted/tunneled.

In the case of Linux, strongSwan automatically installs a source route (policy-based routing) in table 220 that specifies a source address within the traffic selector (in your case 10.0.0.1) that is used when sending traffic into the remote subnet. On FreeBSD that's not the case (as there is no policy-based routing, to my knowledge). So here you'd have to manually define the proper source address when you communicate from the IPsec gateway directly (it's not a problem for hosts behind the gateway). That is, the command `ping -c 3 10.0.0.1` won't work, as the kernel uses the default route to reach 10.0.0.1 and the ICMP packet will thus have one of the addresses on re0 as source, therefore not matching the installed IPsec policy (which only matches 192.168.0.0/27 on the FreeBSD end).
By using `ping -S 192.168.0.1 -c 3 10.0.0.1` you can explicitly specify a source address and the policy should match. You could also add a second IPsec SA that covers re0 locally and 10.0.0.0/27 remotely.

It's strange, though, that `ping -c 3 192.168.0.1` from the Linux side does not work. It would be interesting to see the output of running `tcpdump` on the FreeBSD host. Perhaps the FreeBSD kernel does not use the original destination address (192.168.0.1) as source when responding to the ping.


----------



## megapearl (Dec 14, 2012)

Strange indeed.
The errors when strongSwan starts are normal when running on FreeBSD and should be ignored; this is a known bug.


```
[root@server /home/donald]# /usr/local/etc/rc.d/strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.0.2dr3 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
[root@server /home/donald]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2dr3, FreeBSD 9.0-RELEASE-p4, amd64):
  uptime: 3 seconds, since Dec 14 09:31:13 2012
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  213.126.17.114
  213.126.17.115
  213.126.17.116
  213.126.17.117
  213.126.17.118
Connections:
     net-net:  proxy.flissinger.com...backup.flissinger.com  IKEv2
     net-net:   local:  [server.flissinger.com] uses pre-shared key authentication
     net-net:   remote: [backup.flissinger.com] uses pre-shared key authentication
     net-net:   child:  192.168.0.0/27 === 10.0.0.0/27 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 1 second ago, 213.126.17.118[server.flissinger.com]...94.211.240.88[backup.flissinger.com]
     net-net[1]: IKEv2 SPIs: b5e8e819adc3a62d_i* ee321167a5e51b64_r, rekeying disabled
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c636bda4_i c2d90921_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
     net-net{1}:   192.168.0.0/27 === 10.0.0.0/27
[root@server /home/donald]# ping -S 192.168.0.1 -c 3 10.0.0.1
PING 10.0.0.1 (10.0.0.1) from 192.168.0.1: 56 data bytes
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[root@server /home/donald]# ping -S 192.168.0.1 -c 3 10.0.0.1
PING 10.0.0.1 (10.0.0.1) from 192.168.0.1: 56 data bytes

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[root@server /home/donald]#
```

When I clear the pf rules I can finally ping the remote end 10.0.0.1, using `-S 192.168.0.1` in ping.


```
[root@server /home/donald]# pfctl -f /etc/pf.conf.clear
[root@server /home/donald]# ping -S 192.168.0.1 -c 3 10.0.0.1
PING 10.0.0.1 (10.0.0.1) from 192.168.0.1: 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=24.193 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=18.022 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=16.022 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.022/19.412/24.193/3.478 ms
[root@server /home/donald]#
```
And the other end.

```
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Wed Dec 12 16:18:55 2012 from 10.0.0.2
donald@backup:~$ su
Password:
root@backup:/home/donald# ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms

root@backup:/home/donald#
```
It seems, as you say, that FreeBSD isn't using 192.168.0.1 as the source address.
How can I add rules to the routing table of FreeBSD?

My pf.conf.clear (just for testing)

```
[root@server /home/donald]# cat /etc/pf.conf.clear
ext_if="re0"
int_if="re1"

nat on $ext_if from !($ext_if) -> ($ext_if:0)
pass in
pass out
[root@server /home/donald]#
```
My normal pf.conf, which is blocking packets? But where?

```
[root@server /home/donald]# cat /etc/pf.conf
### Interfaces ###
 ExtIf = "re0"
 IntIf = "re1"
 TunIf = "gif0"

### Hosts ###
 server_ip ="213.126.17.114"
 mail_ip   ="213.126.17.115"
 ftp_ip    ="213.126.17.116"
 web_ip    ="213.126.17.117"
 proxy_ip  ="213.126.17.118"
 backup_ip ="94.211.240.88"

### States & Queues ###
 SynState="flags S/SAFR synproxy state"
 TcpState="flags S/SAFR modulate state"
 UdpState="keep state"

# Misc Options
 set debug urgent
 set require-order yes
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

################ Tables ####################################
 table <BLACKLIST> persist file "/etc/pf.block"
 table <SLOWQUEUE> persist file "/etc/pf.slow"
 table <OVERLOAD_SSH> persist

# Timeout Options
 set optimization normal
 set timeout { tcp.established 360, tcp.closing 60 }

################ Normalization #############################
 scrub log on $ExtIf all random-id min-ttl 64 max-mss 1420 set-tos reliability reassemble tcp fragment reassemble

 nat on $ExtIf from $IntIf:network to any -> ($ExtIf:0) port 1024:65535

#set skip on $TunIf
 set skip on enc0

# Squid ( transparant proxy server )
 rdr on $IntIf inet proto tcp from $IntIf:network to any port www tag HTTP -> lo0 port 65532

# DENY rouge redirections
 no rdr

#antispoof log quick for { lo0 $IntIf ($ExtIf) }
 antispoof log quick for { lo0 $IntIf $server_ip }

# Block to/from illegal sources/destinations
 block        in     quick on $ExtIf from urpf-failed to any
 block        in log quick on $ExtIf from <SLOWQUEUE> to any probability 97%
 block        in     quick on $ExtIf from <BLACKLIST> to any
 block        in     quick on $ExtIf inet proto tcp from <OVERLOAD_SSH> to any port 65534
 block        in     quick on $ExtIf from any to 255.255.255.255
 block        in log quick           from no-route to any
 block return in     quick on $IntIf from any to <BLACKLIST>
 block return in     quick on $IntIf from any to 224.0.0.1

# BLOCK all in on external interface
 block in log on $ExtIf

# Aiccu Rules
 block in  log   on $TunIf inet6
 block out log   on $TunIf inet6

# Allow heartbeat ping
 pass  in  quick on $TunIf inet6 proto ipv6-icmp from 2001:838:300:2fc::1 to 2001:838:300:2fc::2 keep state

 pass  in  quick on $ExtIf inet proto ipv6 from tunnelserver.concepts-ict.net to ($ExtIf:0)
 pass  out quick on $ExtIf inet proto ipv6 from ($ExtIf:0) to tunnelserver.concepts-ict.net

# Pass tcp, udp, and icmp6 out on the ipv6 tunnel interface.
 pass  out quick on $TunIf inet6 proto { tcp udp ipv6-icmp} keep state

 pass out quick on $ExtIf proto tcp from any           to tic.sixxs.net port 3874
 pass in  quick on $ExtIf proto tcp from tic.sixxs.net to any           port 3874
 pass out quick on $ExtIf proto udp from any           to tic.sixxs.net port 3874
 pass in  quick on $ExtIf proto udp from tic.sixxs.net to any           port 3874

# $ExtIf inbound
 pass in on $ExtIf inet proto icmp from any        to ($ExtIf) icmp-type 8 code 0 $UdpState
 pass in on $ExtIf inet proto tcp  from any        to $server_ip port 65534 $TcpState
 pass in on $ExtIf inet proto tcp  from any        to $mail_ip port smtp $TcpState
 pass in on $ExtIf inet proto tcp  from any        to $mail_ip port smtps $TcpState
 pass in on $ExtIf inet proto tcp  from $backup_ip to $mail_ip port submission $TcpState
 pass in on $ExtIf inet proto tcp  from any        to $mail_ip port imaps $TcpState
 pass in on $ExtIf inet proto tcp  from any        to $server_ip port domain $TcpState
 pass in on $ExtIf inet proto udp  from any        to $server_ip port domain $UdpState
# pass in on $ExtIf inet proto udp  from any        to $server_ip port 500 $UdpState
# pass in on $ExtIf inet proto udp  from any        to $server_ip port 4500 $UdpState
 pass in on $ExtIf inet proto tcp  from any        to $web_ip port http $TcpState
 pass in on $ExtIf inet proto tcp  from any        to $web_ip port https $TcpState

# ExtIf outbound
 pass out on $ExtIf inet proto tcp  from ($ExtIf) to any $TcpState
 pass out on $ExtIf inet proto udp  from ($ExtIf) to any $UdpState
 pass out on $ExtIf inet proto icmp from ($ExtIf) to any $UdpState

# IntIf return blocked packets (TCP reset)
 block return in log on $IntIf

# IntIf inbound
 pass in on $IntIf inet proto tcp  from any to any $TcpState
 pass in on $IntIf inet proto udp  from any to any $UdpState
 pass in on $IntIf inet proto icmp from any to any icmp-type 8 code 0 $UdpState
 pass in on $IntIf inet6 from any to any keep state

# IntIf outbound
 pass out on $IntIf inet proto tcp  from any to any $TcpState
 pass out on $IntIf inet proto udp  from any to any $UdpState
 pass out on $IntIf inet proto icmp from any to any icmp-type 8 code 0 $UdpState
 pass out on $IntIf inet6 from any to any keep state

# Vpn
 pass in log on $ExtIf proto udp from $backup_ip to ($ExtIf) port { 500, 4500 }
 pass out log on $ExtIf proto udp from $ExtIf to $backup_ip port { 500, 4500 }
 pass in log on $ExtIf proto esp from $backup_ip to ($ExtIf)
 pass out log on $ExtIf proto esp from $ExtIf to $backup_ip
[root@server /home/donald]#
```
Which rules did I forget??? When turning pf back on I can't ping 10.0.0.1 anymore.

Regards,
Donald.


----------



## ecdsa (Dec 17, 2012)

Does ping work from the Ubuntu host if you add a route to the 10.0.0.0/27 subnet via re1?

Since I don't know pf at all I can't really comment on that. But checking the logs might show you which rule causes packets to get dropped.


----------



## megapearl (Dec 17, 2012)

Yes, that works: when adding a route using `route add -net 10.0.0.0/27 192.168.0.1` on FreeBSD, I can then ping the FreeBSD server from the Ubuntu server.
I also don't have to use the `-S` option to ping from FreeBSD to Ubuntu.
I need to disable Shorewall to make that work, so now I'm figuring out what rules I need on both firewalls to get it all working.

Thanks!
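The source-address selection ecdsa explains (Dec 13) and the `route add -net 10.0.0.0/27 192.168.0.1` fix megapearl confirms (Dec 17), modelled as an added example; this is not code from the thread or from strongSwan. It uses only the standard `ipaddress` module: a longest-prefix route lookup picks the egress interface and its address as the packet's source, and the IPsec policy is then matched against the child SA's traffic selectors. The routing tables are constructed from the `netstat -r` and `ip route list table 220` output posted above, and the kernel is assumed to pick re0's primary address 213.126.17.114 as the source for the default route.

```python
"""Why a ping from the IPsec gateway itself misses the tunnel policy.

Added example, not code from the thread.  It models, with the ipaddress
module, the source-address selection ecdsa describes: the kernel chooses a
source address from the egress interface of the matching route, and the
IPsec policy only catches packets whose (src, dst) fall inside the traffic
selectors.  Routing tables are constructed from the netstat / ip route
output in the thread; nothing here touches real routes or sockets.
"""
import ipaddress

# Traffic selectors of the child SA, as seen from the FreeBSD end
# (ipsec statusall: 192.168.0.0/27 === 10.0.0.0/27).
LOCAL_TS = ipaddress.ip_network("192.168.0.0/27")
REMOTE_TS = ipaddress.ip_network("10.0.0.0/27")

# Constructed from the FreeBSD `netstat -r` output: (prefix, interface, address
# the kernel would use as source when sending out of that interface).
# Assumption: for the default route the kernel picks re0's primary address.
ROUTES_FREEBSD = [
    ("0.0.0.0/0",         "re0", "213.126.17.114"),
    ("213.126.17.112/29", "re0", "213.126.17.114"),
    ("192.168.0.0/27",    "re1", "192.168.0.1"),
]
# The same table after megapearl's `route add -net 10.0.0.0/27 192.168.0.1`:
# the remote subnet is now reached via the re1 address, so locally generated
# packets to 10.0.0.0/27 get 192.168.0.1 as source without `ping -S`.
ROUTES_FREEBSD_FIXED = ROUTES_FREEBSD + [("10.0.0.0/27", "re1", "192.168.0.1")]

# Constructed from the Linux side.  The entry charon installs in table 220
# ("192.168.0.0/27 via 94.211.240.1 dev eth0 ... src 10.0.0.1") is modelled as
# a route whose source hint is 10.0.0.1, which is why Linux does not need -S.
ROUTES_LINUX = [
    ("0.0.0.0/0",      "eth0", "94.211.240.88"),
    ("10.0.0.0/27",    "eth1", "10.0.0.1"),
    ("192.168.0.0/27", "eth0", "10.0.0.1"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, preferred source address)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def policy_matches(src, dst, local_ts=LOCAL_TS, remote_ts=REMOTE_TS):
    """True if the outbound (src, dst) pair falls inside the installed SP."""
    return (ipaddress.ip_address(src) in local_ts
            and ipaddress.ip_address(dst) in remote_ts)


def probe(routes, dst, src=None, local_ts=LOCAL_TS, remote_ts=REMOTE_TS):
    """Simulate a packet generated on the gateway itself.

    src=None mimics a plain `ping dst` (kernel picks the source from the
    egress route); src="x" mimics `ping -S x dst`.  Returns the interface the
    route selects, the source address used and whether the SP would match.
    """
    iface, chosen = lookup(routes, dst)
    if src is None:
        src = chosen
    return {"iface": iface, "src": src,
            "ipsec": policy_matches(src, dst, local_ts, remote_ts)}


if __name__ == "__main__":
    print("FreeBSD, plain ping:     ", probe(ROUTES_FREEBSD, "10.0.0.1"))
    print("FreeBSD, ping -S:        ", probe(ROUTES_FREEBSD, "10.0.0.1", "192.168.0.1"))
    print("FreeBSD, after route add:", probe(ROUTES_FREEBSD_FIXED, "10.0.0.1"))
    print("Linux, plain ping:       ",
          probe(ROUTES_LINUX, "192.168.0.1", local_ts=REMOTE_TS, remote_ts=LOCAL_TS))
```

The model only decides whether the SP would catch the packet; once it matches, the ESP packet is of course still sent out of re0 towards 94.211.240.88, so the `iface` reported for the `ping -S` case is the pre-encapsulation choice, not where the ciphertext leaves. It also says nothing about the pf problem in the thread: a packet that matches the policy can still be dropped by a firewall rule afterwards, which is what the `pf.conf.clear` test above distinguishes from the routing issue.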


----------

