I can connect to the VPN (L2TP over IPsec on OpenBSD: isakmpd for IKE, npppd for L2TP) with the setup below, but once connected the client cannot reach the Internet through the tunnel.
/etc/rc.conf.local
# /etc/rc.conf.local — daemons enabled at boot for the L2TP/IPsec server.
# isakmpd(8) is the IKEv1 daemon. "-K" is passed through exactly as in the
# original listing; it is commonly used so that the ipsec.conf flows alone
# decide what is accepted instead of a keynote policy — confirm in isakmpd(8).
isakmpd_flags="-K"
# Load the IPsec flows from /etc/ipsec.conf at boot (the same thing the manual
# "ipsecctl -f /etc/ipsec.conf" in the session below does).
ipsec=YES
# npppd(8) is the L2TP server. NOTE: it also needs net.pipex.enable=1, which is
# set by hand with sysctl later in this listing but is not persisted anywhere
# shown here — put it (and net.inet.ip.forwarding=1, which is required for the
# box to route client traffic out and is never shown being set) in
# /etc/sysctl.conf so they survive a reboot.
npppd_flags=""
/etc/ipsec.conf
# Passive (responder-only) IKEv1 rule for road-warrior clients: any peer that
# knows the PSK may connect to sub.domain.tld (the server's public name).
# Points worth checking, based on the session captured further down:
#  - The rule says "tunnel", but the SAs actually negotiated are transport-mode
#    ESP for UDP port 1701 ("ipsecctl -s all" shows "esp transport" and flows
#    "proto udp ... port l2tp"), which is what L2TP/IPsec expects; the client's
#    proposal was apparently accepted, so "tunnel" here is misleading rather
#    than harmful. Writing the intent explicitly, e.g.
#    "ike passive esp transport proto udp from egress to any port l2tp ...",
#    avoids the ambiguity — confirm the exact syntax in ipsec.conf(5).
#  - modp1024 is the 1024-bit DH group. It is often kept for client
#    compatibility but is weak by current standards; prefer modp2048 or
#    stronger if the clients support it.
#  - The monitor output shows UDP encapsulation (port 4500) and the client
#    identifying as 10.0.0.37/32, i.e. the client is behind NAT and presents a
#    private-address ID. With a single shared PSK that PSK is the only
#    authentication of the peer, so treat it as a real secret.
#  - "key" is a placeholder. /etc/ipsec.conf should be readable by root only.
ike passive esp tunnel \
from sub.domain.tld to any \
main group "modp1024" \
quick group "modp1024" \
psk "key"
/etc/npppd/npppd-users
# /etc/npppd/npppd-users — one getcap(3)-style record per VPN login.
# $user and $passwd are placeholders for the real login name and password.
# The password is stored in clear text, so this file must be owned by root and
# not readable by anyone else (mode 0600); npppd is started as root below and
# does not need it to be world-readable.
$user:\
:password=$passwd:
/etc/pf.conf
# /etc/pf.conf (excerpt) — only the VPN-related rules are shown here. The
# loaded ruleset printed further down ("pfctl -s rules") also contains
# "block return all" immediately followed by "pass all flags S/SA". pf
# evaluates rules last-match-wins (absent "quick"), so that "pass all"
# overrides the block for every packet: the interface-specific pass rules
# below are largely redundant and the firewall is effectively open apart from
# the <vilain_bruteforce> table and the X11 port block. Either remove
# "pass all" or place it before the block rule.
pubIF = "vio0"
# "pppx" is the interface *group* of the pppx(4) interfaces npppd creates on
# the fly (pppx0, "groups: pppx" in the ifconfig output below), so one rule
# covers every connected client.
vpnIF = "pppx"
vpnNET = "10.0.0.0/24"
# IKE and ESP from road warriors. The ipsecctl -m output shows the client using
# UDP encapsulation (udpencap port 4500), so ipsec-nat-t must be allowed.
pass in on $pubIF proto esp
pass in on $pubIF proto udp to port { isakmp, ipsec-nat-t }
# Traffic decapsulated from the IPsec SAs (presumably the L2TP UDP/1701
# packets) is filtered on enc0.
pass on enc0 keep state (if-bound)
# Client traffic in both directions on the PPP interfaces.
pass on $vpnIF from $vpnNET
pass on $vpnIF to $vpnNET
# Source-NAT client traffic leaving the public interface. This only matters if
# the kernel actually forwards packets between pppx0 and vio0, which requires
# net.inet.ip.forwarding=1 — the listing only ever shows net.pipex.enable being
# set, so check "sysctl net.inet.ip.forwarding" first.
# Also note that none of these rules, nor "block return all", carry "log", so
# an empty "tcpdump -i pflog0" does not prove nothing is being dropped; capture
# on pppx0 and vio0 directly, or add "log" to the block rule while debugging.
match out on $pubIF from $vpnNET nat-to ($pubIF) set prio (3,4)
Starting the daemons by hand (note that net.pipex.enable is set with sysctl here, but nothing in this listing persists it in /etc/sysctl.conf, and net.inet.ip.forwarding is never shown being enabled):
# /etc/rc.d/isakmpd start
isakmpd(ok)
root@vpx:~# ipsecctl -f /etc/ipsec.conf
root@vpx:~# sysctl net.pipex.enable=1
net.pipex.enable: 0 -> 1
root@vpx:~# sysctl net.pipex.enable
net.pipex.enable=1
root@vpx:~# /etc/rc.d/npppd start
npppd(ok)
I then configure the Mac client (L2TP over IPsec with the pre-shared key) and connect. ifconfig confirms the client is connected: pppx0 is up with 10.0.0.1 --> 10.0.0.73.
root@vpx:~# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 4 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
lladdr mac
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet pubIP netmask 0xfffffe00 broadcast gateway
inet6 ip6ip%vio0 prefixlen 64 scopeid 0x1
<snip(inet6)>
vio1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr mac
index 2 priority 0 llprio 3
media: Ethernet autoselect
status: no carrier
enc0: flags=0<>
index 3 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
index 5 priority 0 llprio 3
groups: pflog
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
description: $user
index 6 priority 0 llprio 3
groups: pppx
inet 10.0.0.1 --> 10.0.0.73 netmask 0xffffffff
tcpdump on pflog0 shows nothing, despite the successful connection and browsing attempts from the client. (pflog0 only receives packets matched by rules carrying `log`; in the loaded ruleset below only the <vilain_bruteforce> block rule logs and `block return all` does not, so an empty capture here does not show whether traffic is being dropped — capturing on pppx0 and vio0 directly would be more informative.)
root@vpx:~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel
PF_KEY monitor output (ipsecctl -m) while the client connects. Note that the SAs that come up are transport-mode ESP (aes/hmac-sha1) with UDP encapsulation on port 4500, and the client identifies as 10.0.0.37/32, i.e. it is behind NAT:
root@vpx:~# ipsecctl -m
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type require direction out
src_flow: VPN port 1701
dst_flow: client port 56642
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type require direction out
src_flow: VPN port 1701
dst_flow: client port 56642
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
sa: spi 0x... auth none enc none
state larval replay 0 flags 0<>
address_src: VPN
address_dst: client
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
sa: spi 0x... auth none enc none
state larval replay 0 flags 0<>
address_src: VPN
address_dst: client
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type use direction in
src_flow: client port 56642
dst_flow: VPN port 1701
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type use direction in
src_flow: client port 56642
dst_flow: VPN port 1701
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
sa: spi 0x... auth none enc none
state larval replay 0 flags 0<>
address_src: client
address_dst: VPN
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
sa: spi 0x... auth none enc none
state larval replay 0 flags 0<>
address_src: client
address_dst: VPN
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
address_src: client
address_dst: VPN
spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
sa: spi 0x... auth none enc none
state mature replay 0 flags 0<>
address_src: client
address_dst: VPN
sadb_add: satype esp vers 2 len 51 seq 11 pid 47859
sa: spi 0x... auth hmac-sha1 enc aes
state mature replay 16 flags 0x200<udpencap>
lifetime_hard: alloc 0 bytes 0 add 3600 first 0
lifetime_soft: alloc 0 bytes 0 add 3240 first 0
address_src: VPN
address_dst: client
key_auth: bits 160: hash
key_encrypt: bits 256: hash
identity_src: type prefix id 0: vpn/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type unknown direction out
src_flow: VPN port 1701
dst_flow: client port 64265
udpencap: udpencap port 4500
sadb_add: satype esp vers 2 len 42 seq 11 pid 47859
sa: spi 0x... auth hmac-sha1 enc aes
state mature replay 16 flags 0x200<udpencap>
lifetime_hard: alloc 0 bytes 0 add 3600 first 0
lifetime_soft: alloc 0 bytes 0 add 3240 first 0
address_src: VPN
address_dst: client
identity_src: type prefix id 0: VPN/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type unknown direction out
src_flow: VPN port 1701
dst_flow: client port 64265
udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 51 seq 12 pid 47859
sa: spi 0x... auth hmac-sha1 enc aes
state mature replay 16 flags 0x200<udpencap>
lifetime_hard: alloc 0 bytes 0 add 3600 first 0
lifetime_soft: alloc 0 bytes 0 add 3240 first 0
address_src: client
address_dst: VPN
key_auth: bits 160: hash
key_encrypt: bits 256: hash
identity_src: type prefix id 0: 10.0.0.37/32
identity_dst: type prefix id 0: VPN/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type unknown direction in
src_flow: client port 64265
dst_flow: VPN port 1701
udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 42 seq 12 pid 47859
sa: spi 0x... auth hmac-sha1 enc aes
state mature replay 16 flags 0x200<udpencap>
lifetime_hard: alloc 0 bytes 0 add 3600 first 0
lifetime_soft: alloc 0 bytes 0 add 3240 first 0
address_src: client
address_dst: VPN
identity_src: type prefix id 0: 10.0.0.37/32
identity_dst: type prefix id 0: VPN/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type unknown direction in
src_flow: client port 64265
dst_flow: VPN port 1701
udpencap: udpencap port 4500
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
address_dst: client
identity_src: type prefix id 0: VPN/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type require direction out
src_flow: VPN port 1701
dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
address_dst: client
identity_src: type prefix id 0: VPN/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type require direction out
src_flow: VPN port 1701
dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
address_dst: client
identity_src: type prefix id 0: VPN/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type use direction in
src_flow: client port 64265
dst_flow: VPN port 1701
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
address_dst: client
identity_src: type prefix id 0: VPN/32
identity_dst: type prefix id 0: 10.0.0.37/32
src_mask: 255.255.255.255 port 65535
dst_mask: 255.255.255.255 port 65535
protocol: proto 17 flags 0
flow_type: type use direction in
src_flow: client port 64265
dst_flow: VPN port 1701
^C
Active IPsec flows and SAs (ipsecctl -s all) — transport mode for UDP/l2tp, not the tunnel mode written in ipsec.conf:
root@vpx:~# ipsecctl -s all
FLOWS:
flow esp in proto udp from client port 61418 to VPN port l2tp peer client srcid VPN/32 dstid 10.0.0.37/32 type use
flow esp out proto udp from VPN port l2tp to client port 61418 peer client srcid VPN/32 dstid 10.0.0.37/32 type require
SAD:
esp transport from VPN to client spi 0x... auth hmac-sha1 enc aes-256
esp transport from client to VPN spi 0x... auth hmac-sha1 enc aes-256
Loaded pf ruleset (pfctl -s rules). Note `block return all` followed directly by `pass all flags S/SA`: with pf's last-match evaluation the pass rule wins for every packet, so the interface-specific rules after it are largely redundant and the firewall is effectively open apart from the brute-force table and the X11 port block:
root@vpx:~# pfctl -s rules
block drop log quick from <vilain_bruteforce> to any
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
pass in on vio0 proto udp from any to any port = 500
pass in on vio0 proto udp from any to any port = 4500
pass in on vio0 proto esp all
pass on enc0 all flags S/SA keep state (if-bound)
pass on pppx inet from 10.0.0.0/24 to any flags S/SA
pass on pppx inet from any to 10.0.0.0/24 flags S/SA
match out on vio0 inet from 10.0.0.0/24 to any set ( prio(3, 4) ) nat-to (vio0) round-robin
root@vpx:~#