IPF Understanding stateful behaviour of ipfilter in combination with IPsec/strongSwan

Hello,

I need some help understanding ipfilter and its stateful behaviour.

I have created an IPsec tunnel with strongSwan which is policy based.
On the BSD router, re1.7 has the IP 10.111.7.254/24. I want to reach the device 10.111.7.1 that is connected to the BSD router.
WAN is connected on re0 of the BSD router.
On the remote side I have the workstation 192.168.168.20 from which I want to connect to 10.111.7.1.

When I check the routing it gives me re0 as the interface, which I think is how strongSwan handles policy-based VPN.

netstat -rn
10.111.7.0/24 link#6 U re1.7
10.111.7.254 link#6 UHS lo0
1.2.3.0/24 link#1 U re0
1.2.3.113 link#1 UHS lo0
192.168.178.0/24 1.2.3.254 US re0


Because of this I created the following rule:
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state

The ipmon log indicates an issue with the state, as the answer packets seem to be blocked:


ipmon[5986]: 01:48:51.049457 re1.7 @0:20 b 10.111.7.1,22 -> 192.168.178.20,49838 PR tcp len 20 48 -AS IN


What am I missing here? Or what did I understand wrong?


Here is the full ruleset:

# Variables
wan="re0";
mgmt="re1.7";

# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all


# Rules

pass in log quick proto icmp keep state

# VPN
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state

# Outbound Internet
pass in log quick on $mgmt out-via $wan proto tcp from any to any flags S/SAFR keep state
pass in log quick on $mgmt out-via $wan proto udp from any to any
pass in log quick on $mgmt out-via $wan proto icmp from any to any


# Cleanup Rule
block in log all
pass out log all

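Added example, not part of the post above: a small Python triage script that parses ipmon lines in the format quoted in the post and flags blocked SYN/ACKs whose forward SYN was passed earlier, i.e. replies that found no matching state entry, together with the interface and rule each half of the exchange was seen on. The sample log is constructed: only the second line is the one from the post; the other three lines, including the assumption that the SYN was passed on re0 by a rule @0:3, are made up for illustration and do not come from the poster's router.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the ipmon line format. The second line is the one
# quoted in the post; the other three are assumed for illustration (the SYN
# being passed IN on re0 by rule @0:3 is an assumption, not shown by the post).
SAMPLE_LOG = """\
ipmon[5986]: 01:48:50.912001 re0 @0:3 p 192.168.178.20,49838 -> 10.111.7.1,22 PR tcp len 20 60 -S IN
ipmon[5986]: 01:48:51.049457 re1.7 @0:20 b 10.111.7.1,22 -> 192.168.178.20,49838 PR tcp len 20 48 -AS IN
ipmon[5986]: 01:48:52.100000 re1.7 @0:20 b 10.111.7.1,22 -> 192.168.178.20,49838 PR tcp len 20 48 -AS IN
ipmon[5986]: 01:48:55.000000 re1.7 @0:4 p 10.111.7.1,40000 -> 93.184.216.34,443 PR tcp len 20 60 -S IN
"""

# One ipmon line: "<time> <if> @group:rule <action> src,port -> dst,port PR proto len hl tl -FLAGS DIR"
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) len (?P<hlen>\d+) "
    r"(?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<direction>IN|OUT)"
)


@dataclass(frozen=True)
class Packet:
    time: str
    ifname: str
    rule: str           # "@group:number" exactly as ipmon prints it
    action: str         # 'p' = pass, 'b' = block
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str          # TCP flags as ipmon prints them ('S' = SYN, 'AS' = SYN/ACK); '' if none
    direction: str      # 'IN' or 'OUT'


def parse_line(line: str) -> Optional[Packet]:
    """Parse one ipmon line; returns None for lines that are not packet logs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        time=m["time"], ifname=m["ifname"], rule=f"@{m['group']}:{m['rule']}",
        action=m["action"], src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        proto=m["proto"], flags=m["flags"] or "", direction=m["direction"],
    )


def parse_ipmon(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


@dataclass
class Finding:
    syn: Packet      # the passed SYN that should have created the state entry
    reply: Packet    # the first blocked SYN/ACK for the reversed 4-tuple
    count: int       # how many times that reply was blocked (retransmissions)


def find_state_mismatches(packets: List[Packet]) -> List[Finding]:
    """Blocked SYN/ACKs whose reversed 4-tuple was earlier passed as a SYN.

    A SYN passed by a keep-state rule creates a state entry that the SYN/ACK
    should match; if the SYN/ACK is blocked instead, no state entry matched it.
    """
    seen_syn: Dict[Tuple, Packet] = {}
    findings: Dict[Tuple, Finding] = {}
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.action == "p" and p.flags == "S":
            seen_syn.setdefault(key, p)
        elif p.action == "b" and "S" in p.flags and "A" in p.flags:
            rev = (p.dst, p.dport, p.src, p.sport)
            syn = seen_syn.get(rev)
            if syn is None:
                continue
            if rev in findings:
                findings[rev].count += 1
            else:
                findings[rev] = Finding(syn=syn, reply=p, count=1)
    return list(findings.values())


def describe(f: Finding) -> str:
    return (f"{f.syn.src}:{f.syn.sport} -> {f.syn.dst}:{f.syn.dport}: SYN passed "
            f"{f.syn.direction} on {f.syn.ifname} by {f.syn.rule}, but the SYN/ACK "
            f"arriving {f.reply.direction} on {f.reply.ifname} was blocked by "
            f"{f.reply.rule} ({f.count} time(s)); no state entry matched the reply")


if __name__ == "__main__":
    for finding in find_state_mismatches(parse_ipmon(SAMPLE_LOG)):
        print(describe(finding))
```

Feed it the real ipmon output instead of the constructed sample and compare each finding with the live state table from ipfstat -sl: a passed SYN with no corresponding entry, or an entry bound to a different interface than the one the blocked reply arrived on, is the thing to look at first.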
 