Hello,
I need some help understanding ipfilter and its stateful behaviour.
I have created an IPsec tunnel with strongswan which is policy based.
On the BSD router, re1.7 has the IP 10.111.7.254/24. I want to reach the device 10.111.7.1 that is connected to the BSD router.
The WAN is connected to the BSD router on re0.
On the remote side I have the workstation 192.168.168.20, from which I want to connect to 10.111.7.1.
When I check the routing it gives me re0 as the interface, which I think is how strongswan handles policy-based VPN.
netstat -rn
10.111.7.0/24 link#6 U re1.7
10.111.7.254 link#6 UHS lo0
1.2.3.0/24 link#1 U re0
1.2.3.113 link#1 UHS lo0
192.168.178.0/24 1.2.3.254 US re0
Because of this I created the following rule:
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state
The ipmon log indicates an issue with the state, as the answer packets seem to be blocked:
ipmon[5986]: 01:48:51.049457 re1.7 @0:20 b 10.111.7.1,22 -> 192.168.178.20,49838 PR tcp len 20 48 -AS IN
What am I missing here? Or what did I understand wrong?
Here is the full ruleset:
# Variables
wan="re0";
mgmt="re1.7";
# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Rules
pass in log quick proto icmp keep state
# VPN
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state
# Outbound Internet
pass in log quick on $mgmt out-via $wan proto tcp from any to any flags S/SAFR keep state
pass in log quick on $mgmt out-via $wan proto udp from any to any
pass in log quick on $mgmt out-via $wan proto icmp from any to any
# Cleanup Rule
block in log all
pass out log all
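When reading ipmon output like the line quoted above, the useful fields are the interface, the @group:rule reference, the action (b = blocked, p = passed), the TCP flags (-S is a SYN, -AS a SYN/ACK) and the direction (IN/OUT). The script below is an added example, not code from the original post: it parses ipmon lines in that format, picks out blocked TCP segments that carry ACK (i.e. replies that should have matched a state entry rather than hit a block rule), and pairs each with the earlier packet of the same flow so you can see on which interface and by which rule the flow was admitted versus where the reply was dropped. The sample log is constructed: the third line is the one from the post, the other lines (and their @0:4 / @0:3 rule numbers) are hypothetical neighbours invented for the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample ipmon output. Line 3 is the one quoted in the post; the
# other lines are hypothetical and only exist so request and reply can be paired.
SAMPLE_LOG = """\
ipmon[5986]: 01:48:50.991102 re0 @0:4 p 192.168.178.20,49838 -> 10.111.7.1,22 PR tcp len 20 60 -S IN
ipmon[5986]: 01:48:50.991150 re1.7 @0:4 p 192.168.178.20,49838 -> 10.111.7.1,22 PR tcp len 20 60 -S OUT
ipmon[5986]: 01:48:51.049457 re1.7 @0:20 b 10.111.7.1,22 -> 192.168.178.20,49838 PR tcp len 20 48 -AS IN
ipmon[5986]: 01:48:51.100000 re1.7 @0:3 p 10.111.7.1 -> 192.168.178.20 PR icmp len 20 84 icmp 0/0 IN
"""

IPMON_RE = re.compile(r"""
    ^(?:ipmon\[\d+\]:\s+)?                 # optional syslog-style prefix
    (?P<ts>\d\d:\d\d:\d\d\.\d+)\s+
    (?P<iface>\S+)\s+                      # interface the packet was seen on
    @(?P<group>\d+):(?P<rule>\d+)\s+       # rule reference: group:rule-number
    (?P<action>[A-Za-z]+)\s+               # b = blocked, p = passed, ...
    (?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+
    (?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+
    PR\s+(?P<proto>\w+)\s+
    len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)
    (?:\s+-(?P<flags>[A-Z]*))?             # TCP flags, e.g. -S, -AS, -AF
    (?:\s+icmp\s+(?P<icmp>\d+/\d+))?       # ICMP type/code, if any
    \s+(?P<dir>IN|OUT)\s*$
""", re.VERBOSE)


@dataclass(frozen=True)
class IpmonEvent:
    ts: str
    iface: str
    group: int
    rule: int
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: FrozenSet[str]
    direction: str

    @property
    def blocked(self) -> bool:
        return self.action.startswith("b")

    @property
    def is_syn_ack(self) -> bool:
        return self.proto == "tcp" and {"S", "A"} <= self.flags


def parse_ipmon_line(line: str) -> Optional[IpmonEvent]:
    """Parse one ipmon line; returns None for lines in another format."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEvent(
        ts=m["ts"], iface=m["iface"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        proto=m["proto"], flags=frozenset(m["flags"] or ""), direction=m["dir"],
    )


def parse_ipmon(text: str) -> List[IpmonEvent]:
    return [ev for ev in map(parse_ipmon_line, text.splitlines()) if ev]


def unmatched_replies(events: List[IpmonEvent]) -> List[IpmonEvent]:
    """Blocked TCP segments carrying ACK: mid-flow packets (SYN/ACK, ACK, FIN/ACK)
    that reached a block rule instead of being matched by a state entry."""
    return [e for e in events if e.blocked and e.proto == "tcp" and "A" in e.flags]


def correlate_replies(events: List[IpmonEvent]) -> List[Tuple[IpmonEvent, IpmonEvent]]:
    """Pair each unmatched reply with the first earlier passed packet of the same
    flow in the opposite direction (4-tuple reversed), i.e. the packet that should
    have created the state the reply was expected to match."""
    pairs = []
    for i, reply in enumerate(events):
        if not (reply.blocked and reply.proto == "tcp" and "A" in reply.flags):
            continue
        for req in events[:i]:
            if (req.proto == "tcp" and not req.blocked
                    and req.src == reply.dst and req.sport == reply.dport
                    and req.dst == reply.src and req.dport == reply.sport):
                pairs.append((req, reply))
                break
    return pairs


def describe_pair(req: IpmonEvent, reply: IpmonEvent) -> str:
    return (f"flow {req.src}:{req.sport} -> {req.dst}:{req.dport} "
            f"admitted {req.direction} on {req.iface} by @{req.group}:{req.rule}; "
            f"reply blocked {reply.direction} on {reply.iface} by @{reply.group}:{reply.rule} "
            f"(flags {''.join(sorted(reply.flags)) or '-'})")


if __name__ == "__main__":
    for req, reply in correlate_replies(parse_ipmon(SAMPLE_LOG)):
        print(describe_pair(req, reply))
```

Feed it `ipmon -o I` output or the syslog file ipmon writes to, then look up the @group:rule references in the numbered listings from `ipfstat -in` and `ipfstat -on`, and compare with `ipfstat -sl` to see whether a state entry for the flow exists and on which interface it was seen.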