A kind soul (thank you) suggested I add the following to my ruleset:
    pass quick on enc0 proto ipencap

Unfortunately, that still does not allow the inner outbound traffic to pass.


From what I can tell, the original ruleset already let ipencap traffic pass
on enc0. I verified with tcpdump and by separately logging the pass rules.
Had ipencap been the problem, tcpdump on pflog1 would show a match on rule
#11 (instead of the 'tagged PBX' rule #12).

Pinging or UDP traffic to the 172.24.8.0/24 subnet fails, whereas incoming
traffic from the other side is matched to the 'tagged PBX' rule (#12). I've
made sure the tagging in #14 does not occur for traffic to the PBX (I added
its net to the <internal> table).

I expected ipsec to automagically add the 'PBX' tag to traffic it gets
handed (in this case, from $if_int) when that traffic fits its SAs. I
further expected pf to need no more than a simple 'pass on enc0 tagged PBX'
after that. If I was too optimistic or misunderstood ipsec.conf(5), a
cluebat is more than welcome. If this is something that should work, I'll
try with -current as well.

Regards,

Rogier


# tcpdump -ni pflog0 -s1600 -eee -ttt -v
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id 40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl 127, id 23969, len 60, bad cksum 5dc2!)


# tcpdump -ni pflog1 -s1600 -eee -ttt
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:29.149843 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:29.149865 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:30.159693 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:30.159715 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request


# pfctl -sr -vv | grep -e '^@'
@0 block return log all
@1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
@2 pass out on egress from (egress:3) to any flags S/SA
@3 pass out on egress proto udp from (egress:3) to any port = 3740
@4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
@5 pass on egress proto udp from any to any port = 500
@6 pass on egress proto udp from any to any port = 4500
@7 pass on egress proto ipv6 all
@8 pass on egress inet proto icmp all
@9 pass on egress inet6 proto ipv6-icmp all
@10 pass on egress proto esp all
@11 pass log (all, to pflog1) on enc0 proto ipencap all
@12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound) tagged PBX
@13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9) port = 22 flags S/SA
@14 match in on vlan801 from (vlan801:network:5) to ! <internal:7> tag OUT
@15 pass on vlan801 all flags S/SA
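The cross-check done in the post (reading a rule number off pflog and looking it up in the numbered `pfctl -sr -vv` output) is easy to script. The following is an added example written for this page, not code from the original post or from OpenBSD. It embeds the ruleset and the pflog lines quoted above (with the mail wrapping undone) so it runs offline; the `candidate_rules` heuristic, which only compares interface and direction and ignores addresses and protocols, is an illustrative assumption, not something pf itself does.

```python
"""Correlate pflog(4) rule numbers with the rules printed by 'pfctl -sr -vv'."""
import re

# Ruleset as printed by: pfctl -sr -vv | grep -e '^@'   (copied from the post)
PFCTL_RULES = """\
@0 block return log all
@1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
@2 pass out on egress from (egress:3) to any flags S/SA
@3 pass out on egress proto udp from (egress:3) to any port = 3740
@4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
@5 pass on egress proto udp from any to any port = 500
@6 pass on egress proto udp from any to any port = 4500
@7 pass on egress proto ipv6 all
@8 pass on egress inet proto icmp all
@9 pass on egress inet6 proto ipv6-icmp all
@10 pass on egress proto esp all
@11 pass log (all, to pflog1) on enc0 proto ipencap all
@12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound) tagged PBX
@13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9) port = 22 flags S/SA
@14 match in on vlan801 from (vlan801:network:5) to ! <internal:7> tag OUT
@15 pass on vlan801 all flags S/SA
"""

# Lines as printed by: tcpdump -ni pflogN -s1600 -eee -ttt   (copied from the post)
PFLOG_LINES = """\
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id 40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl 127, id 23969, len 60, bad cksum 5dc2!)
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
# action, optional modifiers (return / log (...) / quick), optional direction, interface
RULE_HDR_RE = re.compile(
    r"^(?P<action>block|pass|match)"
    r"(?: return| log(?: \([^)]*\))?| quick)*"
    r"(?: (?P<dir>in|out))? on (?P<ifname>\S+)")
TAGGED_RE = re.compile(r"\btagged (\S+)")
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\)(?: \[[^\]]*\])? "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+):")


def parse_ruleset(text):
    """Map rule number -> rule text for every '@N ...' line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def rule_scope(rule_text):
    """Return (direction or None, interface or None, tag the rule requires or None)."""
    t = TAGGED_RE.search(rule_text)
    tag = t.group(1) if t else None
    m = RULE_HDR_RE.match(rule_text)
    if not m:                     # e.g. '@0 block return log all': no interface at all
        return None, None, tag
    return m.group("dir"), m.group("ifname"), tag


def parse_pflog(text):
    """Pull rule number, verdict, direction, interface and endpoints out of pflog lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def candidate_rules(rules, ev):
    """Heuristic (assumption, not pf logic): rules on the packet's interface whose
    direction fits, with the tag each one demands; addresses/protocols are ignored."""
    out = []
    for n, text in sorted(rules.items()):
        d, ifname, tag = rule_scope(text)
        if ifname == ev["ifname"] and d in (None, ev["dir"]):
            out.append((n, tag))
    return out


def correlate(rules, events):
    """Attach the matched rule's text, its tag requirement and the skipped candidates."""
    result = []
    for ev in events:
        text = rules.get(ev["rule"], "<rule number not in this ruleset>")
        _, _, tag = rule_scope(text)
        result.append({**ev, "rule_text": text, "tag": tag,
                       "candidates": candidate_rules(rules, ev)})
    return result


def report(rules, events):
    """Human-readable lines, flagging packets that fell through to the default block."""
    lines = []
    for r in correlate(rules, events):
        lines.append(f"{r['action']} {r['dir']} on {r['ifname']} {r['src']} > {r['dst']}"
                     f"  matched @{r['rule']}: {r['rule_text']}")
        if r["action"] == "block" and r["rule"] == 0:
            skipped = ", ".join(f"@{n} (needs tag {t})" if t else f"@{n}"
                                for n, t in r["candidates"])
            lines.append(f"  fell through to the default block; "
                         f"{r['ifname']} {r['dir']} rules not matched: {skipped}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_ruleset(PFCTL_RULES), parse_pflog(PFLOG_LINES))))
```

Two caveats when using this on a live box: pflog rule numbers are positions in the ruleset loaded at the time of the log entry, so take the `pfctl -sr -vv` snapshot in the same session as the capture (a `pfctl -f` in between shifts the numbers); and a `tagged` rule can never match a packet that carries no tag, so an enc0 packet landing on @0 says only that @12's tag condition (or @11's protocol) was not met, not why.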
