Hi,
I've built an app that uses NEVPNManager / NEVPNProtocolIKEv2 / etc to manage an IKEv2 VPN connection, which is working well. I am now trying to transparently route outbound HTTP connections through a local HTTP proxy (Charles, port 8888) for development purposes. This works when the VPN is disconnected (via Wi-Fi / en0) but does not work when using the IKEv2 interface (ipsec0).
Here is the pf config used:
HTTP = "inet proto tcp from ipsec0 to any port 80"
rdr on lo0 $HTTP -> lo0 port 8888
pass out on ipsec0 route-to lo0 $HTTP keep state
pass out on ipsec0 $HTTP keep state user charles
The Charles proxy runs under a different user (charles). Disconnecting the VPN and swapping references to ipsec0 with en0 works - outbound HTTP traffic is visible in Charles.
Using Wireshark, I've performed packet captures on the ipsec0 and lo0 interfaces. The SYN packet is captured on lo0, with a source address of the VPN local address and the correct destination address. I believe this reaches Charles, as a SYN, ACK reply packet is then captured on ipsec0. The application that is trying to make the HTTP request never receives the SYN, ACK - therefore both the SYN and the SYN, ACK are retransmitted until timeout.
As this setup works with en0 when the VPN is not part of the picture, there must be something different about how the IKEv2 interface is treated by the OS. Can anyone shed any light on this?
Cheers,
Dave
I figured it out. I needed to make sure that matching reply packets were directed back at lo0 instead of ipsec0:
ORIGINAL = "inet proto tcp from ipsec0 to any port 80"
REDIRECTED = "inet proto tcp from ipsec0 to any port 8888"
rdr on lo0 $ORIGINAL -> lo0 port 8888
pass out on ipsec0 route-to lo0 $ORIGINAL keep state
pass out on ipsec0 $ORIGINAL keep state user charles
pass in on lo0 reply-to lo0 $REDIRECTED keep state
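As an added example (not Dave's code), a small POSIX sh helper that generates the rule set above for a chosen interface, proxy port and proxy user, so the same rules can be produced for en0 or ipsec0, and parse-checks the result with `pfctl -nf` when pfctl is present (assumed macOS/BSD pf; the output path is a constructed placeholder).

```shell
#!/bin/sh
# Added example: builds the pf rule set from the post for interface $1,
# proxy port $2 and proxy user $3, then parses it with `pfctl -nf`
# (parse only, nothing is loaded) when pfctl exists on the host.

charles_pf_rules() {
    iface=$1; port=$2; user=$3
    # Accept only a plain interface name and a valid TCP port, so the
    # values cannot smuggle extra pf syntax into the generated file.
    case $iface in
        ''|*[!a-z0-9]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ -n "$user" ] || { echo "missing proxy user" >&2; return 1; }
    # \$ keeps the macro references literal in the written rule set.
cat <<EOF
ORIGINAL = "inet proto tcp from $iface to any port 80"
REDIRECTED = "inet proto tcp from $iface to any port $port"
rdr on lo0 \$ORIGINAL -> lo0 port $port
pass out on $iface route-to lo0 \$ORIGINAL keep state
pass out on $iface \$ORIGINAL keep state user $user
# reply packets must be matched back on lo0, not on the outbound interface
pass in on lo0 reply-to lo0 \$REDIRECTED keep state
EOF
}

# Write the rules to a file and dry-run parse them if pfctl is available.
charles_pf_check() {
    file=${4:-/tmp/charles.pf}   # constructed path, not from the post
    charles_pf_rules "$1" "$2" "$3" > "$file" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$file"        # -n: parse only, do not load
    else
        echo "pfctl not found; rules written to $file (not validated)" >&2
    fi
}
```

Loading the file is left to the reader's existing pf setup; the helper only generates and parse-checks the rules.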