On Fri, 10 Jan 2020 12:19:46 +0100, Janne Johansson <[email protected]> wrote:
> > There's a tunnel between Server A and Server B. Server A is a
> > standalone machine trying to reach over the VPN tunnel to a host
> > (10.0.1.50) that is located in a subnet of Server B. Setup is the
> > following:
> >
> > $ cat /etc/hostname.enc0
> >
> Haven't done ipsec on obsd for a while now, but are you really
> supposed to have single-tunnel content in hostname.enc0?
>
> The enc interfaces are not to ipsec what tuns are to say openvpn. It
> is more of a looking glass into what ALL ipsec traffic is both in and
> out before and after decapsulation, instead of being a
> one-enc-per-tunnel, with ips and confs.
>
> http://www.openbsd.org/faq/faq17.html doesn't seem to mention the
> need for any edits of hostname.enc0, does it?
>

I appreciate the directions, but after defining the exact same rules as in
the Tutorial (-> OpenBSD as roadwarrior) I still see the same errors.

This time I implemented it in a test environment. Two test machines:
Machine A wants to route all its traffic through Machine B.

Machine A (192.168.22.222):

$ cat /etc/iked.conf
ikev2 'roadwarrior' active esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        peer 192.168.22.110 \
        srcid <fqdn-of-a> \
        dstid <fqdn-of-b>

$ cat /etc/pf.conf
match out on enc0 all nat-to 10.0.5.2

Machine B (192.168.22.110):

$ cat /etc/iked.conf
ikev2 'responder' passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        local egress \
        peer any \
        srcid <fqdn-of-b> \
        tag "ROADW"

$ cat /etc/pf.conf
pass in on egress proto udp from any to 192.168.22.110 port {500, 4500} tag IKED
pass in on egress proto esp from any to 192.168.22.110 tag IKED
pass on enc0 tagged ROADW
match out on egress inet tagged ROADW nat-to egress

This time there are no double packets to be seen on the interface.
There are still no responses coming back from packets sent over the tunnel.

Machine B:

# tcpdump -envps 1500 -i enc0
tcpdump: listening on enc0, link-type ENC
13:53:28.672605 (authentic,confidential): SPI 0xed1617dd: 192.168.22.222 > 192.168.22.110: 10.0.5.2.65031 > <public-dns-ip>.53: [udp sum ok] 53436% [1au] A? pool.ntp.org.(41) (ttl 64, id 10351, len 69) (ttl 64, id 24158, len 89)
13:53:31.692533 (authentic,confidential): SPI 0xed1617dd: 192.168.22.222 > 192.168.22.110: 10.0.5.2.65530 > <public-ip>.53: [udp sum ok] 25098% [1au] A? pool.ntp.org.(41) (ttl 64, id 37930, len 69) (ttl 64, id 48586, len 89)

Thank you.

g
Stephan
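Added example, not part of the thread: a small Python parser for the `tcpdump -i enc0` format shown above that reports inner flows seen in one direction only, which is the quickest way to confirm from enc0 alone that replies never re-enter the tunnel. The sample lines are constructed after the post's output, with the public resolver replaced by the documentation address 192.0.2.53 and a constructed reply line added to show what a matched flow looks like.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -envps 1500 -i enc0` output.
# Lines 1-2 mirror the post (resolver replaced by 192.0.2.53); line 3 is a
# constructed reply, so the second flow is answered and the first is not.
SAMPLE = """\
13:53:28.672605 (authentic,confidential): SPI 0xed1617dd: 192.168.22.222 > 192.168.22.110: 10.0.5.2.65031 > 192.0.2.53.53: [udp sum ok] 53436% [1au] A? pool.ntp.org.(41) (ttl 64, id 10351, len 69) (ttl 64, id 24158, len 89)
13:53:31.692533 (authentic,confidential): SPI 0xed1617dd: 192.168.22.222 > 192.168.22.110: 10.0.5.2.65530 > 192.0.2.53.53: [udp sum ok] 25098% [1au] A? pool.ntp.org.(41) (ttl 64, id 37930, len 69) (ttl 64, id 48586, len 89)
13:53:31.700001 (authentic,confidential): SPI 0x0a1b2c3d: 192.168.22.110 > 192.168.22.222: 192.0.2.53.53 > 10.0.5.2.65530: [udp sum ok] 25098 q: A? pool.ntp.org. 4/0/1 (ttl 63, id 1, len 120)
"""

# Outer ESP endpoints, then the inner (decapsulated) addresses with ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-f]+): "
    r"(?P<osrc>[\d.]+) > (?P<odst>[\d.]+): "
    r"(?P<isrc>[\d.]+)\.(?P<sport>\d+) > (?P<idst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_enc0(text):
    """Return one dict per line that matches the enc0 ESP line format."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(m.groupdict())
    return pkts


def unanswered_flows(pkts):
    """Inner 4-tuples seen in one direction with no packet in the reverse direction.

    enc0 shows IPsec traffic both before and after (de)encapsulation, so a flow
    that never appears reversed here was never sent back into the tunnel.
    """
    seen = defaultdict(int)
    for p in pkts:
        seen[(p["isrc"], p["sport"], p["idst"], p["dport"])] += 1
    return sorted(
        fwd for fwd in seen if (fwd[2], fwd[3], fwd[0], fwd[1]) not in seen
    )


if __name__ == "__main__":
    for f in unanswered_flows(parse_enc0(SAMPLE)):
        print("no reply seen on enc0 for %s:%s -> %s:%s" % f)
```

Feed it a real capture with `tcpdump -envps 1500 -i enc0 > enc0.txt` on the responder; a flow that stays unanswered on enc0 points at the return path (pf NAT state, routing or forwarding on the responder) rather than at the IKE/ESP negotiation, which is clearly up.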
