On Wed, Jul 07, 2021 at 12:11:36PM +0800, Vladimir Nikishkin wrote:
> I had a very similar problem with the kernel panic.
> 
> I had the following iked.conf
> 
> ikev2 "ike-2021-07-02" passive esp \
>         from any to 10.0.3.0/24 \
>         local egress peer any \
>         eap "mschap-v2" \
>         config address 10.0.3.2 \
>         config name-server 8.8.8.8 \
>         tag "ROADW" \
>         tap "enc1"
> 
> the following in the /etc/hostname.enc1
> 
> inet 10.0.3.1 255.255.255.0
> #!ifconfig enc1 mtu 1380
> 
> and the following in pf.conf
> 
> pass in quick on egress proto udp from any to (egress:network) port {isakmp, ipsec-nat-t} keep state tag IKED
> pass in quick on egress proto esp from any to (egress:network) tag IKED
> pass log on enc1 tagged ROADW keep state
> 
> 
> and routing would look like
> 
> 10.0.3/24          10.0.3.1           UGS        1    77304 32768     8 enc1
> 10.0.3.1           10.0.3.1           UHhl       1       10 32768     1 enc1
> 
> 
> This all seemed to make sense, the interface "enc1" is the one connected
> to the "Virtual Network".
> 
> Now I have to change enc1 to lo1, but how do I tell the ipsec
> subsystem that "lo1" is connected to the "Virtual Network"? (i.e.
> that the packets sent by the peer should appear to have arrived at lo1,
> not some other interface)
> 
> Shall I have
> 
> ```
> tap "enc1"
> iface "lo1"
> ```
> ?

Delete hostname.enc1 and assign your internal IP to lo1 instead.
Your iked.conf is fine, the "iface lo1" option is only needed for roadwarrior
clients where iked automatically configures the IP address.

> 
> But man iked.conf only mentions "requested" addresses with respect to
> the iface option.
> 
