Zé, thank you for your detailed reply!
I put some comments in your message below.
On 10/04, Zé Loff wrote:
> If you mean OpenBSD "at the office" and OpenBSD on a roaming laptop,
> this works for me (tm):
>
> "At the office" iked.conf:
>
> ikev2 dion passive esp \
> from 192.168.99.0/24 to 192.168.100.3 \
> local 192.168.99.1 peer any \
> srcid vpn.example.com dstid dion.example.com
My config is similar:
ikev2 passive ipcomp esp \
from 192.168.240.0/21 to 192.168.248.0/24 \
local <my-real-ip> peer any \
srcid <my-real-ip>
tag "$id"
> On "the wanderer" iked.conf:
> ikev2 home active esp \
> from egress to 192.168.99.0/24 \
^^^^^^^^^^^
A-ha. Didn't know it's possible and AFAIK it's undocumented
> local egress peer vpn.example.com \
> srcid dion.example.com dstid vpn.example.com
My wanderer iked.conf:
ikev2 active ipcomp esp \
from 192.168.248.231 to 192.168.240.0/21 \
peer <my-real-ip> \
srcid client.my.vpn
> On the "wanderer" pf.conf:
>
> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
My /etc/pf.conf config:
match out on enc0 to 192.168.240/21 nat-to 192.168.248.231
I was concerned about client's dynamic IP and to deal with the issue I
created loopback interface and set up route to LAN behind VPN via this
interface:
/etc/hostname.iwn0
!ifconfig lo248 inet 192.168.248.231 255.255.255.255 mtu 1400 up
route add -net 192.168.240.0/21 192.168.248.231 -mtu 1400
I'll try to get rid of this lo248 interface and see if it works for me,
thanks!
--
With best regards,
Pavel Korovin
