I recently moved from ipsec/npppd to ikev2.
Making the change went easily enough.
However, there is something that I can't seem to figure out.
I am using ikev2/ipsec to create a tunnel between two networks. Each network
faces the internet through a openbsd gateway which gets is public IP via DHCP.
Local Net --> IPSEC GW --> Internet <--
IPSEC GW <-- Remote Net
10.3.0.0/16 10.3.0.20 (int)
192.168.0.1 (int) 192.168.0.0/24
73.208.x.x (public DHCP)
99.23.x.x (public DHCP)
The iked.conf file on each end is relatively simple.
The "local" end:
ikev2 "static_vpn" quick passive ipcomp esp from 10.3.0.0/16 to 192.168.0.0/24
peer 99.23.x.x srcid local.domain.com dstid remote.domain.com
And, on the "remote" end:
ikev2 "static_vpn" active ipcomp esp from 192.168.0.0/24 to 10.3.0.0/16 peer
73.208.x.x srcid remote.domain.com dstid local.domain.com
This works without an issue. The tunnel is created, and all traffic gets
forwarded from the two networks as expected.
I can also contact (ssh) the "remote" IPSEC GW from a client on the "local" net
via the tunnel (i.e. using 192.168.0.1 as the destination).
But, if I try to connect to the "remote" IPSEC GW using its public IP
(99.23.x.x) from a client on the "local" net, there is no connection.
If I take the tunnel down, then I can connect (ssh) to the public IP of the
remote IPSEC GW again.
But, I don't understand why the traffic destined for the public IP of the remote
IPSEC GW is (apparently??) being intercepted by iked.
The way I read the man page, I was under the impression that only traffic for
"192.168.0.0/24" would be encapsulated in the tunnel (using the rules above);
and that traffic destined for the public IP of the "peer" would be ignored by
Is there something I am missing?