I recently moved from ipsec/npppd to ikev2.

Making the change went easily enough.

However, there is something that I can't seem to figure out.

I am using ikev2/ipsec to create a tunnel between two networks.  Each network
faces the internet through an OpenBSD gateway which gets its public IP via DHCP.

Local Net  -->  IPSEC GW       -->  Internet  <--  IPSEC GW      <--  Remote Net
  (int)         73.208.x.x                         99.23.x.x           (int)
                (public DHCP)                      (public DHCP)

The iked.conf file on each end is relatively simple.
The "local" end:

ikev2 "static_vpn" quick passive ipcomp esp from to
peer 99.23.x.x srcid local.domain.com dstid remote.domain.com

And, on the "remote" end:

ikev2 "static_vpn" active ipcomp esp from to peer
73.208.x.x srcid remote.domain.com dstid local.domain.com

This works without an issue.  The tunnel is created, and all traffic gets
forwarded from the two networks as expected.

I can also contact (ssh) the "remote" IPSEC GW from a client on the "local" net
via the tunnel (i.e. using as the destination).

But, if I try to connect to the "remote" IPSEC GW using its public IP
(99.23.x.x) from a client on the "local" net, there is no connection.

If I take the tunnel down, then I can connect (ssh) to the public IP of the
remote IPSEC GW again.

But, I don't understand why the traffic destined for the public IP of the remote
IPSEC GW is (apparently??) being intercepted by iked.

The way I read the man page, I was under the impression that only traffic for
"" would be encapsulated in the tunnel (using the rules above);
and that traffic destined for the public IP of the "peer" would be ignored by

Is there something I am missing?
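To see whether a given packet is actually covered by an installed flow (the question raised above), here is an added example that is not from the original post or from OpenBSD: a small Python parser for `ipsecctl -sf`-style flow lines that reports which flows match a direction, source and destination. The exact line layout is an assumption, and the sample flows (documentation prefixes) are constructed; the third sample flow deliberately includes the peer's own address as a destination selector to show what a flow that would capture traffic to the peer's public IP looks like.

```python
# Added diagnostic, not part of the original post. Parses constructed
# `ipsecctl -sf`-style lines ("flow esp out from A to B peer P ... type T";
# layout assumed) and reports which flows cover a given packet.
import ipaddress
import re

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+peer\s+(?P<peer>\S+)(?:\s+srcid\s+(?P<srcid>\S+))?(?:\s+dstid\s+(?P<dstid>\S+))?"
    r"(?:\s+type\s+(?P<type>\S+))?"
)

# Constructed sample output: 192.0.2.0/24 is the "local" net, 198.51.100.0/24
# the "remote" net, 203.0.113.2 the remote gateway's public address.
SAMPLE_FLOWS = """\
flow esp out from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.2 srcid FQDN/local.example dstid FQDN/remote.example type require
flow esp in from 198.51.100.0/24 to 192.0.2.0/24 peer 203.0.113.2 srcid FQDN/local.example dstid FQDN/remote.example type require
flow esp out from 192.0.2.0/24 to 203.0.113.2/32 peer 203.0.113.2 srcid FQDN/local.example dstid FQDN/remote.example type require
"""


def parse_flows(text):
    """Return a list of dicts, one per parsed flow, with src/dst as networks."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a flow line
        d = m.groupdict()
        d["src"] = ipaddress.ip_network(d["src"], strict=False)
        d["dst"] = ipaddress.ip_network(d["dst"], strict=False)
        flows.append(d)
    return flows


def matching_flows(flows, direction, src_ip, dst_ip):
    """Flows whose direction and selectors cover a packet src_ip -> dst_ip."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [f for f in flows
            if f["dir"] == direction and src in f["src"] and dst in f["dst"]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in matching_flows(flows, "out", "192.0.2.10", "203.0.113.2"):
        print(f"covered by flow to {f['dst']} via peer {f['peer']}")
```

Run against real `ipsecctl -sf` output, a flow whose `to` selector contains the peer's public address is the thing to look for when traffic to that address stops working while the tunnel is up.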

