On Thu, Dec 07 2017, Bernd <be...@kroenchenstadt.de> wrote:

> On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
>> On Wed, Dec 06 2017, Bernd <be...@kroenchenstadt.de> wrote:

[...]

>>> As a result, the IPSec tunnel cannot be established. What did
>>> I overlook here?
>>
>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
>> 4 of DESCRIPTION.
>
> Hi,
>
> ipsec=YES is set in rc.conf.local:
>
> # cat /etc/rc.conf.local
> isakmpd_flags="-K"
> ipsec=YES # IPsec

OK, then let's go back to your config: did you test it for validity?

ritchie ~$ cat /tmp/ipsec.conf
ike esp from any to any peer 192.0.2.1/27 \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "myverygoodsecretPSK"
ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
/tmp/ipsec.conf: 1: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
ritchie ~$

Drop the /27 and ipsecctl(8) is happy. It seems weird to specify a
netmask as a "peer", maybe you should reconsider what you're using
"peer" for.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
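The rule that failed above, turned into a small pre-flight check. This is an added example, not code from the thread or from OpenBSD's ipsecctl(8): it joins backslash-continued lines the way the posted config uses them, pulls the argument after each "peer" keyword in an "ike" rule, and reports a prefix length there (the "/27" that produced the syntax error), while a prefix on "from"/"to" is only checked for being a well-formed network, since those selectors do take networks. The two configs are the one from the thread and its corrected form; everything else is an assumption of this example. It checks the one mistake discussed here, it is not a grammar check, and it does not replace running ipsecctl -nvf before loading the rules.

```python
import ipaddress

# The rule posted in the thread, including the "/27" on the peer that
# ipsecctl(8) rejected with "1: syntax error".
BROKEN_CONF = """\
ike esp from any to any peer 192.0.2.1/27 \\
    main auth hmac-sha2-256 enc aes-256 group modp2048 \\
    psk "myverygoodsecretPSK"
"""

# The same rule with the prefix length dropped from "peer".
FIXED_CONF = BROKEN_CONF.replace("192.0.2.1/27", "192.0.2.1")


def logical_lines(text):
    """Join backslash-continued lines; return (first_line_no, rule) pairs,
    skipping blank lines and '#' comments."""
    out, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            out.append((start, stripped))
        buf, start = "", None
    if buf.strip():  # continuation at end of file
        out.append((start, buf.strip()))
    return out


def keyword_args(rule, keyword):
    """Return the token following each occurrence of `keyword` in a rule."""
    toks = rule.split()
    return [toks[i + 1] for i, t in enumerate(toks)
            if t == keyword and i + 1 < len(toks)]


def check_rules(text):
    """Return a list of (line_no, message) for ike rules whose 'peer' carries
    a prefix length, or whose 'from'/'to' prefix is not a valid network."""
    problems = []
    for lineno, rule in logical_lines(text):
        if not rule.startswith("ike "):
            continue
        for arg in keyword_args(rule, "peer"):
            if "/" in arg:
                host = arg.partition("/")[0]
                problems.append((lineno,
                    f"peer {arg!r}: a prefix length is not a peer; "
                    f"use a single address such as {host!r}"))
        for kw in ("from", "to"):
            for arg in keyword_args(rule, kw):
                if "/" in arg:
                    try:
                        ipaddress.ip_network(arg, strict=False)
                    except ValueError:
                        problems.append((lineno, f"{kw} {arg!r}: not a valid network"))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = check_rules(conf)
        print(f"{name}: {'no problems' if not found else ''}")
        for lineno, msg in found:
            print(f"  line {lineno}: {msg}")
```

The check runs on the text alone, so it can be dropped into a pre-commit hook or a config pipeline on any machine; the authoritative test is still ipsecctl -nvf on the OpenBSD host.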