Maybe try a more open subnet in the from and to, at least for testing. Something like this - from 0.0.0.0/0 to 0.0.0.0/0
On Mon, Mar 12, 2018 at 6:02 AM, Aaron <[email protected]> wrote:
> Hi all,
>
> I’m having an issue with iked. I’m assuming it's something trivial but I
> can’t seem to figure it out. I’ve set up an IPsec connection between my home
> edge gateway running 6.2 and an instance I set up in the cloud also running
> 6.2.
> So I’ve got the tunnel established and my home gateway which has multiple
> interfaces is reachable. Between the two gateways (my home and the cloud
> instance) all the interfaces are reachable, but if from the cloud instance
> I try and ping an IP in a subnet behind my home gateway I get no response,
> and if I try and ping the cloud gateway from one of those subnets I also
> get no response.
> I’ve run tcpdump on the enc0 interface on my home gateway while pinging
> the cloud instance from one of my internal subnets. I can see the echo
> requests AND the replies on the enc0 interface, but the replies seem to
> disappear at this point. I see no blocks in my firewall log.
>
> Cloud gateway iked.conf:
> ikev2 passive ipcomp esp \
> from 10.0.0.0/8 to cloudIP \
> from cloudIP to 10.0.0.0/8 \
> local cloudIP peer any \
> srcid MYCLOUDFQDN \
> psk "MYPSK" \
> tag IKED
>
> home gateway iked.conf:
> ikev2 active ipcomp esp \
> from 10.0.0.0/8 to cloudIP \
> from cloudIP to 10.0.0.0/8 \
> peer cloudIP \
> srcid MYHOMEFQDN \
> psk MYPSK \
> tag IKED
>
> I’ve tried “set skip on enc0”
>
> snippet from my home gateway pf.conf:
> pass in quick log on $if_extern inet proto udp from ! <internal> to $pub_ip0 port $svc_ipsec_portgrp
> pass in quick log on $if_extern inet proto esp from ! <internal> to $pub_ip0
>
> pass out log on $if_extern inet proto esp
> pass in log on enc0 inet proto ipencap from $cloud_ip to $pub_ip0 keep state (if-bound)
> pass in log on enc0 inet proto {tcp udp icmp} from any to any keep state (if-bound) tagged IKED tag INTERNAL
> pass in log on enc0 inet proto {tcp udp icmp} from any to self
> pass out log on enc0 inet from any to <internal> keep state (if-bound) tag INTERNAL
> pass out quick log on enc0 inet from any to $cloud_ip
> […] further down […]
> pass out tagged INTERNAL
>
> Any idea what’s going on?
>
> Sent from my iPhone
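As an added illustration (not from the thread or from iked itself), the script below pulls the `from X to Y` selector pairs out of an iked.conf snippet and reports whether a given source/destination pair is covered by any flow, comparing the 10.0.0.0/8 <-> cloudIP flows from the post with the 0.0.0.0/0 <-> 0.0.0.0/0 flow the reply suggests trying. All IP addresses are constructed stand-ins, since the post only uses the placeholder "cloudIP".

```python
import ipaddress

# Constructed stand-in for the post's "cloudIP" placeholder (hypothetical value).
CLOUD_IP = "203.0.113.10"

# Flow selectors as in the home gateway iked.conf from the post (other options omitted).
HOME_CONF = """
ikev2 active ipcomp esp \\
from 10.0.0.0/8 to cloudIP \\
from cloudIP to 10.0.0.0/8 \\
peer cloudIP
"""

# The wider selectors the reply suggests for testing.
WIDE_CONF = """
ikev2 active ipcomp esp \\
from 0.0.0.0/0 to 0.0.0.0/0 \\
peer cloudIP
"""


def parse_flows(conf, cloud_ip=CLOUD_IP):
    """Return (src_net, dst_net) pairs for every 'from X to Y' clause in the snippet."""
    tokens = conf.replace("\\", " ").replace("cloudIP", cloud_ip).split()
    flows = []
    for i, tok in enumerate(tokens):
        if tok == "from" and i + 3 < len(tokens) and tokens[i + 2] == "to":
            src = ipaddress.ip_network(tokens[i + 1], strict=False)
            dst = ipaddress.ip_network(tokens[i + 3], strict=False)
            flows.append((src, dst))
    return flows


def covered(flows, src, dst):
    """True if some flow's selectors match this source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in fs and d in fd for fs, fd in flows)


def check(conf, pairs):
    """Map each (src, dst) pair to whether the config's flows would cover it."""
    flows = parse_flows(conf)
    return {pair: covered(flows, *pair) for pair in pairs}


if __name__ == "__main__":
    # Echo request from an internal host, its reply, and a packet to a second
    # cloud-side address (198.51.100.5, constructed) that lies outside the selectors.
    pairs = [("10.1.2.3", CLOUD_IP), (CLOUD_IP, "10.1.2.3"), ("10.1.2.3", "198.51.100.5")]
    for name, conf in (("home", HOME_CONF), ("wide", WIDE_CONF)):
        print(name, check(conf, pairs))
```

A pair that reports False is one the flow selectors would never place into the tunnel, which is worth ruling out before looking at pf.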

