I hope someone here can shed light on an infuriating problem I’ve spent a week trying to resolve without luck.
The problem concerns an IKED site-to-site VPN on OpenBSD 6.3 (both endpoints fully syspatched). The VPN worked absolutely perfectly until it suddenly started behaving strangely. Seriously, I'm talking about "pass any traffic you can think of", then I go on holiday for a week (nobody else has physical or remote access to the machines, and I did not connect while on holiday), then this behaviour starts.

Basically the behaviour I am seeing is that anything that uses TLS is no longer able to connect (or at least gets no further than trying to do a TLS handshake, e.g. Firefox hangs showing "performing TLS handshake..." at the bottom of the screen), so that means:

- HTTPS websites
- VoIP
- IMAP over TLS
- RDP over TLS

are all broken on the VPN, but all TLS-based services continue to work perfectly off-site (or when the site-to-site VPN is bypassed with a third-party VPN). This impacts multiple servers and multiple clients, so it's not just one server or one desktop PC, it's anything that tries to talk TLS over that VPN! However:

- Ping (including large packet sizes, e.g. "-s 1600")
- SSH
- DNS
- Anything else you care to name that doesn't use TLS

all continue to work perfectly over the VPN.
My PF rules (which cannot possibly be the problem, because they have not changed a single bit between "working" and "not working") don't even differentiate between traffic types, so it can't be some sudden PF oddity:

    pass in on enc from <remote_vpnets> to <local_vpnets> keep state (if-bound) $midPriority
    pass out on enc from <local_vpnets> to <remote_vpnets> keep state (if-bound) $midPriority

Similarly, my IKED config is also completely unchanged between "working" and "not working", and ipsecctl -sa continues to show everything correctly established:

    ikev2 "to remote" active esp from $a_net to $b_net \
        local $local_ext peer $remote_ext \
        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
        childsa enc chacha20-poly1305 group curve25519 \
        srcid $local_ext dstid $remote_ext \
        ikelifetime 4h lifetime 3h bytes 512M \
        ecdsa384

This whole thing is just driving me crazy!
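The symptom pattern in the post (small packets such as SSH, DNS and ping get through, while TLS stalls at the handshake, which is the first point on a connection where near full-size packets flow, e.g. the server's certificate chain) is one that a practitioner would check against the tunnel's effective MTU before looking anywhere else. The helper below is an added example, not code from the original post or from OpenBSD: it computes how much room ESP tunnel mode leaves for an inner packet given the child SA transform, and builds a Don't-Fragment ping probe to test that limit. Note that the "-s 1600" ping the post mentions does not set DF, so it is fragmented by the kernel and does not exercise this case. Assumptions: overheads follow RFC 4303 framing with RFC 7634 sizes for chacha20-poly1305 (8-byte IV, 16-byte ICV), no NAT-T UDP encapsulation is in play, and the ping flags are OpenBSD ping(8)'s (-D sets DF; Linux uses -M do instead). The host addresses and ping output used in the checks are constructed.

```python
# Added diagnostic helper (not from the original post or from OpenBSD):
# estimate the largest inner packet an ESP tunnel can carry without fragmenting
# the outer packet, and build a DF-bit ping probe to verify it on the wire.
import re
import subprocess

IPV4_HDR = 20      # outer IPv4 header
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Per-transform IV/ICV sizes and padding alignment (RFC 4303 framing;
# chacha20-poly1305 per RFC 7634, AES-GCM per RFC 4106, AES-CBC+HMAC-SHA2-256
# per RFC 3602/4868).  Assumption: plain ESP, no NAT-T UDP encapsulation.
TRANSFORMS = {
    "chacha20-poly1305":         {"iv": 8,  "icv": 16, "align": 4},
    "aes-256-gcm":               {"iv": 8,  "icv": 16, "align": 4},
    "aes-256-cbc/hmac-sha2-256": {"iv": 16, "icv": 16, "align": 16},
}


def esp_outer_size(transform: str, inner_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    t = TRANSFORMS[transform]
    body = inner_len + ESP_TRAILER
    padded = -(-body // t["align"]) * t["align"]   # round body up to alignment
    return IPV4_HDR + ESP_SPI_SEQ + t["iv"] + padded + t["icv"]


def max_inner_packet(transform: str, outer_mtu: int = 1500) -> int:
    """Largest inner IP packet that still fits outer_mtu after encapsulation."""
    size = outer_mtu
    while esp_outer_size(transform, size) > outer_mtu:
        size -= 1
    return size


def tcp_mss_for(transform: str, outer_mtu: int = 1500) -> int:
    """TCP MSS a host behind the tunnel should use: inner MTU minus IPv4+TCP headers."""
    return max_inner_packet(transform, outer_mtu) - 40


def ping_cmd(host: str, inner_len: int) -> list:
    """OpenBSD ping(8) invocation sending one inner_len-byte packet with DF set.
    -D sets Don't Fragment; -s is the ICMP payload, i.e. the inner packet minus
    28 bytes of IPv4+ICMP header.  (Linux: replace -D with -M do.)"""
    return ["ping", "-D", "-c", "1", "-s", str(inner_len - 28), host]


def packets_received(ping_output: str) -> int:
    """Parse the 'N packets received' summary line that ping prints."""
    m = re.search(r"(\d+) packets? received", ping_output)
    return int(m.group(1)) if m else 0


def probe(host: str, transform: str, outer_mtu: int = 1500) -> dict:
    """Send two DF probes across the tunnel: one that should just fit and one
    byte larger.  'fits' failing means something on the path drops full-size
    packets (a blackhole); 'oversize' succeeding means fragmentation is being
    done silently somewhere.  Requires real network access."""
    limit = max_inner_packet(transform, outer_mtu)
    results = {}
    for label, size in (("fits", limit), ("oversize", limit + 1)):
        out = subprocess.run(ping_cmd(host, size), capture_output=True, text=True)
        results[label] = packets_received(out.stdout) > 0
    return results


if __name__ == "__main__":
    # The post's child SA uses chacha20-poly1305; host address is a placeholder.
    t = "chacha20-poly1305"
    print("max inner packet:", max_inner_packet(t), "suggested TCP MSS:", tcp_mss_for(t))
    print("probe command:", " ".join(ping_cmd("192.0.2.10", max_inner_packet(t))))
```

Run the probe from a host on one side of the tunnel toward a host on the other side; if the "fits" probe is lost while the plain ping works, the path is dropping full-size packets and the TLS hang is explained without touching PF or IKED at all. The same numbers also tell you what MSS clamping value would be needed if the path cannot be fixed.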