You don’t have to configure /etc/hostname.enc0, I think. How about removing it and then checking whether this happens again?
> On Jul 6, 2019, at 3:40 AM, David Anthony <[email protected]> wrote:
>
> Hello,
>
> I have an IKEv2 VPN server setup with OpenBSD + IKED + PF. Everything is
> working properly - a single client device will properly route all traffic
> through the VPN and exit from the VPN server via PF + NAT.
>
> However, I experience errors with two clients simultaneously connecting. Both
> clients appear to successfully connect, but I believe NAT issues are
> preventing traffic from leaving the box, or confusing the two client traffic
> streams during NAT. I’m looking for any clues / suggestions which may help
> achieve my use case.
>
> The internet suggests using unique “from CLIENTIPADDR” clauses for each
> potential client in /etc/iked.conf - but I can’t tell ahead of time which
> CIDR ranges my devices will be connecting from (especially roaming cell
> phones). Also, in some cases I may have two devices connecting from the same
> CIDR range. I’m not even sure it’s an IKED issue, rather NAT.
>
> Respectfully,
> David Anthony
>
> /etc/pf.conf
> set skip on lo
> block return
> match out on vio0 from 10.0.0.0/24 to any nat-to vio0
> pass
> block return in on ! lo0 proto tcp to port 6000:6010
> block return out log proto {tcp udp} user _pbuild
>
> /etc/iked.conf
> ikev2 "inet" esp \
> from 0.0.0.0/0 to 10.0.0.0/24 \
> peer any \
> psk "foobar" \
> config address 10.0.0.64/27 \
> config name-server 10.0.0.1 \
> config protected-subnet 0.0.0.0/0
>
> /etc/hostname.enc0
> inet 10.0.0.1 255.255.255.0 10.0.0.255
> up
>
> /etc/rc.conf.local
> iked_flags=
> unbound_flags=
>
> /etc/sysctl.conf
> net.inet.ip.forwarding=1
> net.inet.esp.enable=1
> net.inet.ah.enable=1
> net.inet.ipcomp.enable=1
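The three files quoted above have to agree with each other: the `config address` pool iked hands out must sit inside the remote side of the `from ... to` flow, the PF `nat-to` rule must cover that pool, and (as the reply points out) a static address in /etc/hostname.enc0 is not needed. The following script is an added example, not code from either poster; it cross-checks constructed copies of the posted excerpts with Python's `ipaddress` module. Its parsers only understand the exact rule shapes shown in the thread (one `ikev2` policy, `match out on IF from NET to any nat-to IF`, `inet ADDR MASK`), which is an assumption for illustration rather than a general pf.conf or iked.conf parser.

```python
import ipaddress
import re

# Constructed copies of the config excerpts posted in the thread.
IKED_CONF = '''ikev2 "inet" esp \\
from 0.0.0.0/0 to 10.0.0.0/24 \\
peer any \\
psk "foobar" \\
config address 10.0.0.64/27 \\
config name-server 10.0.0.1 \\
config protected-subnet 0.0.0.0/0
'''

PF_CONF = '''set skip on lo
block return
match out on vio0 from 10.0.0.0/24 to any nat-to vio0
pass
'''

HOSTNAME_ENC0 = '''inet 10.0.0.1 255.255.255.0 10.0.0.255
up
'''


def parse_iked(text):
    """Return (remote_net, address_pool) from a single ikev2 policy.

    Backslash continuations are joined so the policy becomes one line.
    In iked.conf 'from' is the local side and 'to' the remote side; for a
    road-warrior server the remote side is where the clients' addresses live.
    """
    policy = text.replace("\\\n", " ")
    flow = re.search(r"\bfrom (\S+) to (\S+)", policy)
    pool = re.search(r"config address (\S+)", policy)
    if not flow or not pool:
        raise ValueError("policy lacks a from/to flow or a config address")
    return ipaddress.ip_network(flow.group(2)), ipaddress.ip_network(pool.group(1))


def parse_pf_nat(text):
    """Return [(source_net, egress_iface)] for every 'nat-to' match rule."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"match out on (\S+) from (\S+) to any nat-to (\S+)", line.strip())
        if m:
            rules.append((ipaddress.ip_network(m.group(2)), m.group(1)))
    return rules


def parse_enc0(text):
    """Return the ip_interface from an 'inet ADDR MASK' line, or None if absent."""
    m = re.search(r"^inet (\S+) (\S+)", text, re.M)
    if not m:
        return None
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def check_configs(iked_text, pf_text, enc0_text):
    """Cross-check the three files; returns a list of human-readable findings."""
    remote_net, pool = parse_iked(iked_text)
    findings = []
    # 1. Clients are assigned from the pool, so the pool must be inside the flow.
    if not pool.subnet_of(remote_net):
        findings.append(f"pool {pool} is outside the policy's remote side {remote_net}")
    # 2. Traffic from those clients must hit a nat-to rule on the way out.
    nat_rules = parse_pf_nat(pf_text)
    if not any(pool.subnet_of(src) for src, _ in nat_rules):
        findings.append(f"no nat-to rule covers the client pool {pool}")
    # 3. Per the reply in the thread, a static enc0 address is unnecessary here;
    #    flag it when it overlaps the client network.
    enc0 = parse_enc0(enc0_text)
    if enc0 is not None and enc0.network.overlaps(remote_net):
        findings.append(
            f"hostname.enc0 assigns {enc0}, overlapping the client flow {remote_net}; "
            "the static enc0 address is not needed for this iked setup"
        )
    return findings


if __name__ == "__main__":
    for finding in check_configs(IKED_CONF, PF_CONF, HOSTNAME_ENC0):
        print("finding:", finding)
```

Run against the posted excerpts, the pool and NAT checks pass and the only finding is the hostname.enc0 address overlapping the 10.0.0.0/24 client flow; with an empty enc0 file the check list is empty.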

