Hi, I think you need to look at the PF configuration on your setup. My configuration is as follows,
(Not my full pf.conf)

# Allow iked
pass in quick log on egress proto esp from any to egress label "IKED-ESP"
pass in quick log on egress proto udp from any to egress port $iked_ports label "IKED-IN"

# Block all
block log all

# Pass traffic on interface enc0
pass log on enc0 tagged IKED label "IKED-ENC-TAG"

# Pass out all
pass out

Check the PF traffic using tcpdump, "doas tcpdump -n -e -ttt -i pflog0"

> On 13 Feb 2020, at 10:07 pm, Shadrock Uhuru <[email protected]> wrote:
>
> On 13.02.2020 08:43, Robert Paschedag wrote:
>>
>> sent from my mobile device
>>
>> On 12 February 2020 15:07:46 Shadrock Uhuru <[email protected]> wrote:
>>
>>> hi everyone
>>> I have setup iked on my firewall and laptop as a roadwarrior setup
>>> following https://www.openbsd.org/faq/faq17.html
>>> I've tested from within the local network
>>> but no flows are started.
>>> could someone have a look at the following files to see where I have
>>> erred.
>>
>> Looks like your client cert (pegasus) is missing a subjectAltName.
>>
>> Robert
>>
>>> # my iked config method
>>> http://paste.openstack.org/show/789464/
>>>
>>> imhoptep iked logs (responder)
>>> http://paste.openstack.org/show/789465/
>>>
>>> pegasus iked logs (initiator)
>>> http://paste.openstack.org/show/789466/
>>>
>>> thanks shadrock
>
> As https://www.openbsd.org/faq/faq17.html does not mention anything
> about subjectAltName I've researched across the net and found the following
> information:
>
> IKEv2 VPN server certificate must contain either the server's IP address
> or its FQDN as the subjectAltName.
> Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
> currently attached to. In order to simplify the routing from my-net
> (tissisat.co.uk) back to the roadwarrior (pegasus) it would be desirable if
> the roadwarrior had an inner IP address chosen from a pre-assigned pool.
>
> if this is the way to deal with subjectAltName
> what are the steps to achieve this?
>
> shadrock
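The tcpdump check suggested in the reply prints one line per logged PF event, and with a roadwarrior that never gets a flow the useful question is which rule dropped the IKE (UDP 500/4500), ESP or enc0 packets. The script below is an added example, not code from the thread or from OpenBSD: it parses lines in the shape OpenBSD's "tcpdump -n -e -ttt -i pflog0" prints (that shape, the sample lines and the addresses are constructed assumptions) and tallies blocked VPN traffic by rule number, direction and interface, so a missing "pass" rule shows up as a rule number you can look up with "pfctl -vvsr".

```python
"""Triage pflog0 tcpdump output for IKE, ESP and enc0 packets that PF blocked."""
import re
from dataclasses import dataclass

# Assumed line shape from "tcpdump -n -e -ttt -i pflog0" on OpenBSD:
#   <timestamp> rule N/(match) block in on em0: src.port > dst.port: <decode>
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)"
)

IKE_PORTS = {"500", "4500"}   # IKEv2 and NAT-T, the $iked_ports of the pf.conf above


@dataclass
class PfEvent:
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    rest: str


def parse_pflog_line(line):
    """Return a PfEvent for a pflog decode line, or None for anything else."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return PfEvent(int(m.group("rule")), m.group("action"), m.group("dir"),
                   m.group("ifname"), m.group("src"), m.group("dst"), m.group("rest"))


def _port(addr):
    """'203.0.113.5.4500' -> '4500'; a bare IPv4 address (ESP, ICMP) -> None.
    IPv6 endpoints are not handled and also return None."""
    parts = addr.rsplit(".", 1)
    if len(parts) == 2 and parts[1].isdigit() and parts[0].count(".") == 3:
        return parts[1]
    return None


def classify(ev):
    """'esp', 'ike' or 'enc' for VPN-related packets, None for everything else."""
    if ev.rest.startswith("esp"):
        return "esp"
    if _port(ev.src) in IKE_PORTS or _port(ev.dst) in IKE_PORTS:
        return "ike"
    if ev.ifname.startswith("enc"):
        return "enc"          # decapsulated traffic that needs the "tagged IKED" pass rule
    return None


def blocked_vpn_events(lines):
    """All blocked events that belong to the VPN, as (kind, PfEvent) pairs."""
    findings = []
    for line in lines:
        ev = parse_pflog_line(line)
        if ev is None or ev.action != "block":
            continue
        kind = classify(ev)
        if kind:
            findings.append((kind, ev))
    return findings


def summarize(lines):
    """Count blocked VPN packets keyed by (kind, direction, interface, rule number)."""
    counts = {}
    for kind, ev in blocked_vpn_events(lines):
        key = (kind, ev.direction, ev.ifname, ev.rule)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample capture; addresses are documentation ranges, not real hosts.
SAMPLE_PFLOG = """\
Feb 13 22:10:01.102938 rule 1/(match) pass in on em0: 203.0.113.5.500 > 192.0.2.1.500: isakmp v2.0 exchange IKE_SA_INIT
Feb 13 22:10:01.205512 rule 3/(match) block in on em0: 203.0.113.5.4500 > 192.0.2.1.4500: [udp sum ok] udp 1172
Feb 13 22:10:02.001200 rule 3/(match) block in on em0: 203.0.113.5 > 192.0.2.1: esp spi 0x1a2b3c4d seq 1 len 116
Feb 13 22:10:02.440010 rule 3/(match) block out on enc0: 10.0.1.2 > 10.0.0.1: icmp: echo request
Feb 13 22:10:03.000000 rule 3/(match) block in on em0: 198.51.100.7.53 > 192.0.2.1.53: [udp sum ok] udp 40
""".splitlines()


if __name__ == "__main__":
    for (kind, direction, ifname, rule), n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(f"{n:4d} blocked {kind:3s} {direction:3s} on {ifname} by rule {rule}")
```

Feed it a saved capture with "doas tcpdump -n -e -ttt -i pflog0 > pflog.txt" and pass the lines of that file to summarize(); in the sample, the IKE_SA_INIT packet passes on rule 1 but NAT-T, ESP and the enc0 traffic all land on rule 3, which in the configuration above would be "block log all", i.e. the pass rules are not matching. The DNS line is ignored because it is not VPN traffic.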

