On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt <patr...@blueri.se> wrote:
> If you want to use a specific address for a policy, you can use the
> "local" keyword to specify it. This is part of the policy, not a global
> option.
>
> Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
> only match if the IP address matches the one specified as "local".
My config is basically:

Remote:
=======================
local_gw="a.b.c.164"
local_net="172.20.28.0/23"
server_gw="x.y.z.45"
server_net="172.26.62.0/23"
state="active"

ikev2 'remote_rsa' $state esp \
    from $local_net to $server_net \
    local $local_gw peer $server_gw \
    dstid server.example.com
=======================

Server:
=======================
local_gw="x.y.z.45"
local_net="172.26.62.0/23"
remote_gw="a.b.c.164"
remote_net="172.20.28.0/23"
state="passive"

ikev2 'server_rsa' $state esp \
    from $local_net to $remote_net \
    local $local_gw peer $remote_gw \
    srcid server.example.com
=======================

Both outside nets are /29's and the .164 and .45 are aliases, with .161 and .41 being the main address. However, in troubleshooting I kept seeing information moving on the main addresses, and my pf.conf rules were configured for the alias addresses. Being new to ikev2 setup I may have this all wrong.

Thanks!
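As an added illustration (not part of the thread, not iked's own tooling): a small checker that expands the $macro variables in the two iked.conf fragments above, pulls out the policy fields, and confirms the two ends mirror each other, i.e. one side's "local" is the other's "peer", "from" matches "to", and dstid matches srcid. The config text is copied from the post; the parser only understands the simple name="value" macro form used there.

```python
import re

# Constructed from the two fragments in the post (placeholder addresses kept).
REMOTE_CONF = '''
local_gw="a.b.c.164"
local_net="172.20.28.0/23"
server_gw="x.y.z.45"
server_net="172.26.62.0/23"
state="active"
ikev2 'remote_rsa' $state esp \\
    from $local_net to $server_net \\
    local $local_gw peer $server_gw \\
    dstid server.example.com
'''
SERVER_CONF = '''
local_gw="x.y.z.45"
local_net="172.26.62.0/23"
remote_gw="a.b.c.164"
remote_net="172.20.28.0/23"
state="passive"
ikev2 'server_rsa' $state esp \\
    from $local_net to $remote_net \\
    local $local_gw peer $remote_gw \\
    srcid server.example.com
'''

def parse_policy(text):
    """Return the ikev2 policy as a dict with $macros expanded."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    joined = re.sub(r'\\\n\s*', ' ', text)          # join "\"-continued lines
    line = next(l for l in joined.splitlines() if l.startswith('ikev2'))
    line = re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], line)
    toks = line.split()
    fields = {'name': toks[1].strip("'"), 'mode': toks[2]}
    for i, t in enumerate(toks):
        if t in ('from', 'to', 'local', 'peer', 'srcid', 'dstid'):
            fields[t] = toks[i + 1]
    return fields

def mirror_problems(a, b):
    """List mismatches between one end's policy and the other end's."""
    pairs = [('local', 'peer'), ('peer', 'local'), ('from', 'to'),
             ('to', 'from'), ('dstid', 'srcid'), ('srcid', 'dstid')]
    problems = [f"{ka}={a[ka]} on one side vs {kb}={b[kb]} on the other"
                for ka, kb in pairs
                if ka in a and kb in b and a[ka] != b[kb]]
    if {a['mode'], b['mode']} != {'active', 'passive'}:
        problems.append('one side should be active and the other passive')
    return problems
```

With the two fragments as posted, mirror_problems() returns an empty list; a policy whose peer is the main address (.161) instead of the alias (.164) would be reported.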