I've been a long-time user of OpenBSD, but this is the first time I'm trying to set up a VPN. I'm not sure what I'm doing wrong, or what the next troubleshooting step should be. I've probably reviewed every IKEv2 how-to I can find.

I need to end up with a configuration that will support several simultaneous roaming users connecting from anywhere they happen to be.

Client: macOS 10.15.7, using the built-in VPN client
Server: OpenBSD 6.6
  em1  = 23.X.X.128/29
  em0  = 10.0.0.0/16
  enc0 = 10.1.0.0/16

From the client I can connect to 10.0.0.1, but for anything outside that network traffic slows but does not return:

# --- client: curl -v ipinfo.io/ip ---
* Trying 216.239.36.21:80...
[ never connects ]

# --- server: iked -dv ---
ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0 config netmask 255.255.0.0 config name-server 10.0.0.1

[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local 23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local 23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local 23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local 23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501 to 23.X.X.129:4500 policy 'vpn'

[--- CLIENT DISCONNECTS ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local 23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local 23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501 to 23.X.X.129:4500 policy 'vpn'

# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---
tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408271831 0,sackOK,eol> (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408272831 0,sackOK,eol> (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408273831 0,sackOK,eol> (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408274831 0,sackOK,eol> (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408275831 0,sackOK,eol> (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408276831 0,sackOK,eol> (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408278831 0,sackOK,eol> (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408282832 0,sackOK,eol> (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408290832 0,sackOK,eol> (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 408306832 0,sackOK,eol> (DF)

# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---
tcpdump: listening on enc0, link-type ENC
[ no output ]

# --- server: iked.conf ---
# TODO: Change from psk authentication to user-based later.
ikev2 "vpn" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local egress peer any \
        srcid vpn.<server>.com \
        psk "password" \
        config address 10.1.0.0/16 \
        config netmask 255.255.0.0 \
        config name-server 10.0.0.1 \
        tag "IKED"

# --- server: pf.conf ---
doas cat pf.conf.vpn
int_if = "em0"
ext_if = "em1"
ext_net = "23.X.X.128/29"
gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on {lo, enc0}

block return    # block stateless traffic
pass            # establish keep-state
pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1
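The em1 capture in the post already points at the cause: the client's SYNs leave the external interface with their untranslated source 10.1.114.47. The only nat-to rule in pf.conf matches `$int_if:network`, which expands to em0's 10.0.0.0/16, so addresses handed out from the iked pool 10.1.0.0/16 are never translated and the upstream has no route back for the replies. The fragment below is an added example written for this page, not the poster's file and not OpenBSD documentation; the interface names and the 10.1.0.0/16 pool are taken from the post, the `vpn_net` macro name is an assumption, and only the last rule is new.

```pf
# pf.conf fragment for the IKEv2 gateway: translate both the LAN and the
# iked address pool when they leave em1. Added example, not the original
# poster's config; the vpn_net macro name is assumed.
int_if  = "em0"
ext_if  = "em1"
vpn_net = "10.1.0.0/16"          # must match "config address" in iked.conf

set skip on { lo enc0 }

block return    # block stateless traffic
pass            # default keep-state pass

# Original rule: translates only em0's network (10.0.0.0/16).
pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

# Missing rule: without it, packets from the roaming clients leave em1 with
# their 10.1.x.x source intact (exactly what the em1 tcpdump shows) and the
# replies never come back.
pass out on $ext_if from $vpn_net to any nat-to ($ext_if:0)
```

Load it with `doas pfctl -f /etc/pf.conf` and confirm with `doas pfctl -s rules` that the second nat-to rule is present; after the client reconnects, `tcpdump -n -i em1 host 216.239.36.21` should show the SYNs leaving from 23.X.X.129 rather than from 10.1.114.47. Two caveats: `set skip on enc0` disables filtering on enc0 entirely, so any per-client policy has to be applied on em0 and em1 instead; and hosts on 10.0.0.0/16 other than the gateway itself need a route back to 10.1.0.0/16 via 10.0.0.1 (or an equivalent nat-to on em0), which the posted config does not cover.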