> I'm not sure about that bge0 rule. iked.conf(5) mentions ipencap only
> in the context of enc interfaces.
> You could try adding 'set skip on enc0' to find out if pf is the problem.

That rule has been the same for some years now, without problem. I tried adding 'set skip on enc0', but the problem persists.

> If that doesn't help you could share the output of 'ipsecctl -sa' to find
> out if the IPsec SAs or flows are the problem.

That may be the problem; there is nothing between 192.168.1.109 and 192.168.9.101. (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to; 192.168.9.101 is what the VPN client is trying to communicate with.)

# ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256
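The state shown above (two ESP SAs in the SAD but "No flows") is the classic symptom of a tunnel that has negotiated keys but has no policy telling the kernel which inner traffic to put into it, so packets between 192.168.1.109 and 192.168.9.101 never enter the tunnel. The following shell script is an added diagnostic, not part of the original thread and not an OpenBSD tool: it takes the text of `ipsecctl -sa`, counts SAs and flows, and checks whether any flow's from/to selectors cover a given inner source and destination. The first sample is reconstructed from the output quoted in the post; the second sample with flow lines is constructed, and its flow line layout ("flow esp <in|out> from A to B peer P ...") is an assumption about ipsecctl's format rather than something the post shows.

```shell
#!/bin/sh
# Added diagnostic for "SAs present but no flows" (not from the original thread).
# Usage: diagnose "<ipsecctl -sa output>" <inner-src> <inner-dst>
# Exit status: 0 = a flow covers the pair, 1 = SAs but no matching flow, 2 = no SAs.

# Constructed sample reproducing what the poster showed: SAs, no flows.
SAMPLE_NO_FLOWS='FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256'

# Constructed sample of a working tunnel. The flow line format is an assumption.
SAMPLE_WITH_FLOWS='FLOWS:
flow esp in from 192.168.1.109 to 192.168.9.0/24 peer 192.168.1.109 type use
flow esp out from 192.168.9.0/24 to 192.168.1.109 peer 192.168.1.109 type require

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256'

# sa_count OUTPUT: number of ESP tunnel SAs listed under SAD
sa_count() {
    printf '%s\n' "$1" | grep -c '^esp tunnel from ' || true
}

# flow_count OUTPUT: number of flow entries listed under FLOWS
flow_count() {
    printf '%s\n' "$1" | grep -c '^flow ' || true
}

# flow_matches OUTPUT SRC DST: exit 0 if some flow's from/to selectors
# (host or CIDR) cover SRC and DST in either direction.
flow_matches() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
    function ip2n(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    # covers(net, host): true if host lies inside net (net may be a bare address)
    function covers(net, host,  n, d) {
        if (index(net, "/") == 0) net = net "/32"
        split(net, n, "/")
        d = 2 ^ (32 - n[2])                      # size of one prefix block
        return int(ip2n(n[1]) / d) == int(ip2n(host) / d)
    }
    /^flow / {
        f = ""; t = ""
        for (i = 1; i < NF; i++) {
            if ($i == "from") f = $(i + 1)
            if ($i == "to")   t = $(i + 1)
        }
        if ((covers(f, src) && covers(t, dst)) || (covers(f, dst) && covers(t, src))) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# diagnose OUTPUT SRC DST: print a verdict and return the status described above
diagnose() {
    out=$1; src=$2; dst=$3
    if [ "$(sa_count "$out")" -eq 0 ]; then
        echo "no SAs: IKE negotiation has not completed for this peer"
        return 2
    fi
    if flow_matches "$out" "$src" "$dst"; then
        echo "SAs and a matching flow exist for $src <-> $dst"
        return 0
    fi
    echo "SAs exist ($(sa_count "$out")) but $(flow_count "$out") flows cover $src <-> $dst: traffic will not enter the tunnel"
    return 1
}

# Demonstration on the constructed samples
diagnose "$SAMPLE_NO_FLOWS" 192.168.1.109 192.168.9.101 || echo "exit status: $?"
diagnose "$SAMPLE_WITH_FLOWS" 192.168.1.109 192.168.9.101 || echo "exit status: $?"
```

On a live box you would run it as `diagnose "$(ipsecctl -sa)" 192.168.1.109 192.168.9.101`; a status of 1 points at the flow/policy side of iked.conf rather than at pf or at the SA negotiation, which matches what the quoted output shows.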

