On Tue, Jul 27, 2021 at 11:18:53AM +0200, Patrick Wildt wrote:
> On Tue, Jul 27, 2021 at 09:55:34AM +0200, Claudio Jeker wrote:
> > On Tue, Jul 27, 2021 at 07:32:09AM -0000, Stuart Henderson wrote:
> > > On 2021-07-27, Vladimir Nikishkin <[email protected]> wrote:
> > > > Hello, everyone.
> > > >
> > > > This is my iked.conf:
> > > >
> > > > ```
> > > > ikev2 "for-phone" passive esp \
> > > > from any to 10.0.3.2/32 \
> > > > local egress peer any \
> > > ...
> > > > dstid phone.mine \
> > > >
> > > > ikev2 "for-laptop" passive esp \
> > > > from any to 10.0.3.3/32 \
> > > > local egress peer any \
> > > ...
> > > > dstid laptop.mine \
> > >
> > > Two policies with "peer any" don't work.
> > >
> > > > How to correct the setup?
> > >
> > > Maybe it's possible by modifying the code, I'm not sure if the
> > > id is sent early enough though so it might not be possible.
> >
> > This is one of the biggest annoyances of iked. It does not even help to
> > use different IPs and 'local' to split up the rules. Would love if someone
> > would fix this.
>
> Using different IPs for local should work. The trouble is not in iked,
> but in the IKEv2 protocol. The IDs are only shared in the second part
> of the handshake. So until then, there's no way for the daemon to find
> the correct policy, apart from looking at local or peer address.
>
> That's why the settings for the IKE-SA should be similar across all
> policies that could be valid, and the Child-SA can then (afaik) have
> different settings.
>
> But still, using different IPs for local should work in -current.
>
The protocol is tricky but this SHOULD work as long as the policies use different dstids and it does so in my tests. I am not sure what exactly causes it to fail in this particular setup. Some more info such as a verbose log of the handshake and the OpenBSD version would be helpful to figure out what's wrong.
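An added iked.conf sketch, not from the thread, of the approach Patrick describes: each passive policy gets its own `local` address so the responder can select a policy from addresses during IKE_SA_INIT, before the peer's ID has been exchanged, and the IKE-SA proposal is kept identical across both policies while the Child-SA and IDs differ. All addresses, IDs and pre-shared keys below are assumed placeholders.

```conf
# Added example (not the original poster's configuration).
# Both policies are passive responders with "peer any"; they are told apart by
# their distinct 'local' addresses, which iked already knows at IKE_SA_INIT.
# The ikesa proposal is the same in both, since it is negotiated before the
# daemon can know which dstid the peer will present.

ikev2 "for-phone" passive esp \
        from any to 10.0.3.2/32 \
        local 192.0.2.1 peer any \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group curve25519 \
        childsa enc aes-256-gcm \
        srcid gateway.mine \
        dstid phone.mine \
        psk "CHANGE-ME-phone-placeholder"

ikev2 "for-laptop" passive esp \
        from any to 10.0.3.3/32 \
        local 192.0.2.2 peer any \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group curve25519 \
        childsa enc aes-256-gcm \
        srcid gateway.mine \
        dstid laptop.mine \
        psk "CHANGE-ME-laptop-placeholder"
```

Both local addresses (192.0.2.1 and 192.0.2.2 here, assumed) must be configured on the gateway so iked can listen on each; run `iked -nf /etc/iked.conf` to syntax-check the file before loading it.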

