Hello,

lbld12# uname -a
OpenBSD lbld12.duckdns.org 7.3 GENERIC.MP#1130 amd64

Our current VPN uses user/password authentication (MSCHAPv2), so I am trying to use strongSwan to connect to my workplace.

# ipsec statusall
Security Associations (1 up, 0 connecting):
       qarea[1]: ESTABLISHED 62 minutes ago, 178.151.162.44[edigarov]...185.78.xxx.1[vpn.xxx.org]
       qarea[1]: IKEv2 SPIs: 62417f797a2ca675_i* 6db16adc7d9f5355_r, EAP reauthentication in 101 minutes
       qarea[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       qarea{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f07d99fb_i 0ef2e82a_o
       qarea{2}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 67604 bytes_o (806 pkts, 18s ago), rekeying in 32 minutes
       qarea{2}:   192.168.112.215/32 === 192.168.12.0/22

# pfctl -s st | grep 185.78
all udp 178.151.162.44:4500 -> 185.78.235.1:4500       MULTIPLE:MULTIPLE

tcpdump on the external physical interface:

12:06:56.040573 185.78.xxx.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 812 len 152 [tos 0x8]
12:06:57.037764 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 812 len 152
12:06:57.044270 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 813 len 152 [tos 0x8]
12:06:58.037795 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 813 len 152
12:06:58.044250 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 814 len 152 [tos 0x8]
12:06:58.239755 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 160 (DF) [tos 0x8]
12:06:58.240035 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 80
12:06:59.037758 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 814 len 152
12:06:59.044223 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 815 len 152 [tos 0x8]
12:07:00.037804 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 815 len 152
12:07:00.044319 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 816 len 152 [tos 0x8]
12:07:01.037803 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 816 len 152
12:07:01.044248 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 817 len 152 [tos 0x8]

However, on the tunnel interface, that is tun1, there are no responses:

tcpdump: listening on tun1, link-type LOOP
12:08:53.037668 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:54.037698 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:55.037682 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:56.037679 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:57.037671 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:58.037683 192.168.112.215 > 192.168.12.49: icmp: echo request
12:08:59.037677 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:00.037671 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:01.037690 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:02.037678 192.168.112.215 > 192.168.12.49: icmp: echo request
12:09:03.037680 192.168.112.215 > 192.168.12.49: icmp: echo request

If I disable pf, the picture stays the same.

In pf.conf I have:

pass out on tun1 from self to any #nat-to (tun1)
pass out from self to any
pass in on egress proto udp from 185.78.235.1 to (egress) port 4500

# netstat -rn | grep tun1
192.168.12/22      192.168.112.215    US         0       18     -     8 tun1
192.168.112.215    192.168.112.215    UHl        0        1     -     1 tun1

What gives?
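An added triage helper, not part of the original post and not strongSwan's or OpenBSD's own tooling. The post's two captures contain one asymmetry worth isolating before touching pf or routing: ESP packets carrying the CHILD_SA's inbound SPI (f07d99fb_i) are visible on the external interface, yet `ipsec statusall` reports 0 bytes_i on that SA while bytes_o keeps growing. strongSwan reads those counters from the kernel SA, so an inbound SA that has never accounted a byte means the replies are being discarded before or during ESP input, not on tun1. The script below parses constructed excerpts of the post's `ipsec statusall` and tcpdump output (embedded so it runs offline), extracts the SPIs and byte counters, counts wire packets per SPI, and prints which of three cases applies. Function names are mine; it assumes OpenBSD tcpdump's `udpencap: esp spi 0x... ` line format as shown in the post and a single CHILD_SA (the first one is used).

```shell
#!/bin/sh
# Constructed sample input, copied from the excerpts in the post above.
# In live use, replace with: doas ipsec statusall  and
#   doas tcpdump -ni egress -c 50 udp port 4500
STATUSALL='qarea[1]: IKEv2 SPIs: 62417f797a2ca675_i* 6db16adc7d9f5355_r, EAP reauthentication in 101 minutes
qarea{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f07d99fb_i 0ef2e82a_o
qarea{2}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 67604 bytes_o (806 pkts, 18s ago), rekeying in 32 minutes
qarea{2}:   192.168.112.215/32 === 192.168.12.0/22'

WIRE='12:06:56.040573 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 812 len 152 [tos 0x8]
12:06:57.037764 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 812 len 152
12:06:57.044270 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 813 len 152 [tos 0x8]
12:06:58.037795 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: esp spi 0x0ef2e82a seq 813 len 152
12:06:58.239755 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 160 (DF) [tos 0x8]
12:06:58.240035 178.151.162.44.4500 > 185.78.235.1.4500: udpencap: isakmp v2.0 exchange INFORMATIONAL cookie: 62417f797a2ca675->6db16adc7d9f5355 msgid: 00000020 len: 80
12:06:59.044223 185.78.235.1.4500 > 178.151.162.44.4500: udpencap: esp spi 0xf07d99fb seq 815 len 152 [tos 0x8]'

# ESP SPIs of the first CHILD_SA (hex, no 0x). The /ESP.*SPIs:/ address
# skips the IKE_SA line, whose SPIs are tagged _i* and _r.
sa_spi_in()  { printf '%s\n' "$1" | sed -n '/ESP.*SPIs:/s/.*SPIs: \([0-9a-f]*\)_i.*/\1/p' | head -n1; }
sa_spi_out() { printf '%s\n' "$1" | sed -n '/ESP.*SPIs:/s/.*SPIs: [0-9a-f]*_i \([0-9a-f]*\)_o.*/\1/p' | head -n1; }

# Byte counters the kernel reports for that CHILD_SA.
sa_bytes_in()  { printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) bytes_i.*/\1/p' | head -n1; }
sa_bytes_out() { printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) bytes_o.*/\1/p' | head -n1; }

# Number of ESP packets on the wire carrying a given SPI ($2, hex without 0x).
wire_esp_count() {
  printf '%s\n' "$1" | awk -v spi="0x$2" '$0 ~ ("esp spi " spi " ") { n++ } END { print n + 0 }'
}

# Localize the failure: $1 = statusall text, $2 = tcpdump text on the egress interface.
triage() {
  spi_in=$(sa_spi_in "$1")
  [ -n "$spi_in" ] || { echo "no-child-sa"; return; }
  bytes_in=$(sa_bytes_in "$1"); bytes_in=${bytes_in:-0}
  seen=$(wire_esp_count "$2" "$spi_in")
  if [ "$seen" -eq 0 ]; then
    echo "no-inbound-esp-on-wire"        # peer sends nothing back; look at the peer / its policy
  elif [ "$bytes_in" -eq 0 ]; then
    echo "inbound-esp-not-processed"     # ESP reaches the NIC but the inbound SA never counts it
  else
    echo "inbound-esp-decrypted"         # IPsec input works; look past it (routing, pf on tun, peer side)
  fi
}

echo "inbound SPI:  $(sa_spi_in "$STATUSALL")  packets on wire: $(wire_esp_count "$WIRE" "$(sa_spi_in "$STATUSALL")")  bytes_i: $(sa_bytes_in "$STATUSALL")"
echo "outbound SPI: $(sa_spi_out "$STATUSALL")  packets on wire: $(wire_esp_count "$WIRE" "$(sa_spi_out "$STATUSALL")")  bytes_o: $(sa_bytes_out "$STATUSALL")"
echo "verdict: $(triage "$STATUSALL" "$WIRE")"
```

On the post's data the verdict is `inbound-esp-not-processed`, which is why disabling pf changed nothing: the echo requests leave fine (bytes_o grows, the outbound SPI is on the wire), the peer answers with the correct inbound SPI, and the loss happens between the NIC and the inbound SA, before any reply could ever appear on tun1. The next things to compare on the box are the kernel's view of the SA (`ipsecctl -sa`) against the SPIs strongSwan printed, and whether the UDP-encapsulated ESP is being handed to IPsec at all.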