On Wed, Aug 23, 2023 at 08:03:34AM +0200, Jiri Navratil wrote:
> Hello,
>
> Thank you for the quick and helpful replies.
>
> Adding the line
>
> set skip on enc0
>
> to pf.conf enabled traffic between my sites.
>
> I see in https://www.openbsd.org/faq/faq17.html
>
> "Traffic between them should appear after decapsulation on the enc0
> interface, and can be filtered as such." and the next line works with a VPN
> tag, but there are no lines "pass in ... tag VPN" in pf.conf before this
> part. Shall that be added to the FAQ? I expect that switching from "set skip on
> enc0" to "pass in ... tag VPN" will be better in my case.
>
> If someone with IPsec experience proposes changes to FAQ17, then I
> also noted:
>
> In the "road warrior" part, there is "We'll assume the public IP for the
> client is 203.0.113.2.", but the example uses "any".
I think any is the better choice here. This would allow other clients to
connect to the same server (if they have a valid key), which is probably
what most people want.

> I think that the word "daemon" is better than "server" here:
>
> The ikectl(8) utility is used to control the server,

Agree

> I want to extend my IKEv2 site-to-site VPN with a road warrior
> configuration. If the road warrior part will include a few lines about
> how to extend the responder to handle both site-to-site and road warrior, it
> will be very helpful.

Are you thinking of an example with multiple "ikev2 ..." blocks or a
comment mentioning that you can have multiple of those in the same config
file? Because that is technically all you need.

> Thank you OpenBSD for IPsec and thank you for your support to let me
> configure it.
>
> BR,
> Jiří
>
> --
> Jiri Navratil, https://nocloud.cz
>
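An iked.conf fragment, added here as an illustration (not from FAQ17 or from either poster), showing the two-block layout the reply describes: one "ikev2" block for the site-to-site peer and a second passive block for road warriors. Addresses, IDs, the address pool and the PSK are constructed placeholders; the "tag" keyword marks each SA's traffic so pf can select it on enc0.

```conf
# Constructed example: one iked.conf serving a site-to-site peer and
# road warriors. Addresses, IDs, pool and PSK are placeholders.

# Site-to-site tunnel: this gateway actively initiates to the remote
# gateway and the two LANs are carried inside the SA.
ikev2 "site-to-site" active esp \
        from 192.168.1.0/24 to 192.168.2.0/24 \
        local 192.0.2.1 peer 203.0.113.1 \
        srcid gw1.example.com dstid gw2.example.com \
        psk "replace-with-a-long-random-secret" \
        tag "VPN"

# Road warriors: passive responder for any peer that authenticates with
# a certificate issued by our CA (no psk keyword, so public-key auth);
# each client is handed an address from the pool plus a name server.
ikev2 "roadwarrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local 192.0.2.1 peer any \
        srcid gw1.example.com \
        config address 10.0.5.0/24 \
        config name-server 192.168.1.53 \
        tag "VPN"
```

With the tag set by iked, a pf rule on enc0 such as `pass in on enc0 ... tagged VPN` matches the decapsulated packets without any preceding `tag VPN` rule in pf.conf, so enc0 can be filtered instead of skipped.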