Re: ipsec via iked
> I do have read the puffysecurity website

Did you? I struggled with this for a while, too, and found the puffysecurity example, when followed, works.

> For example, the laptop is connected to the internet through a network
> 192.168.100.0/24 (ip 192.168.100.37)
>
> The working configuration is (using now ca, no more psk):
>
> On the gateway:
>
> distantnet="192.168.100.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
>         from 192.168.0.0/24 to $distantnet \
>         peer any \
>         srcid ets.qualitycenter.fr
>
> I've tried other configurations like this:
>
> On the gateway:
>
> distantnet="192.168.33.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
>         from 192.168.0.0/24 to $distantnet \
>         peer any \
>         srcid ets.qualitycenter.fr \
>         config address 192.168.33.2 \
>         config name-server 192.168.0.190

Why do you keep configuring a specific network if that is not what you want to do? Did you try 0.0.0.0/0?

> I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions and
> SAD ok (same as in the working configuration but 192.168.100 is replaced by
> 192.168.33, which looks fine to me), but I'm not able to get access to
> any distant computer. The laptop pf is as simple as possible:
>
> pass in
> match out on enc0 nat-to 192.168.33.2

I don't think you're supposed to NAT on the enc0 interface. That's a special internal interface. If you're going out to the internet you have to NAT on the egress interface. Why are you doing NAT on the laptop at all, actually? If you're trying to get the laptop to talk over the VPN tunnel, that's what iked does; you only need to allow VPN ports and protocols through the laptop firewall.

I can't get to my working config from where I am now; if I remember, I'll send it along this evening.

Tim.
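To show what Tim's two suggestions look like together (a wildcard destination on the gateway side instead of a guessed laptop network, and no nat-to on enc0), here is an added road-warrior configuration. It is not from any message in this thread and was not posted by Tim or Sebastien; the policy name, the address pool, the name server, the srcid values and the placeholder peer address xxx.xxx.xxx.xxx are taken from the thread only as labels, ipcomp is left out as an example choice, and the laptop side uses the iked.conf keyword "dynamic" to stand for whatever address the gateway hands out with "config address".

```conf
# Gateway /etc/iked.conf (added example, not from the thread).
# The laptop's real network is never named here: the gateway leases
# 192.168.33.2 to the peer and accepts flows to any destination on this
# tunnel, so the same policy works from any hotel or home network.
ikev2 "qcvpn" passive esp \
        from 192.168.0.0/24 to 0.0.0.0/0 \
        peer any \
        srcid ets.qualitycenter.fr \
        config address 192.168.33.2 \
        config name-server 192.168.0.190

# Laptop /etc/iked.conf (added example). "dynamic" is replaced by the
# address the gateway assigns, so nothing about the local network is
# hard-coded. xxx.xxx.xxx.xxx is the company's external IP (placeholder).
ikev2 "qcvpn" active esp \
        from dynamic to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy

# Laptop /etc/pf.conf (added example). Only IKE (udp 500 and 4500 for
# NAT traversal) and ESP have to cross the laptop firewall; traffic to
# 192.168.0.0/24 is moved into the tunnel by iked's flows, so there is no
# nat-to rule on enc0. "egress" is pf's group for the default-route interface.
pass out on egress proto udp to xxx.xxx.xxx.xxx port { 500 4500 }
pass in on egress proto udp from xxx.xxx.xxx.xxx to port { 500 4500 }
pass out on egress proto esp to xxx.xxx.xxx.xxx
pass in on egress proto esp from xxx.xxx.xxx.xxx
pass on enc0
```

One check worth doing on the gateway side once the flows and SAs show up in "ipsecctl -sa": hosts on 192.168.0.0/24 can only answer 192.168.33.2 if their route back to that address goes through the gateway. If the gateway is not their default router, they need a static route for 192.168.33.0/24 pointing at it, and the gateway's pf.conf must let the decrypted traffic pass on enc0 in both directions.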
Re: ipsec via iked
> While not an endorsed FAQ or man page from the project, this:
> http://puffysecurity.com/wiki/openikedoffshore.html should give you a
> few tips on how to achieve this. The man page (iked.conf) and the
> references for pf within it should be enough to work it out. But from my
> observations of your ikev2 configs, you are making it a little more complex
> than it needs to be.
>

Hi,

I have read the puffysecurity website, the man pages and all the docs I have found here and there; still the same problem.

Let me give a simpler example: I'm able to make it work, but the gateway configuration has to know the laptop network.

For example, the laptop is connected to the internet through a network 192.168.100.0/24 (ip 192.168.100.37).

The working configuration is (using now ca, no more psk):

On the gateway:

distantnet="192.168.100.0/24"
ikev2 "qcvpn" passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        peer any \
        srcid ets.qualitycenter.fr

On the laptop (xxx.xxx.xxx.xxx is my real company external IP):

localip=egress
ikev2 "qcvpn" active esp \
        from $localip to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy

That's working (I can ping 192.168.0.190 for instance, or get ssh access), but the gateway knows I'm using a 192.168.100.0/24 network, which is not really acceptable.

I've tried other configurations like this:

On the gateway:

distantnet="192.168.33.0/24"
ikev2 "qcvpn" passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        peer any \
        srcid ets.qualitycenter.fr \
        config address 192.168.33.2 \
        config name-server 192.168.0.190

On the laptop:

localip="192.168.33.2 (192.168.100.37)"
ikev2 "qcvpn" active esp \
        from $localip to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy

I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions and SAD ok (same as in the working configuration but 192.168.100 is replaced by 192.168.33, which looks fine to me), but I'm not able to get access to any distant computer.

The laptop pf is as simple as possible:

pass in
match out on enc0 nat-to 192.168.33.2
pass out

On the gateway the same:

pass in quick on enc0
pass out quick on enc0

Any idea?

Regards,
Sebastien
ipsec via iked
Hi,

I set up an ipsec VPN via iked.

On the server:

distantnet="192.168.100.0/24"
ikev2 passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        from 192.168.1.0/24 to $distantnet \
        from 192.168.2.0/24 to $distantnet \
        from 192.168.4.0/24 to $distantnet \
        from 192.168.10.0/24 to $distantnet \
        from 192.168.20.0/24 to $distantnet \
        from 192.168.21.0/24 to $distantnet \
        from 192.168.24.0/24 to $distantnet \
        peer any \
        psk "my-preshared-key"

On my laptop:

ikev2 ipcomp esp \
        from egress to 192.168.0.0/24 \
        from egress to 192.168.1.0/24 \
        from egress to 192.168.2.0/24 \
        from egress to 192.168.4.0/24 \
        from egress to 192.168.10.0/24 \
        from egress to 192.168.20.0/24 \
        from egress to 192.168.24.0/24 \
        peer entrepriseexternalip \
        psk "my-preshared-key"

The point is that the server has to know my home network (192.168.100.0/24). How do I make it work wherever my laptop is?

I tried with the config address options but can't make it work.

Thanks in advance,
Sebastien
Re: ipsec via iked
On 3 November 2015 at 03:14, Sébastien Morand wrote:

> Hi,
>
> I set up an ipsec VPN via iked.
>
> The point is that the server has to know my home network (192.168.100.0/24).
> How do I make it work wherever my laptop is?
>
> I tried with the config address options but can't make it work.
>

While not an endorsed FAQ or man page from the project, this: http://puffysecurity.com/wiki/openikedoffshore.html should give you a few tips on how to achieve this. The man page (iked.conf) and the references for pf within it should be enough to work it out. But from my observations of your ikev2 configs, you are making it a little more complex than it needs to be.

Cheers.