On 2020/01/10 12:19, Janne Johansson wrote:
> > There's a tunnel between Server A and Server B. Server A is a standalone
> > machine trying to reach over the VPN tunnel to a host (10.0.1.50) that is
> > located in a subnet of Server B. Setup is the following:
> > $ cat /etc/hostname.enc0
>
> Haven't done ipsec on obsd for a while now, but are you really supposed to
> have single-tunnel content in hostname.enc0?
>
> The enc interfaces are not to ipsec what tuns are to say openvpn. It is
> more of a looking glass into what ALL ipsec traffic is both in and out
> before and after decapsulation, instead of being a one-enc-per-tunnel, with
> ips and confs.
>
> http://www.openbsd.org/faq/faq17.html doesn't seem to mention the need for
> any edits of hostname.enc0, does it?
>
> --
> May the most significant bit of your life be positive.
Correct. IPsec on OpenBSD is entirely flow-based; it does not support route-based config. There should be no address on enc0. The "config protected-subnet" bits are bogus too (first, they are additional to the networks in from/to; second, iked as a client doesn't support any of the address-config payloads).
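As an added illustration (not part of either message and not the original poster's configuration): a minimal flow-based iked.conf for Server A reaching the 10.0.1.0/24 subnet behind Server B, where the tunnel is defined entirely by the from/to flow, plus the only line hostname.enc0 would ever need. The addresses 192.0.2.10 and 198.51.100.1, the IDs and the PSK are placeholders.

```conf
# /etc/iked.conf on Server A (added example; addresses, IDs and PSK are placeholders)
# The tunnel is the from/to flow below. No address is ever assigned to enc0,
# and no "config protected-subnet" line is needed: the flow already names 10.0.1.0/24.
ikev2 "to-server-b" active esp \
        from 192.0.2.10 to 10.0.1.0/24 \
        peer 198.51.100.1 \
        srcid servera.example.com dstid serverb.example.com \
        psk "REPLACE-WITH-SHARED-SECRET"

# /etc/hostname.enc0, only if the file exists at all: bring the interface up, no inet line.
up
```

After iked negotiates the SA, `ipsecctl -sa` lists the resulting flows and SAs, and `ifconfig enc0` should show no inet address.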