> On Friday, May 22, 2015 11:56 AM, Yassen Damyanov <yassen_...@yahoo.com> 
> wrote:
> > [Apologies if anyone gets this a second time --
> Sent twice but did not show up in the list]
> 
> 5.7-stable.
> Cannot get an ikev2 road warrior setup working for days now.
> 
> Read all relevant stuff but cannot see what I am doing wrong.
> 
> Other people report similar setup working, so it must be my fault.


For the record, this appears to work from a location nearer to the ike server,
so I guess it is not my fault, rather, some filtering is done on the way maybe,
which breaks the negotiations.

If anyone has a proposal of what that might be (knowing where the dialog halts,
see the 'iked -vv -d' log) -- please let me know, thanks!

-Y.



> The connection schema follows:
> 
> (Note: 57.57.57.57 is the OBSD-5.7 box ext interface;
> 81.81.81.81 is the ext interface of the router the win box
> is behind.)
> 
> LAN (10.15.0.0/16) <--> [ obsd 5.7 box (ext if 57.57.57.57) ] <-->
> <--> Internet <--> router (81.81.81.81) <--> win 8.1 box
> 
> The win box shows error 809 (remote server is not responding) on
> connection attempt. (I never managed to get anything else.)
> 
> 
> Client is Win8.1 Enterprise (behind nat, should not matter...?)
> Connection properties:
> -- General | Host name: 57.57.57.57
> -- Security | Type of VPN: IKEv2
> -- Security | Data Encryption: Require Encryption
> -- Security | Authentication: use machine certificates
> -- Networking | IPv4 (the only thing enabled):
> set to IP 10.10.10.7, DNS 8.8.8.8
> 
> # sysctl net.inet.ip.forwarding=1
> # pfctl -d # only to get ipsec tunnel working; then I'll set it up
> 
> 
> # cat /etc/iked.conf:
> ikev2 "road-warriors" passive esp \
>   from 10.15.0.0/16 to 10.10.10.0/24 \
>   local 57.57.57.57 peer 0.0.0.0/0 \
>   srcid 57.57.57.57 \
>   config address 10.10.10.7
> 
> 
> Debug log from 'iked -vv -d' shown below.
> 
> Please, help me figure this out.
> Any hints or directions are much appreciated!
> -Yassen D.
> 
> 
> P.S. Forgot to mention that the full CA dance has been properly done;
> the Win box has the vpn CA cert and key (in Trusted Root Authorities)
> and its own client certificate (in Personal) imported successfully.
