> While not an endorsed FAQ or man page from the project, this:
>> http://puffysecurity.com/wiki/openikedoffshore.html should give you a
>> few tips on how to achieve this.  The man page (iked.conf) and the
>> references for pf within it should be enough to work it out.  But from my
>> observations of your ikev2 configs, you are making it a little more complex
>> than it needs to.
>>
>
>
Hi,

I have read the puffysecurity website, the man pages and all the docs I have
found here and there, and still have the same problem. Let me make a simpler example:

I'm able to make it work, but the gateway configuration has to know the
laptop network.

For example, the laptop is connected to the internet through the network
192.168.100.0/24 (IP 192.168.100.37).

The working configuration is (now using a CA, no more PSK):

On the gateway :
distantnet="192.168.100.0/24"
ikev2 "qcvpn" passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        peer any \
        srcid ets.qualitycenter.fr

On the laptop (xxx.xxx.xxx.xxx is my real company external IP):
localip=egress
ikev2 "qcvpn" active esp \
        from $localip to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy

That's working (I can ping 192.168.0.190 for instance, or get SSH access), but
the gateway knows I'm using a 192.168.100.0/24 network, which is not really
acceptable.

I've tried other configurations like this:

On the gateway :
distantnet="192.168.33.0/24"
ikev2 "qcvpn" passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        peer any \
        srcid ets.qualitycenter.fr \
        config address 192.168.33.2 \
        config name-server 192.168.0.190

On the laptop :
localip="192.168.33.2 (192.168.100.37)"
ikev2 "qcvpn" active esp \
        from $localip to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy

I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions and
the SAD is OK (the same as in the working configuration, but with 192.168.100
replaced by 192.168.33, which looks fine to me), but I'm not able to get access to
any distant computer. The laptop pf is as simple as possible:
pass in
match out on enc0 nat-to 192.168.33.2
pass out

On the gateway, the same:
pass in quick on enc0
pass out quick on enc0

Any idea?

Regards,
Sebastien
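As an added illustration for this thread (my own check, not code from Sebastien's mail, from puffysecurity or from OpenBSD's iked): a small Python script that reads the from/to traffic selectors of the two policies quoted above and verifies that what the laptop sends "from" fits inside what the gateway accepts "to", and vice versa. Mismatched selectors are one cause of the symptom described (SAs and flows negotiated, no traffic passing), so it is the first thing worth ruling out; matching selectors, as in the second configuration here, only mean the problem is elsewhere. The parser is an assumption of mine and covers only the subset of iked.conf syntax that appears in the mail (quoted $macro definitions, backslash continuation lines, the "from addr (addr) to addr" form, whose parenthesized address it ignores); interface keywords such as egress are not resolved, they have to be passed in as a hint. The policy texts below are copies of the ones in the mail, the xxx.xxx.xxx.xxx peer included.

```python
"""Check that the iked.conf traffic selectors of two peers mirror each other.

Added example, not code from the original post or from OpenBSD iked. It
reads the 'from ... to ...' part of an ikev2 policy, expands the $macro
definitions that precede it, and checks that each side's 'from' network
fits inside the other side's 'to' network.
"""
import ipaddress
import re

# Copies of the two policies from the mail (second, non-working attempt),
# kept as plain iked.conf text with its backslash continuation lines.
GATEWAY_POLICY = r'''
distantnet="192.168.33.0/24"
ikev2 "qcvpn" passive ipcomp esp \
        from 192.168.0.0/24 to $distantnet \
        peer any \
        srcid ets.qualitycenter.fr \
        config address 192.168.33.2 \
        config name-server 192.168.0.190
'''

LAPTOP_POLICY = r'''
localip="192.168.33.2 (192.168.100.37)"
ikev2 "qcvpn" active esp \
        from $localip to 192.168.0.0/24 \
        peer xxx.xxx.xxx.xxx \
        srcid boutxy
'''

# name="value" macro definitions (only the quoted form used in the mail)
_MACRO = re.compile(r'^\s*(\w+)="([^"]*)"\s*$')
# from SRC [(NATADDR)] to DST ; the parenthesized address is skipped here
_FLOW = re.compile(r'\bfrom\s+(\S+)(?:\s+\(\S+\))?\s+to\s+(\S+)')


def _join_continuations(text):
    """Fold 'line \\' continuations into one logical line, as iked.conf does."""
    return re.sub(r'\\\n\s*', ' ', text)


def _to_network(token, interfaces):
    """Turn a selector token into an ip_network; interface keywords such as
    'egress' are resolved only through the caller-supplied hint dict."""
    token = interfaces.get(token, token)
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        raise ValueError(f'cannot resolve selector {token!r}; pass it via interfaces')


def parse_policy(text, interfaces=None):
    """Return (from_net, to_net) of the first ikev2 policy found in text."""
    macros = {}
    interfaces = interfaces or {}
    for line in _join_continuations(text).splitlines():
        m = _MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # expand $name references using the macros seen so far
        line = re.sub(r'\$(\w+)',
                      lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        f = _FLOW.search(line)
        if f:
            return (_to_network(f.group(1), interfaces),
                    _to_network(f.group(2), interfaces))
    raise ValueError('no ikev2 policy with from/to selectors found')


def selectors_mirror(local_text, remote_text, interfaces=None):
    """True when each side's 'from' lies inside the other side's 'to'."""
    l_from, l_to = parse_policy(local_text, interfaces)
    r_from, r_to = parse_policy(remote_text, interfaces)
    return l_from.subnet_of(r_to) and r_from.subnet_of(l_to)


if __name__ == '__main__':
    # the second configuration from the mail: selectors do mirror each other
    print(selectors_mirror(LAPTOP_POLICY, GATEWAY_POLICY))  # True
    # same laptop policy against a gateway still expecting 192.168.100.0/24
    stale_gateway = GATEWAY_POLICY.replace('192.168.33.0/24', '192.168.100.0/24')
    print(selectors_mirror(LAPTOP_POLICY, stale_gateway))  # False
    # the first (working) configuration: laptop uses 'from egress', which
    # must be given as a hint since only iked knows the interface address
    egress_laptop = LAPTOP_POLICY.replace('$localip', 'egress')
    print(selectors_mirror(egress_laptop, stale_gateway,
                           interfaces={'egress': '192.168.100.37'}))  # True
```

Run it as-is to see the three cases; to check your own files, pass the contents of each side's iked.conf to selectors_mirror and supply the current address of any interface keyword in the interfaces dict. Since the check deliberately ignores the address in parentheses and everything after the selectors (peer, srcid, config address, pf rules), a True result only says the flows should be negotiated consistently, which is the state the mail already describes.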
