Hi, I am trying to get a site-to-site IPsec tunnel to work with openiked. The configuration seems quite easy, and testing also works. The iked.conf is:

    ikev2 "test" esp \
        from 192.168.1.1 to 192.168.3.1 \
        from 192.168.1.0/24 to 192.168.3.0/24 \
        local 192.168.1.1 peer 192.168.3.1 \
        psk thisisjustatest
The other endpoint is the passive one. /sbin/iked -f /etc/iked.conf -dvv just works and shows the connection established. However, with rc.conf.local containing iked_flags= the box just keeps hanging at "starting early daemons: syslogd pflogd ntpd iked"; there is no timeout, and the box cannot be reached via ssh any more. iked_flags="-v" does not give me any information, and iked_flags=YES delivers the same behavior.

Do I need some additional configuration in ipsec.conf? "rcctl get iked" shows an "iked_timeout=30", which I guess should be the timeout on startup, but I did not find any exact info on that. ipsec=YES in rc.conf.local does not change anything, and neither does appending "ikelifetime 60" to iked.conf.

PF is configured to pass everything; nothing else is configured. The network is configured with a bridge0 containing 2 interfaces, of which the external one has the (simulated) external IP address and the internal interface has an internal IP address, both IPv4 only. The system is OpenBSD 6.0 -stable including the patches up to (and including) 006.

I am quite sure this is just a minor detail I have overlooked; however, I would really appreciate your help! Thanks!

infoomatic