Zé, thank you for your answers!

I hope my question didn't offend you; as you remember, I asked for
help and you kindly offered your configs, which I really appreciate,
especially since it seems to be quite a rare setup.

I asked you because I tried to replicate your config with the "egress"
keyword; iked(8) didn't complain about my modified config, but the VPN didn't
work this way: I could see the SAs created, but with wrong addresses, so
it was filtered out by pf.
I checked the tcpdump output, and it showed that the pf rewrite didn't happen
since I didn't have an interface with the address I rewrite to.
So I wondered how it works in your case. And that was the reason for me
to set up a loopback interface in order to have what I'd call a "consistent
though ugly" configuration.

By saying "consistent" I mean that I have an IP range specified for RA
VPN clients and I can filter it with pf(4).
By saying "ugly" I mean I need to have an additional manually assigned
loopback interface and to route VPN traffic via this interface.
Maybe I'm doing it all wrong; maybe somebody can shed light on how to
do it properly.

On 10/04, Zé Loff wrote:
> > On 04/10/2016, at 18:48, Pavel Korovin <p...@tristero.se> wrote:
> >
> > On 10/04, Zé Loff wrote:
> >>> On 04/10/2016, at 11:58, Pavel Korovin <p...@tristero.se> wrote:
> >>>
> >>>> On 10/04, Zé Loff wrote:
> >>>> On "the wanderer" iked.conf:
> >>>>
> >>>> ikev2 home active esp \
> >>>>   from egress to 192.168.99.0/24 \
> >>>>   local egress peer vpn.example.com \
> >>>>   srcid dion.example.com dstid vpn.example.com
> >>>>
> >>>> On the "wanderer" pf.conf:
> >>>>
> >>>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
> >>>
> >>> Zé, do you have an interface with the address 192.168.100.3 on your
> >>> wanderer?
> >>
> >> No
> >
> > Then how your pf rewrites the address to 192.168.100.3? I believe there
> > must be an interface with the address specified in the rewrite rules.
> > Otherwise, pf rule won't do anything.
> > Did you check "tcpdump -i enc0" output?
> 
> Hey, like I said, it works for me. I don't know enough to give you a proper
> answer to that, I just know that it works like this. I could speculate, but it
> would probably amount to noise, so I won't.
> 
> Also, like I indicated, adding srcnat to the roaming machine's iked.conf
> breaks the setup for me, as the tunnel is established but nothing goes
> through.
> 
> > --
> > With best regards,
> > Pavel Korovin
> 

-- 
With best regards,
Pavel Korovin
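
For readers trying to follow the "consistent though ugly" setup Pavel
describes (a loopback interface carrying the address that the pf nat-to rule
rewrites to, so the RA client range is a real, filterable range), here is
what the relevant files could look like on the roaming machine. This is an
added illustration, not the configuration of either poster: the interface
name lo1, the reuse of 192.168.100.3 as this client's VPN address and of
192.168.99.0/24 as the remote network are assumptions taken from the quoted
snippets, and the route that sends VPN traffic via the loopback, which the
message mentions but does not show, is deliberately left out.

```conf
# /etc/hostname.lo1 -- added example, not from the thread.
# Assumed: 192.168.100.3 is the address this roaming host uses inside the
# VPN, i.e. an address from the range the gateway reserves for RA clients.
inet 192.168.100.3 255.255.255.255

# /etc/iked.conf -- added example. Compared with the quoted config, the flow
# source is the loopback address rather than "egress", so the negotiated SA
# carries the client-range address instead of whatever uplink address the
# roaming host currently has.
ikev2 home active esp \
        from 192.168.100.3 to 192.168.99.0/24 \
        local egress peer vpn.example.com \
        srcid dion.example.com dstid vpn.example.com

# /etc/pf.conf -- added example. Same translation rule as the quoted one, but
# nat-to now points at an address that exists on the host (lo1), which is the
# condition Pavel wanted satisfied; the flow above matches the translated
# source address.
match out on enc0 from any to 192.168.99.0/24 nat-to 192.168.100.3 static-port
```

After editing, bring the interface up with `sh /etc/netstart lo1`, reload the
filter with `pfctl -f /etc/pf.conf` and restart iked with `rcctl restart iked`;
`tcpdump -n -i enc0` should then show the tunnelled packets with
192.168.100.3 as their source, which is the check Pavel used to spot that the
rewrite was not happening in his first attempt.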
