On 2018-01-29, Stuart Henderson <[email protected]> wrote:
> On 2018-01-28, Daniel Ramos <[email protected]> wrote:
>> I'm trying to tunnel all internet traffic from my internal network
>> (192.168.2.0/24) through another internet-facing machine (10.1.1.0/24)
>> using IKEv2. After trying what seems to be every possibility of pf.conf
>> and iked.conf combinations, I just can't seem to get it right. My
>> closest attempt is to NAT all traffic from 192.168.2.0/24 to appear as
>> virtual IP 10.1.1.2 on the other side, which is then NAT'd out to the
>> internet as usual. The problem with this config is that ALL traffic,
>> including local traffic to 192.168.2.0/24, is tunneled. This is not
>> desired because I can no longer access my local gateway (192.168.2.1),
>> or any locally hosted services.
>
> What you need is a "bypass flow". I don't think it can be done from
> iked.conf, but you can try this in ipsec.conf (adapt addresses as needed):
>
> flow from 192.168.46.48/28 to 192.168.46.48/28 type bypass
>
> ipsecctl -f /etc/ipsec.conf to load it at runtime, ipsec=YES in
> rc.conf.local to load at boot.
>
> Please follow up to confirm whether it works for the archive. I've only
> done this combined with IKEv1, but I don't see a reason why it wouldn't work.
PS: might be worth dropping a comment in iked.conf as a reminder that ipsec.conf is also involved in the config.
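The bypass flow from the reply above, adapted to the addresses in the original question, as an added /etc/ipsec.conf example that is not part of the thread. The 192.168.2.0/24 LAN and the 192.168.2.1 gateway come from the question; the shape of the iked.conf tunnel flow (LAN to 0.0.0.0/0) and the pf NAT rule are not shown in the thread and are assumed here.

```conf
# /etc/ipsec.conf -- added example, not from the thread.
#
# Assumed setup: iked(8) installs a tunnel flow for 192.168.2.0/24 to
# 0.0.0.0/0 (everything), and pf rewrites the LAN source to the virtual
# IP 10.1.1.2 on the way into the tunnel. That tunnel flow also matches
# LAN-to-LAN traffic, which is why the gateway (192.168.2.1) and local
# services became unreachable.
#
# A bypass flow whose destination is the LAN itself is more specific than
# the tunnel flow, so the kernel policy lookup picks it for local traffic
# and delivers those packets in the clear instead of sending them to enc0.
# (That "more specific flow wins" behaviour is what the suggestion relies on.)
lan = "192.168.2.0/24"

flow from $lan to $lan type bypass

# Load at runtime and check that the flow was installed:
#   ipsecctl -f /etc/ipsec.conf
#   ipsecctl -sf            # lists the SPD; the bypass entry should appear
# Load at boot: ipsec=YES in /etc/rc.conf.local (this only covers
# ipsec.conf; iked still runs from its own config, so keep a comment in
# iked.conf noting that ipsec.conf is part of the setup).
```

If the tunnel flow in iked.conf is keyed on the virtual IP rather than the LAN prefix, the bypass flow still needs to name the LAN prefix on both sides, because the kernel matches the packet's addresses before any pf rewrite on enc0 takes effect.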

