still one thing left before I can declare this bazaar open.
internet via vpn does not work yet. the vpn server is already acting
as router for my home network.
connecting vpn works.
ping to each side via vpn works.
using the vpn server's unbound as nameserver on the notebook works.

it seems like the packets reaching enc0 at the server don't go to
egress. here is the tcpdump.

server tcpdump

server# tcpdump -i enc0 -o -ttt -vv -e -n
tcpdump: listening on enc0, link-type ENC
May 30 19:57:57.510729 (authentic,confidential): SPI 0x8a035a97: 89.x.x.x.x > 178.x.x.x: 192.168.2.10 > 216.58.214.67: icmp: echo request (id:121c seq:50) [icmp cksum ok] (ttl 255, id 30160, len 84) (ttl 50, id 8360, len 104)
May 30 19:57:57.510761 (authentic,confidential): SPI 0xc36d724b: 178.x.x.x > 89.x.x.x.x: 192.168.2.10 > 216.58.214.67: icmp: echo request (id:121c seq:50) [icmp cksum ok] (ttl 254, id 59008, len 84) (ttl 64, id 62279, len 104, bad ip cksum 0! -> afe5)
May 30 19:57:58.502468 (authentic,confidential): SPI 0x8a035a97: 89.x.x.x.x > 178.x.x.x: 192.168.2.10 > 216.58.214.67: icmp: echo request (id:121c seq:51) [icmp cksum ok] (ttl 255, id 17935, len 84) (ttl 50, id 31161, len 104)
May 30 19:57:58.502499 (authentic,confidential): SPI 0xc36d724b: 178.x.x.x > 89.x.x.x.x: 192.168.2.10 > 216.58.214.67: icmp: echo request (id:121c seq:51) [icmp cksum ok] (ttl 254, id 23117, len 84) (ttl 64, id 13745, len 104, bad ip cksum 0! -> 6d7c)
May 30 19:57:59.502705 (authentic,confidential): SPI 0x8a035a97: 89.x.x.x.x > 178.x.x.x: 192.168.2.10 > 216.58.214.67: icmp: echo request (id:121c seq:52) [icmp cksum ok] (ttl 255, id 10110, len 84) (ttl 50, id 12748, len 104)

but after that nothing happens. no corresponding traffic on axe0 (egress).
here is the relevant part of pf.conf. nothing gets blocked.

match out from 192.168.2.0/24 to (axe0:network) nat-to (axe0)
...
pass in on enc0 inet from 192.168.2.0/24
pass out on enc0
pass out on axe0
iked.conf notebook

ikev2 "VPN HOME" active ipcomp esp inet \
        from 192.168.2.10 to 0.0.0.0/0 \
        from 192.168.2.10 to 192.168.2.1 \
        peer 178.x.x.x \
        psk ""


iked.conf server

ikev2 "VPN HOME" passive ipcomp esp inet \
        from 192.168.2.0/24 to 0.0.0.0/0 \
        from 192.168.2.1 to 192.168.2.0/24 \
        from 192.168.2.1 to 192.168.2.10 \
        local egress peer any \
        srcid egress \
        psk ""
Jan

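As an added helper (not from the post, and not OpenBSD code), a small Python script that re-joins the mail-wrapped tcpdump enc0 output and pairs each decrypted inner packet with any copy of itself written back to enc0 under another SPI. That is what the capture above shows: every echo request from 192.168.2.10 appears once inbound (89.x > 178.x, SPI 0x8a035a97) and once outbound (178.x > 89.x, SPI 0xc36d724b) with the same inner addresses and icmp id/seq, so it re-enters the tunnel instead of showing up on axe0. The sample lines are constructed to mirror that capture, with the x'ed outer addresses replaced by placeholders.

```python
import re

# Constructed sample in the shape of the enc0 capture above (outer 89.x/178.x
# addresses replaced by placeholders), kept wrapped the way the mail shows it.
SAMPLE = """\
tcpdump: listening on enc0, link-type ENC
May 30 19:57:57.510729 (authentic,confidential): SPI 0x8a035a97:
89.0.0.1 > 178.0.0.1: 192.168.2.10 > 216.58.214.67: icmp: echo
request (id:121c seq:50) [icmp cksum ok] (ttl 255, id 30160, len 84) (ttl 50, id 8360, len 104)
May 30 19:57:57.510761 (authentic,confidential): SPI 0xc36d724b:
178.0.0.1 > 89.0.0.1: 192.168.2.10 > 216.58.214.67: icmp: echo
request (id:121c seq:50) [icmp cksum ok] (ttl 254, id 59008, len 84) (ttl 64, id 62279, len 104, bad ip cksum 0! -> afe5)
May 30 19:57:59.502705 (authentic,confidential): SPI 0x8a035a97:
89.0.0.1 > 178.0.0.1: 192.168.2.10 > 216.58.214.67: icmp: echo
request (id:121c seq:52) [icmp cksum ok] (ttl 255, id 10110, len 84) (ttl 50, id 12748, len 104)
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ ")
ECHO = re.compile(
    r"SPI (?P<spi>0x[0-9a-f]+): (?P<osrc>[^ :]+) > (?P<odst>[^ :]+): "
    r"(?P<isrc>[^ :]+) > (?P<idst>[^ :]+): icmp: echo request "
    r"\(id:(?P<id>[0-9a-f]+) seq:(?P<seq>\d+)\)"
)

def join_wrapped(text):
    """Glue continuation lines back onto the timestamped record they belong to."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_enc0(records):
    """One dict per ICMP echo request: SPI, outer src/dst, inner src/dst, id, seq."""
    return [m.groupdict() for m in map(ECHO.search, records) if m]

def find_reencapsulated(packets, local_ip):
    """Inner packets seen inbound (outer dst == local_ip) and then again outbound
    (outer src == local_ip): re-encapsulated toward the peer, not forwarded."""
    seen_inbound, looped = {}, []
    for p in packets:
        key = (p["isrc"], p["idst"], p["id"], p["seq"])
        if p["odst"] == local_ip:
            seen_inbound[key] = p["spi"]
        elif p["osrc"] == local_ip and key in seen_inbound:
            looped.append(key + (seen_inbound[key], p["spi"]))
    return looped
```

Run it as `find_reencapsulated(parse_enc0(join_wrapped(text)), local_ip)` with the server's own outer (egress) address as `local_ip`; each returned tuple is one inner packet that went back into the tunnel, with the inbound and outbound SPIs it was seen under.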