Hello, I really need your help. I am still trying to configure an IKEv2 VPN gateway (A.B.C.77/23) for road warrior clients (Windows). The problem is that it works ONLY if the clients are in the same subnet as the VPN gateway (A.B.C.0/23). Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish the connection (809 error). It does not matter whether they are behind NAT or not; I tried different ISPs, with the same result.
The currently tested client is Win7 (1.2.3.119). It works from A.B.C.0/23. I do not know what I am doing wrong. Can anyone please help me with solving this problem? Thank you.

This is a fresh 6.3/i386 install:

# syspatch -l
001_perl
002_libtls
003_arp
004_gif
005_httpd
006_ipseclen
007_libcrypto
008_ipsecout
009_libcrypto
011_perl
012_execsize
013_ipsecexpire
014_amdlfence
015_ioport

WAN:
# cat /etc/hostname.vr0
inet A.B.C.77 255.255.254.0

LAN:
# cat /etc/hostname.vr3
inet 172.16.0.254 255.255.255.0 NONE group lan

# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255 up

# cat /etc/iked.conf
ikev2 "test" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local A.B.C.77 peer any \
        srcid A.B.C.77 \
        config address 10.0.1.0/24 \
        config name-server 8.8.8.8 \
        tag "IKED"

# cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

# ikectl show ca vpn certificates
subject= /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=37:2F:33:EA:C4:9C:45:0A:80:38:EC:0E:A6:F8:8B:EA:10:84:71:CB
notBefore=Oct 25 12:23:53 2018 GMT
notAfter=Oct 25 12:23:53 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=4C:AE:A5:C6:E3:71:81:09:C0:73:BF:03:5F:E2:02:CE:48:BF:03:78
notBefore=Oct 25 12:27:35 2018 GMT
notAfter=Oct 25 12:27:35 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=win7/emailAddress=t...@123.com
SHA1 Fingerprint=E2:C1:96:F3:26:0F:CA:CD:49:0A:33:65:58:0E:07:B7:A7:90:D4:18
notBefore=Oct 25 12:32:31 2018 GMT
notAfter=Oct 25 12:32:31 2019 GMT
subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=w520/emailAddress=w...@123.com
SHA1 Fingerprint=00:ED:49:7B:CE:AF:46:25:BE:39:B6:51:AD:3E:06:91:99:58:50:C9
notBefore=Oct 27 08:54:14 2018 GMT
notAfter=Oct 27 08:54:14 2019 GMT

# iked -vvd
ikev2 "test" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local A.B.C.77 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid A.B.C.77 lifetime 10800 bytes 536870912 signature config address 10.0.1.0 config name-server 8.8.8.8 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1193
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
ca_reload: loaded ca file ca.crt
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file A.B.C.77.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 policy 'test' id 0, 528 bytes
ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.C.77 length 8
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x683d59d10fbe4a9e 0x0000000000000000 1.2.3.119:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x683d59d10fbe4a9e 0x0000000000000000 A.B.C.77:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 12
ikev2_sa_negotiate: score 17
ikev2_sa_negotiate: score 8
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x683d59d10fbe4a9e 0x4698e736ae5196ac A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x683d59d10fbe4a9e 0x4698e736ae5196ac 1.2.3.119:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x4698e736ae5196ac nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 329 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 0, 329 bytes
config_free_proposals: free 0x7fcc4880
config_free_proposals: free 0x85753900
config_free_proposals: free 0x7fcc03c0
config_free_proposals: free 0x7fcc4080
config_free_proposals: free 0x7fcc4580
config_free_proposals: free 0x825a0a00

Then I get the 809 error.

On Wed, 7 Feb 2018 22:01:16 +0100
Radek <alee...@gmail.com> wrote:

> Hi again,
> 
> I'm still trying to make it work for road warriors.
> The VPN server has IP address A.B.9.73/23. It is OpenBSD 6.1.
> 
> I generated certs:
> 
> # hostname
> serv73
> 
> # ikectl ca vpn create        (CN = serv73)
> # ikectl ca vpn install
> 
> # ikectl ca vpn certificate A.B.9.73 create
> # ikectl ca vpn certificate A.B.9.73 install
> 
> # ikectl ca vpn certificate A.B.9.76 create        #(CN = A.B.9.76)
> # ikectl ca vpn certificate A.B.9.76 export
> 
> After installing A.B.9.76.zip in Win7 I can connect to the VPN server from any IP
> address that is in the range A.B.9.0/23.
> 
> I can't connect from an IP that is NOT in A.B.9.0/23.
> I tried to connect from many IPs (public and behind NAT) but every time I got
> the "809 error".
> 
> Can anyone please help me with solving that problem?
> 
> # cat /etc/iked.conf
> [snip]
> ikev2 "roadWarrior" passive esp \
>         from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
>         srcid A.B.9.73 \
>         config address 10.0.70.128 \
>         tag "$name-$id"
> 
> # iked -n
> configuration OK
> 
> # cat /etc/pf.conf
> ext_if = "vr0"
> lan_if = "vr1"                  # vr1
> lan_local = $lan_if:network     # 10.0.73.0/24
> ext_ip = "A.B.9.73"
> bud = "A.B.9.0/25"
> rdkhome_wy = "YY.YY.YY.YY"
> rdkhome_mon = "XX.XX.XX.XX"
> ssh_port = "1071"
> icmp_types = "{ echoreq, unreach }"
> table <vpn_peers> const { A.B.9.74, A.B.C.75 }
> set skip on { lo, enc0 }
> block return on $ext_if         # block stateless traffic
> 
> match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> 
> pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon } to $ext_if port $ssh_port \
>         set prio (1, 6) keep state
> 
> pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
> pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
> pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
> pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
> pass out quick on trust received-on enc0 keep state
> pass out log proto tcp set prio (1, 6) keep state
> pass log proto udp set prio (1, 6) keep state
> 
> pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state
> 
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> 
> # iked -dvv
> ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 policy 'roadWarrior' id 0, 528 bytes
> ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
> ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x35e2e7f614678913 0x0000000000000000 E.F.G.H:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x0000000000000000 A.B.9.73:500
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 21
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> ikev2_sa_keys: SKEYSEED with 20 bytes
> ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 20 bytes
> ikev2_prfplus: T2 with 20 bytes
> ikev2_prfplus: T3 with 20 bytes
> ikev2_prfplus: T4 with 20 bytes
> ikev2_prfplus: T5 with 20 bytes
> ikev2_prfplus: T6 with 20 bytes
> ikev2_prfplus: T7 with 20 bytes
> ikev2_prfplus: T8 with 20 bytes
> ikev2_prfplus: Tn with 160 bytes
> ikev2_sa_keys: SK_d with 20 bytes
> ikev2_sa_keys: SK_ai with 20 bytes
> ikev2_sa_keys: SK_ar with 20 bytes
> ikev2_sa_keys: SK_ei with 24 bytes
> ikev2_sa_keys: SK_er with 24 bytes
> ikev2_sa_keys: SK_pi with 20 bytes
> ikev2_sa_keys: SK_pr with 20 bytes
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f A.B.9.73:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f E.F.G.H:500
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0, 325 bytes
> config_free_proposals: free 0x8134e000
> 
> Generating and installing a certificate for E.F.G.H doesn't make any change.
> 
> 
> On Sat, 27 Jan 2018 19:55:46 +0100
> Radek <alee...@gmail.com> wrote:
> 
> > Hello,
> > 
> > I have configured an OpenIKED site-to-site VPN between two gateways:
> > serv73 - OBSD 6.1, IP A.B.C.73,
> > serv75 - OBSD 6.2, IP A.B.C.75.
> > It seems to work fine.
> > 
> > I'm trying to set up a VPN for a few road warriors on one of these gateways.
> > As far as possible, authorisation should be independent of the user's IP.
> > If I get it right, a certificate is always bound to a certain IP, so I need to
> > use login and password authentication.
> > After spending some time playing around with that I cannot find the proper
> > configuration.
> > I know the reason for that is a lack of a certificate (I don't have any idea
> > what cert it is) but maybe something else that I have missed or did
> > wrong.
> > I have read the manuals but not everything is clear to me.
> > 
> > On Win7 I got the 809 error.
> > The client is configured as below:
> > https://hide.me/en/vpnsetup/windows7/ikev2/
> > 
> > Any help appreciated :)
> > 
> > My configs:
> > 
> > [root@serv75/home/rdk:]iked -dv
> > ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes
> > ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
> > ca_getreq: no valid local certificate found
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
> > 
> > 
> > [root@serv75/home/rdk:]cat /etc/iked.conf
> > remote_gw73 = "A.B.C.73"        # serv33
> > remote_lan73 = "10.0.73.0/24"
> > local_gw = "10.0.75.254"        # serv75
> > local_lan = "10.0.75.0/24"
> > dns1 = "8.8.8.8"
> > 
> > ikev2 active esp from $local_gw to $remote_gw73 \
> >         from $local_lan to $remote_lan73 peer $remote_gw73 \
> >         psk "test123"
> > 
> > user "test" "pass1234"
> > ikev2 "roadwarrior" passive esp \
> >         from 0.0.0.0/0 to 10.0.75.0/24 \
> >         local any peer any \
> >         eap "mschap-v2" \
> >         config address 10.0.75.123 \
> >         config name-server 8.8.8.8 \
> >         tag "$name-$id"
> > 
> > [root@serv75/home/rdk:]cat /etc/pf.conf
> > ext_if = "vr0"
> > lan_if = "vr1"                  # vr1
> > lan_local = $lan_if:network     # 10.0.75.0/24
> > ext_ip = "A.B.C.75"
> > bud = "A.B.C.0/25"
> > rdkhome_wy = "YY.YY.YY.YY"
> > rdkhome_mon = "XX.XX.XX.XX"
> > ssh_port = "1071"
> > icmp_types = "{ echoreq, unreach }"
> > table <vpn_peers> const { A.B.C.73, A.B.C.74 }
> > set skip on { lo, enc0 }
> > block return on $ext_if         # block stateless traffic
> > match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> > pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon } to $ext_if port $ssh_port \
> >         set prio (1, 6) keep state
> > pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
> > pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
> > pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
> > pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
> > pass out quick on trust received-on enc0 keep state
> > pass out log proto tcp set prio (1, 6) keep state
> > pass log proto udp set prio (1, 6) keep state
> > pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> > pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state
> > block return in on ! lo0 proto tcp to port 6000:6010
> > 
> > [root@serv75/home/rdk:]cat /etc/hostname.vr0
> > inet A.B.C.75 255.255.254.0 NONE description "WAN75"
> > group trust
> > 
> > [root@serv75/home/rdk:]cat /etc/hostname.vr1
> > inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
> > group trust
> > 
> > [root@serv75/home/rdk:]cat /etc/hostname.enc0
> > up
> > 
> > [root@serv75/home/rdk:]cat /etc/rc.conf.local
> > iked_flags=YES
> > ntpd_flags="-s"
> > dhcpd_flags="vr1 vr2 vr3"
> > 
> > [root@serv75/home/rdk:]cat /etc/sysctl.conf
> > net.inet.ip.forwarding=1
> > net.inet.ipcomp.enable=1
> > net.inet.esp.enable=1
> > 
> > 
> > -- 
> > radek
> 
> 
> -- 
> radek


-- 
radek
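The three iked debug excerpts in this thread stop at two different points: in the two newer mails the responder sends its IKE_SA_INIT response and nothing from the client ever arrives again, while in the oldest mail the IKE_AUTH request does arrive (three times, on UDP/4500) and iked logs "ca_getreq: no valid local certificate found" without answering it. The Windows client reports error 809 in both cases, so the server-side log is the only place the two failures can be told apart. The script below is an added example, not code from the thread and not part of OpenIKED: it groups iked request/response lines by initiator address and prints a one-line verdict per peer. The sample lines are constructed after the excerpts above (addresses are the thread's own placeholders); the regexes match the `ikev2_recv` and `ikev2_msg_send` formats as they appear in those excerpts and have not been checked against other iked versions.

```python
"""Triage helper for OpenIKED `iked -dvv` output.

Added example (not from the thread, not OpenIKED code). It groups the
`ikev2_recv ... request` and `ikev2_msg_send ... response` lines by
initiator address and reports how far each peer got: IKE_SA_INIT
answered? IKE_AUTH received? IKE_AUTH answered? It also records NAT
detection and the `ca_getreq: no valid local certificate found` error.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 policy 'test' id 0, 528 bytes
RECV_RE = re.compile(
    r"ikev2_recv: (?P<exch>\w+) request from initiator "
    r"(?P<peer>\S+?):(?P<pport>\d+) to (?P<local>\S+?):(?P<lport>\d+) "
    r"policy '(?P<policy>[^']*)' id \d+, (?P<len>\d+) bytes"
)
# ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 0, 329 bytes
SEND_RE = re.compile(
    r"ikev2_msg_send: (?P<exch>\w+) response from "
    r"(?P<local>\S+?):(?P<lport>\d+) to (?P<peer>\S+?):(?P<pport>\d+) "
    r"msgid (?P<msgid>\d+), (?P<len>\d+) bytes"
)
NAT_RE = re.compile(r"NAT_DETECTION_SOURCE_IP detected NAT")
NOCERT_RE = re.compile(r"ca_getreq: no valid local certificate found")


@dataclass
class PeerState:
    requests: dict = field(default_factory=lambda: defaultdict(int))   # exchange -> requests received
    responses: dict = field(default_factory=lambda: defaultdict(int))  # exchange -> responses sent
    ports: set = field(default_factory=set)   # (peer port, local port) pairs seen
    nat_detected: bool = False
    no_local_cert: int = 0


def parse_iked_log(lines):
    """Group iked debug lines by initiator address.

    Lines that carry no address (NAT detection, certificate errors) are
    attributed to the peer of the most recent request/response line; iked
    logs one message at a time, so this is good enough for triage. The
    regexes use search(), so '> ' mail quoting in front of a line is fine.
    """
    peers = {}
    current = None
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            current = m["peer"]
            st = peers.setdefault(current, PeerState())
            st.requests[m["exch"]] += 1
            st.ports.add((int(m["pport"]), int(m["lport"])))
            continue
        m = SEND_RE.search(line)
        if m:
            current = m["peer"]
            st = peers.setdefault(current, PeerState())
            st.responses[m["exch"]] += 1
            st.ports.add((int(m["pport"]), int(m["lport"])))
            continue
        if current is None:
            continue
        if NAT_RE.search(line):
            peers[current].nat_detected = True
        elif NOCERT_RE.search(line):
            peers[current].no_local_cert += 1
    return peers


def diagnose(st):
    """Turn one peer's counters into a one-line verdict."""
    init_req, init_resp = st.requests["IKE_SA_INIT"], st.responses["IKE_SA_INIT"]
    auth_req, auth_resp = st.requests["IKE_AUTH"], st.responses["IKE_AUTH"]
    if init_req == 0:
        return "no IKE_SA_INIT request seen from this peer"
    if init_resp == 0:
        return "IKE_SA_INIT received but not answered"
    if auth_req == 0:
        # After NAT detection both sides move to UDP/4500 for IKE_AUTH (RFC 7296 2.23).
        port = "UDP/4500 (NAT-T)" if st.nat_detected else "UDP/500"
        return ("IKE_SA_INIT answered, no IKE_AUTH request arrived on %s: "
                "either our response never reached the initiator or its "
                "IKE_AUTH never reached us" % port)
    if st.no_local_cert:
        return ("IKE_AUTH received %d time(s) but not answered: "
                "no valid local certificate for the policy (ca_getreq)" % auth_req)
    if auth_resp == 0:
        return "IKE_AUTH received %d time(s) but not answered" % auth_req
    return "IKE_AUTH answered; IKE SA established"


def summarize(lines):
    """Map every initiator address found in the log to its verdict."""
    return {peer: diagnose(st) for peer, st in parse_iked_log(lines).items()}


# Constructed samples modelled on the thread's excerpts (placeholder addresses kept).
SAMPLE_NO_AUTH = [
    "ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 policy 'test' id 0, 528 bytes",
    "ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000",
    "ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation",
    "ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 0, 329 bytes",
]
SAMPLE_NO_CERT = [
    "> > ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes",
    "> > ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes",
    "> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes",
    "> > ca_getreq: no valid local certificate found",
    "> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes",
    "> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes",
]

if __name__ == "__main__":
    for name, sample in (("no IKE_AUTH", SAMPLE_NO_AUTH), ("no local cert", SAMPLE_NO_CERT)):
        for peer, verdict in summarize(sample).items():
            print("%-14s %-10s %s" % (name, peer, verdict))
```

Feed it a real capture with `iked -dvv 2>&1 | tee iked.log` and `summarize(open("iked.log"))`. The first verdict deliberately stops at what the log proves: once the responder has sent its IKE_SA_INIT reply, the only fact is that nothing came back, so the next step is a packet capture on the egress interface for UDP 500/4500 from the client's address, not another change to iked.conf. The second verdict points at the responder's own certificate selection, which is a configuration problem the log already names.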