Thank you for your response. Following your suggestion I removed the IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local A.B.C.77 peer any \
        srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
        config address 10.0.1.0/24 \
        config netmask 255.255.255.0 \
        config name-server $dns1 \
        config name-server $dns2 \
        config access-server A.B.C.77 \
        config protected-subnet 0.0.0.0/0 \
        tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get the 809 Error.

I also tried another scenario: puffy_server <-> puffy_warrior. The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Confs:

puffy_server (just changed /etc/iked.conf and /etc/hostname.enc0 as below, the rest of my previous conf is untouched):

$ cat /etc/iked.conf
# puffy_server
ikev2 office passive esp \
        from 172.16.0.64 to 0.0.0.0/0 \
        from 172.16.0.254 to 0.0.0.0/0 \
        local A.B.C.77 peer any \
        srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com"

$ cat /etc/hostname.enc0
up

puffy_warrior:

$ cat /etc/iked.conf
# puffy_warrior
ikev2 home active esp \
        from egress to 172.16.0.0/24 \
        local egress peer A.B.C.77 \
        srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com"

$ pfctl -s rules
pass all flags S/SA

This is the warrior log, public IP 1.2.3.119:

$ iked -dvv
set_policy_auth_method: using rfc7427 for peer
ikev2 "home" active esp inet from 1.2.3.119 to 172.16.0.0/24 local 1.2.3.119 peer A.B.C.77 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com dstid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file puffy63.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_init_ike_sa: initiating "home"
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com length 123
ikev2_add_proposals: length 108
ikev2_next_payload: length 112 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x64068214f68d9422 0x0000000000000000 1.2.3.119:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x64068214f68d9422 0x0000000000000000 A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 1.2.3.119:500 to A.B.C.77:500 msgid 0, 510 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder A.B.C.77:500 to 1.2.3.119:500 policy 'home' id 0, 471 bytes
ikev2_recv: ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d
ikev2_recv: updated SA to peer A.B.C.77:500 local 1.2.3.119:500
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x64068214f68d9422 0x84af2c52dcbc294d A.B.C.77:500
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x64068214f68d9422 0x84af2c52dcbc294d 1.2.3.119:500
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com length 123
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 574
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 574
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0x79d91600
ca_getreq: found CA /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_getreq: found local certificate /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com
ca_setauth: auth length 272
ikev2_getimsgdata: imsg 20 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 initiator 1 sa valid type 4 data length 961
ikev2_dispatch_cert: cert type X509_CERT length 961, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 25 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 initiator 1 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 127 nextpayload CERT
ikev2_next_payload: length 966 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
pfkey_sa_getspi: spi 0xda769508
pfkey_sa_init: new spi 0xda769508
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1530
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1531, padding 5, output length 1568
ikev2_next_payload: length 1572 nextpayload IDi
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1600 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 5
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 127
ikev2_pld_id: id ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com length 123
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 966
ikev2_pld_cert: type X509_CERT length 961
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xda769508
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 1.2.3.119 end 1.2.3.119
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.0.255
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 1600 bytes
ikev2_init_ike_sa: "home" is already active

$ ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:

I really do not know what I am doing wrong.

On Wed, 31 Oct 2018 11:50:25 +0100
Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

> On 10/28/18 3:04 PM, Radek wrote:
> > Hello,
> > I really need your help.
> > I am still trying to configure an IKEv2 VPN Gateway (A.B.C.77/23) for road
> > warrior clients (Windows).
> > The problem is that it works ONLY if clients are in the same subnet as the VPN
> > Gateway (A.B.C.0/23).
> > Clients from outside the gateway's subnet (!A.B.C.0/23) cannot establish
> > the connection (809 Error). It does not matter if they are behind NAT or
> > not, tried different ISPs - the same.
> >
> > Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23.
> >
> > I do not know what I am doing wrong.
> > Can anyone please help me with solving this problem?
> > Thank you.
> >
> > This is a fresh 6.3/i386 install:
> >
> > # cat /etc/hostname.enc0
> > inet 10.0.1.1 255.255.255.0 10.0.1.255
> > up
>
> You don't need an IP on enc0
>
> > # cat /etc/iked.conf
> > ikev2 "test" passive esp \
> >         from 0.0.0.0/0 to 0.0.0.0/0 \
> >         local A.B.C.77 peer any \
> >         srcid A.B.C.77 \
> >         config address 10.0.1.0/24 \
> >         config name-server 8.8.8.8 \
> >         tag "IKED"
>
> Try something like this, it works for both Win7 and Win10:
>
> /etc/iked.conf
> ---------------------------------
> ikev2 "roadWarrior" ipcomp esp \
>         from 0.0.0.0/0 to 0.0.0.0/0 \
>         peer any \
>         srcid $srcid \
>         config address 10.0.1.0/24 \
>         config netmask 255.255.255.0 \
>         config name-server $dns1 \
>         config name-server $dns2 \
>         config access-server A.B.C.77 \
>         config protected-subnet 0.0.0.0/0 \
>         tag "$id"
>
> 'access-server' tells Windows what gateway to use for 'protected-subnet'
> (see iked.conf(5)).

-- 
radek
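A small triage helper for iked -dvv output of the kind pasted in the message above; this is an added example, not code from the thread or from OpenBSD. It pairs each ikev2_msg_send request with its ikev2_recv response by exchange name and message id, reports requests that never received an answer, and flags any request larger than an assumed 1500-byte Ethernet MTU (that threshold is my assumption, not something the thread states); the sample lines are the send/recv entries quoted from the warrior log.

```python
import re

# Sample input: the ikev2_msg_send / ikev2_recv lines quoted from the
# iked -dvv log in the message above (addresses anonymised as in the post).
SAMPLE_LOG = """\
ikev2_msg_send: IKE_SA_INIT request from 1.2.3.119:500 to A.B.C.77:500 msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder A.B.C.77:500 to 1.2.3.119:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 1600 bytes
ikev2_init_ike_sa: "home" is already active
"""

SEND_RE = re.compile(
    r"ikev2_msg_send: (?P<exch>\w+) request from (?P<src>\S+) to (?P<dst>\S+) "
    r"msgid (?P<msgid>\d+), (?P<size>\d+) bytes")
RECV_RE = re.compile(
    r"ikev2_recv: (?P<exch>\w+) response from responder (?P<src>\S+) to (?P<dst>\S+) "
    r"policy '(?P<policy>[^']*)' id (?P<msgid>\d+), (?P<size>\d+) bytes")

# Assumed threshold (not from the post): a UDP datagram above this size has to
# be IP-fragmented on an Ethernet-MTU path, which is worth knowing when a
# request gets no reply.
FRAG_THRESHOLD = 1500

def analyse(log):
    """Pair each IKE request with its response by (exchange, msgid).
    Returns one dict per request, ordered by msgid."""
    requests = {}
    for line in log.splitlines():
        m = SEND_RE.search(line)
        if m:
            size = int(m["size"])
            requests[(m["exch"], int(m["msgid"]))] = {
                "exchange": m["exch"], "msgid": int(m["msgid"]), "peer": m["dst"],
                "request_bytes": size, "response_bytes": None,
                "answered": False, "fragmented": size > FRAG_THRESHOLD}
            continue
        m = RECV_RE.search(line)
        if m and (m["exch"], int(m["msgid"])) in requests:
            entry = requests[(m["exch"], int(m["msgid"]))]
            entry["answered"] = True
            entry["response_bytes"] = int(m["size"])
    return [requests[k] for k in sorted(requests, key=lambda k: k[1])]

def unanswered(log):
    """Requests that never saw a matching ikev2_recv response."""
    return [r for r in analyse(log) if not r["answered"]]

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        status = "answered" if r["answered"] else "NO RESPONSE"
        note = f" (request > {FRAG_THRESHOLD} bytes, IP-fragmented)" if r["fragmented"] else ""
        print(f"{r['exchange']} msgid {r['msgid']} -> {r['peer']}: {status}{note}")
```

Run against a full `iked -dvv` capture it lists which exchange stalled and how large the unanswered request was, which narrows a "no response" failure down to the one message the far side never saw.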