I’m building a gateway to encrypt some traffics:
Client —————> Gateway —————> VPN Server —————> Internet
(192.168.1.16) (10.0.0.2)
[Gateway] /etc/iked.conf:
ikev2 quick active ipcomp esp \
from 10.0.0.2 to 0.0.0.0/0 \
local egress peer $vpn_server_ip \
ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519
\
childsa enc chacha20-poly130 group curve25519 \
dstid "asgard.local"
[VPN Server] /etc/iked.conf:
ikev2 quick passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.2 \
local egress \
ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519
\
childsa enc chacha20-poly130 group curve25519 \
dstid "blackjack.local"
The SA has been established. When I ping 10.0.0.2 on VPN Server and tcpdump on
gateway enc0 I got:
# tcpdump -envps 1500 -i enc0 -l
tcpdump: listening on enc0, link-type ENC
03:48:20.778584 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip >
$gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:0)
[icmp cksum ok] (ttl 255, id 60419, len 84) (ttl 50, id 59144, len 104)
03:48:21.788330 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip >
$gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:1)
[icmp cksum ok] (ttl 255, id 1688, len 84) (ttl 50, id 31496, len 104)
How can I route the packets from the client to the VPN server on the gateway?
When I was using OpenVPN, I did the routing in pf.conf:
pass in quick from 192.168.1.0/24 to !192.168.1.0/24 route-to tun0
pass out quick on tun0 from 192.168.1.0/24 to any nat-to tun0
However, there is no tunnel device created after the SA is established on
OpenBSD. Did I miss something to create it?
Best regards,
Siegfried
