Hello, I have an IKEv2 VPN server setup with OpenBSD + IKED + PF. Everything is working properly - a single client device will properly route all traffic through the VPN and exit from the VPN server via PF + NAT.
However, I experience errors with two clients simultaneously connecting. Both clients appear to successfully connect, but I believe NAT issues are preventing traffic from leaving the box, or confusing the two clients' traffic streams during NAT. I'm looking for any clues / suggestions which may help achieve my use case. The internet suggests using unique "from CLIENTIPADDR" clauses for each potential client in /etc/iked.conf - but I can't tell ahead of time which CIDR ranges my devices will be connecting from (especially roaming cell phones). Also, in some cases I may have two devices connecting from the same CIDR range. I'm not even sure it's an IKED issue, rather NAT.

Respectfully,
David Anthony

/etc/pf.conf

set skip on lo
block return
match out on vio0 from 10.0.0.0/24 to any nat-to vio0
pass
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild

/etc/iked.conf

ikev2 "inet" esp \
    from 0.0.0.0/0 to 10.0.0.0/24 \
    peer any \
    psk "foobar" \
    config address 10.0.0.64/27 \
    config name-server 10.0.0.1 \
    config protected-subnet 0.0.0.0/0

/etc/hostname.enc0

inet 10.0.0.1 255.255.255.0 10.0.0.255 up

/etc/rc.conf.local

iked_flags=
unbound_flags=

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ipcomp.enable=1
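As an added check (not part of the post above), the script below cross-references the address values from the posted iked.conf, pf.conf and hostname.enc0 to confirm that a second client's pool address would still be matched by the nat-to rule and the iked flow; it only validates addressing consistency and does not diagnose the reported fault. It assumes that iked hands out pool addresses sequentially from the usable hosts of 10.0.0.64/27, which is a simplification for illustration.

```python
import ipaddress

# Values copied from the posted configs (enc0 mask 255.255.255.0 is /24)
POOL = "10.0.0.64/27"        # iked.conf: config address
ENC0 = "10.0.0.1/24"         # hostname.enc0
NAME_SERVER = "10.0.0.1"     # iked.conf: config name-server
NAT_SOURCE = "10.0.0.0/24"   # pf.conf: match out on vio0 from ... nat-to vio0
FLOW_DST = "10.0.0.0/24"     # iked.conf: from 0.0.0.0/0 to ...


def check_addressing(pool, enc0, name_server, nat_source, flow_dst):
    """Return a list of findings; an empty list means the pieces agree."""
    pool = ipaddress.ip_network(pool)
    enc0 = ipaddress.ip_interface(enc0)
    name_server = ipaddress.ip_address(name_server)
    nat_source = ipaddress.ip_network(nat_source)
    flow_dst = ipaddress.ip_network(flow_dst)
    findings = []
    if not pool.subnet_of(nat_source):
        findings.append("client pool is not covered by the pf nat-to source")
    if not pool.subnet_of(flow_dst):
        findings.append("client pool is not inside the iked flow destination")
    if enc0.ip in pool:
        findings.append("enc0 gateway address lies inside the client pool")
    if name_server not in enc0.network:
        findings.append("name-server is not on the enc0 subnet")
    return findings


def assign_clients(pool, count):
    """Hand out distinct pool addresses to simultaneous clients.
    Assumption: sequential leases from the pool's usable host addresses."""
    hosts = list(ipaddress.ip_network(pool).hosts())
    if count > len(hosts):
        raise ValueError(f"pool {pool} holds only {len(hosts)} usable addresses")
    return hosts[:count]


def nat_covers_clients(clients, nat_source):
    """True when every client address would hit the pf nat-to rule."""
    network = ipaddress.ip_network(nat_source)
    return all(addr in network for addr in clients)


if __name__ == "__main__":
    print(check_addressing(POOL, ENC0, NAME_SERVER, NAT_SOURCE, FLOW_DST))
    two_clients = assign_clients(POOL, 2)
    print([str(a) for a in two_clients], nat_covers_clients(two_clients, NAT_SOURCE))
```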