Hello,
I have an IKEv2 VPN server setup with OpenBSD + IKED + PF. Everything is
working properly - a single client device will properly route all traffic
through the VPN and exit from the VPN server via PF + NAT.
However, I experience errors when two clients connect simultaneously. Both
clients appear to connect successfully, but I believe NAT issues are preventing
traffic from leaving the box, or confusing the two clients' traffic streams
during NAT. I'm looking for any clues / suggestions which may help achieve my
use case.
The internet suggests using unique "from CLIENTIPADDR" clauses for each
potential client in /etc/iked.conf - but I can't tell ahead of time which CIDR
ranges my devices will be connecting from (especially roaming cell phones).
Also, in some cases I may have two devices connecting from the same CIDR range.
I’m not even sure it’s an IKED issue, rather NAT.
Respectfully,
David Anthony
/etc/pf.conf

set skip on lo
block return
match out on vio0 from 10.0.0.0/24 to any nat-to vio0
pass
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild

/etc/iked.conf

ikev2 "inet" esp \
from 0.0.0.0/0 to 10.0.0.0/24 \
peer any \
psk "foobar" \
config address 10.0.0.64/27 \
config name-server 10.0.0.1 \
config protected-subnet 0.0.0.0/0

/etc/hostname.enc0

inet 10.0.0.1 255.255.255.0 10.0.0.255
up

/etc/rc.conf.local

iked_flags=
unbound_flags=

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ipcomp.enable=1
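A diagnostic that helps separate "iked problem" from "NAT problem" in a setup like the one above is to look at the PF state table while both clients are connected and check, per tunnel client, whether its outbound states were actually translated and whether any two clients ended up sharing a translated tuple. The script below is an added example, not part of David's post and not an OpenBSD tool; it parses the line format `pfctl -s state` prints on OpenBSD (`<if> <proto> <translated src> (<original src>) -> <dst> <state>`), using the pool (10.0.0.64/27) and nat-to source range (10.0.0.0/24) from the configs in the post. The state lines in it are constructed samples, not captured from the poster's box; on a live system, feed it `pfctl -s state` output on stdin.

```python
"""Audit PF NAT states for an iked road-warrior pool.

Added example, not from the original post. Assumptions: the pool and NAT
source range come from the poster's iked.conf / pf.conf; the sample state
lines below are constructed in OpenBSD `pfctl -ss` format.
"""
import ipaddress
import re
import sys
from collections import defaultdict

VPN_POOL = ipaddress.ip_network("10.0.0.64/27")    # iked.conf: config address
NAT_SOURCE = ipaddress.ip_network("10.0.0.0/24")   # pf.conf: match out ... from

# Constructed sample of `pfctl -s state` output (not real captured data).
SAMPLE_STATES = """\
vio0 tcp 203.0.113.10:61234 (10.0.0.65:49152) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
vio0 udp 203.0.113.10:61235 (10.0.0.65:5353) -> 198.51.100.53:53       MULTIPLE:MULTIPLE
vio0 tcp 203.0.113.10:61236 (10.0.0.66:49152) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
vio0 tcp 10.0.0.99:40000 -> 198.51.100.9:80       SYN_SENT:CLOSED
all udp 203.0.113.10:500 <- 192.0.2.44:500       MULTIPLE:MULTIPLE
"""

# <if> <proto> <src>[ (<original src>)] -> <dst> ...   ('<-' marks inbound states)
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<osrc>[^)]+)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)"
)


def _endpoint(text):
    """Split 'host:port' into (host, port); tolerates bracketed IPv6 hosts."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_states(text):
    """Return the outbound ('->') states as dicts; inbound states are skipped."""
    records = []
    for raw in text.splitlines():
        m = STATE_RE.match(raw.strip())
        if not m or m.group("dir") != "->":
            continue
        records.append({
            "raw": raw.strip(),
            "ifname": m.group("ifname"),
            "proto": m.group("proto"),
            "src": _endpoint(m.group("src")),          # address as seen on the wire
            "orig_src": _endpoint(m.group("osrc")) if m.group("osrc") else None,
            "dst": _endpoint(m.group("dst")),
        })
    return records


def audit(records, pool=VPN_POOL, nat_source=NAT_SOURCE):
    """Return (states per tunnel client, findings, translated-tuple collisions).

    findings: ('outside-pool', line) when a tunnel-side source is in the
    nat-to range but not in iked's pool; ('not-translated', line) when a
    tunnel-side source left the box without nat-to being applied.
    collisions: two different inner clients sharing one (proto, src, dst)
    on the wire, which would mean replies could not be demultiplexed.
    """
    per_client = defaultdict(int)
    findings, collisions, seen = [], [], {}
    for r in records:
        inner_ip = ipaddress.ip_address((r["orig_src"] or r["src"])[0])
        if inner_ip not in nat_source:
            continue                      # the host's own traffic, not tunnel traffic
        if inner_ip not in pool:
            findings.append(("outside-pool", r["raw"]))
        if r["orig_src"] is None:
            findings.append(("not-translated", r["raw"]))
            continue
        per_client[str(inner_ip)] += 1
        key = (r["proto"], r["src"], r["dst"])
        if key in seen and seen[key] != str(inner_ip):
            collisions.append((key, seen[key], str(inner_ip)))
        seen.setdefault(key, str(inner_ip))
    return dict(per_client), findings, collisions


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    clients, findings, collisions = audit(parse_states(text))
    for client, count in sorted(clients.items()):
        print(f"{client}: {count} translated outbound state(s)")
    for kind, line in findings:
        print(f"{kind}: {line}")
    for key, a, b in collisions:
        print(f"collision: {a} and {b} share {key}")
```

If every client in the pool shows translated states and no collisions, PF's NAT is doing its job and the problem sits on the iked side (flows or routing); a client that shows up as not-translated, or with an address outside the pool, points at the nat-to rule or the address assignment instead.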