Hello,
I am struggling with fully understanding OpenBSD's implementation of ipsec (v2).
So, as far as I have wrapped my head around it, I have understood the following.
When a packet's destination and origin match an IPsec flow it is being stolen
from iked and passed through the tunnel. It does not hit the routing table. So
far correct? That implies that all the routing that needs to be done for IPsec
tunnels to work is happening in iked.conf. Ok. Imagine the following setup.
I have got a router and a roadwarrior, both running OpenBSD (-release). The
router has got 3 subnets next to its uplink. In my scenario I need the
roadwarrior to pass traffic to one client in one of the subnets.
Pf is configured to pass traffic on ports 500 and 4500 protocol udp. Further,
NAT is NOT being applied. Pubkeys are exchanged according to the manual. The
tunnel is being established. The only problem is that the traffic doesn't reach
the desired destination.

So here a rough markout:
(IPs are examples)
Router: 192.0.0.1
Target subnet: 10.0.1.0/24
Target machine in subnet: 10.0.1.101/32

Roadwarrior: 172.0.0.1

Corresponding iked.confs:
Router iked.conf:
ikev2 'road2router' esp \
 from 0.0.0.0/0 to 10.0.2.1/32 \
 peer 172.0.0.1 local 192.0.0.1 \
 srcid roadwarrior.domain.com \
 dstid router.domain.com

roadwarrior iked.conf:
ikev2 'road2router' esp \
 from 0.0.0.0/0 to 10.0.2.1/32 \
 peer 192.0.0.1 local 172.0.0.1 \
 srcid roadwarrior.domain.com \
 dstid router.domain.com


So... that is it. I do admit I am slightly confused by the config options in
iked.conf.
When do I need to configure an IP address for the client in iked with 'config'?
Help would be SO much appreciated.

Thanks a lot for your time.

Best regards,
Niav
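As an added check that is not part of the post above: assuming iked.conf's `from` selector is the local side and `to` the remote side (the flow is installed in both directions), this Python snippet parses the router configuration quoted in the post and reports which packets the negotiated flow would claim instead of the routing table.

```python
import ipaddress
import re
from typing import Optional

# Constructed copy of the router iked.conf quoted in the post above.
ROUTER_CONF = """ikev2 'road2router' esp \\
 from 0.0.0.0/0 to 10.0.2.1/32 \\
 peer 172.0.0.1 local 192.0.0.1 \\
 srcid roadwarrior.domain.com \\
 dstid router.domain.com
"""

RULE_RE = re.compile(r"ikev2\s+'([^']+)'.*?from\s+(\S+)\s+to\s+(\S+)")


def parse_flows(conf: str):
    """Return (name, local_net, remote_net) for each ikev2 rule in conf.
    Assumption: 'from' is the local selector and 'to' the remote one."""
    flows = []
    # Join backslash-continued lines so each rule becomes one line.
    for rule in conf.replace("\\\n", " ").splitlines():
        m = RULE_RE.search(rule)
        if m:
            flows.append((m.group(1),
                          ipaddress.ip_network(m.group(2), strict=False),
                          ipaddress.ip_network(m.group(3), strict=False)))
    return flows


def matching_flow(conf: str, src: str, dst: str) -> Optional[tuple]:
    """Which flow (if any) claims a packet src->dst, and in which direction:
    'out' (local->remote) or 'in' (remote->local)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in parse_flows(conf):
        if s in local and d in remote:
            return (name, "out")
        if s in remote and d in local:
            return (name, "in")
    return None  # no flow: the packet falls through to the routing table


if __name__ == "__main__":
    # Packet the poster wants tunnelled: roadwarrior -> target host.
    print(matching_flow(ROUTER_CONF, "172.0.0.1", "10.0.1.101"))
    # Only traffic to the /32 actually named in the flow is claimed.
    print(matching_flow(ROUTER_CONF, "172.0.0.1", "10.0.2.1"))
```

Run it against both sides' iked.conf to see whether the traffic you expect in the tunnel is covered by any flow at all; `ipsecctl -sa` on the hosts shows the flows the kernel actually installed.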