Hello nice people! Hello there from the Spanish neural control network! I'm setting up a road-warrior type IKEv2 secure connection from .es to .uk.

All goes fine except my head, which is full of voice to skull. But I'm a Unix lover, so I carry on with my personal, but not only, battle. So I've done some configuration and here you are:

1) RESPONDER:

root@ganesha:/etc# cat hostname.enc0
inet 172.16.44.1/32 up

root@ganesha:/etc# cat iked.conf
set fragmentation
ikev2 'vpnc' passive esp \
	from 0.0.0.0/0 to 172.16.44.2 \
	from 0.0.0.0/0 to 10.1.11.0/24 \
	from 0.0.0.0/0 to 10.2.22.0/24 \
	from 0.0.0.0/0 to 10.3.30.0/24 \
	from 0.0.0.0/0 to 10.3.33.0/24 \
	local 78.141.201.0 \
	srcid vpnc.telecomlobby.com.fqdn dstid cat-01.telecomlobby.com.fqdn \
	tag "$name-$id"

root@ganesha:/etc# cat pf.conf
# PACKET NORMALIZE
match out on enc scrub (max-mss 1360, no-df)

# NAT
pass out on egress from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
	to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } nat-to (egress)
root@ganesha:/etc#

Next is the client, another little OpenBSD guy, a Raspberry Pi 3 with VLAN+PPPoE+IPsec:

root@smigol:/etc# cat pf.conf
match out on enc scrub (max-mss 1360, no-df)
match out on pppoe scrub (max-mss 1440, no-df)

root@smigol:/etc# cat iked.conf
ikev2 'cat-01' active esp \
	from 172.16.44.2 to 0.0.0.0/0 \
	from 10.3.30.0/24 to 0.0.0.0/0 \
	from 10.1.11.10/24 to 0.0.0.0/0 \
	from 10.2.22.0/24 to 0.0.0.0/0 \
	from 10.3.33.0/24 to 0.0.0.0/0 \
	peer 78.141.201.0 \
	srcid cat-01.telecomlobby.com.fqdn dstid vpnc.telecomlobby.com.fqdn \
	tag "$name-$id"

root@smigol:/etc# cat ipsec.conf
flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
flow esp in from { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } to { 10.1.11.31/32, 10.2.22.31/32, 10.3.30.31/32, 10.3.33.31/32, 172.16.44.2/32, 192.168.144.1/32 } type bypass
flow esp out from { 10.1.11.31/32, 10.2.22.31/32, 10.3.30.31/32, 10.3.33.31/32, 172.16.44.2/32, 192.168.144.1/32 } to { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } type bypass
flow from { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } to { 10.1.11.0/24, 10.2.22.0/24, 10.3.30.0/24, 10.3.33.0/24 } type bypass

root@smigol:/etc# cat hostname.enc0
inet 172.16.44.2/32 up

If I sniff traffic over the enc0 interface I find a strange error about the IP checksum:

(DF) (ttl 63, id 43164, len 52)
(DF) (ttl 64, id 18753, len 72, bad ip cksum 0! -> c48a)

This is the error, as you can see. I cannot find a solution on the Internet, and the real thing is that in many other posts people copy and paste packets and this error is visible, but no one thinks that it is in effect an error, or they do not speak about it. I tried some values in sysctl but with no results.

Nice regards and thank you,

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
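Added here as an illustration, not part of the post above: a Python snippet that parses the tcpdump IP summary line quoted in the message and recomputes the IPv4 header checksum over a constructed header using the post's ttl/id/len values. It shows that a header whose checksum field still reads 0 at capture time is reported as "bad ip cksum 0! -> <recomputed>", a different signal from a corrupted non-zero value; the enc0 addresses 172.16.44.2 -> 172.16.44.1 and TCP as the payload protocol are assumptions.

```python
import re
import socket
import struct

# Constructed input (not from the post): the second tcpdump -v line quoted above.
TCPDUMP_LINE = "(DF) (ttl 64, id 18753, len 72, bad ip cksum 0! -> c48a)"

# tcpdump prints the IP header summary as "(ttl N, id N, len N[, bad ip cksum X! -> Y])".
IP_LINE_RE = re.compile(
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)"
    r"(?:, bad ip cksum (?P<stored>[0-9a-f]+)! -> (?P<expected>[0-9a-f]+))?\)"
)


def parse_tcpdump_ip_line(line):
    """Extract ttl/id/len and the checksum complaint, if any, from a tcpdump -v IP line."""
    m = IP_LINE_RE.search(line)
    if m is None:
        return None
    info = {"ttl": int(m["ttl"]), "id": int(m["id"]), "len": int(m["len"])}
    info["stored_cksum"] = int(m["stored"], 16) if m["stored"] else None
    info["expected_cksum"] = int(m["expected"], 16) if m["expected"] else None
    # A stored value of exactly 0 with a non-zero expected value points to a field
    # that had not been filled in yet at the capture point, not to damage in transit.
    info["cksum_unfilled"] = info["stored_cksum"] == 0 and bool(info["expected_cksum"])
    return info


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words; call with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl, ident, total_len, proto=6, cksum=0):
    """Minimal 20-byte IPv4 header with DF set; cksum=0 mimics an unfilled field."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                       ttl, proto, cksum, socket.inet_aton(src), socket.inet_aton(dst))


def verify_ipv4_header(header):
    """Return (stored, expected); tcpdump reports 'bad ip cksum stored! -> expected' when they differ."""
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return stored, expected


if __name__ == "__main__":
    print(parse_tcpdump_ip_line(TCPDUMP_LINE))
    # Assumed addresses: client enc0 172.16.44.2 talking to responder enc0 172.16.44.1.
    hdr = build_ipv4_header("172.16.44.2", "172.16.44.1", ttl=64, ident=18753, total_len=72)
    print("unfilled header -> stored %#x, expected %#x" % verify_ipv4_header(hdr))
```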