I have working IKEv2 VPN between both OpenBSD 6.6 server and 6.6 client
which connects to server from behind ISP NAT. My configuration is very
close to FAQ with OpenBSD Client connection behind ISP NAT to a server:
https://www.openbsd.org/faq/faq17.html#clientikev2
When VPN is disconnected, NAT on egress works as should be for client
itself and LAN hosts connected to the client using pf.conf second NAT rule:
...
match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
match out log on egress from 192.168.2.0/24 to any nat-to (egress)
tagged WEB
...
Once VPN is connected, NAT works for client itself only, and no NAT for
client's LAN connected hosts on enc0 using first rule above.
For instance, there is no NAT on enc0 from VMM host 192.168.2.4 from
virtual LAN 192.168.2.0/24. The same is for physical LAN connected hosts
to client machine.
$ telnet 172.217.21.142 80 (from LAN VMM host 192.168.2.4)
tcpdump -en -i pflog0
13.29.33.694116 rule 4/(match) match out on enc0: 10.0.5.2.64401 >
172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss
1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
13.29.33.694116 rule 135/(match) match out on enc0: 10.0.5.2.64401 >
172.217.21.142.80 S 3601041753:3601041753(0) win 64240 <mss
1440,sackOK,timestamp 295653344 0,nop,wscale 7> [tos 0x10]
13.29.34.316393 rule 4/(match) match out on enc0: 10.0.5.2.50426 >
192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss
1380,sackOK,timestamp 709481652 2965653344,nop,wscale 8>
13.29.34.625518 rule 4/(match) match out on enc0: 10.0.5.2.54501 >
192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 <mss
1380,sackOK,timestamp 709481953 2965653344,nop,wscale 8>
Initiator's VMM LAN SA bypassed in /etc/ipsec.conf in all directions
flow from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow from 127.0.0.1/32 to 192.168.2.0/24 type bypass
flow from 192.168.2.0/24 to 127.0.0.1/32 type bypass
responder /etc/iked.conf
ikev2 'responder' passive esp \
from 0.0.0.0/0 to 10.0.5.0/24 \
local 9.8.7.6 peer any \
srcid srv.vpn \
tag "ROADW"
initiator /etc/iked.conf
ikev2 'initiator' active esp \
from 10.0.5.2 (0.0.0.0/0) to 0.0.0.0/0 \ => to have traffic
appears for LAN hosts from 10.0.5.2 as in IPSEC.CONF(5) for NAT
configurations
peer 9.8.7.6 \
srcid clnt.vpn \
dstid srv.vpn
/etc/pf.conf (client)
...
match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
...
pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state
(if-bound) tagged WEB
...
pass in on 192.168.2.1 inet proto tcp from 192.168.2.0/24 to any port
{www, https} flags S/SA modulate state tag WEB
