On Mon, May 31, 2021 at 12:20:29PM +0000, Leclerc, Sebastien wrote:
> > I'm not sure about that bge0 rule. iked.conf(5) mentions ipencap only
> > in the context of enc interfaces.
> > You could try adding 'set skip on enc0' to find out if pf is the problem.
>
> That rule has been the same for some years now, without problem. I tried
> adding set skip on enc0, but the problem persists.
>
> > If that doesn't help you could share the output of 'ipsecctl -sa' to find
> > out if the IPsec SAs or flows are the problem.
>
> That may be the problem, there is nothing between 192.168.1.109 and
> 192.168.9.101:
> (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
> 192.168.9.101 is what the VPN client is trying to communicate with)
>
> # ipsecctl -sa
> FLOWS:
> No flows
>
> SAD:
> esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1
> enc aes-256
> esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1
> enc aes-256
Ok, so this seems to be the cause. From your log snippet I can see that there must have been SAs at some point because it shows an "ikev2_childsa_enable" line. Try running iked with -vv. Maybe the verbose log contains an error message that helps us find out what's wrong.
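The condition diagnosed above (the SAD holds a pair of tunnel SAs for the peer, but the FLOWS section reports "No flows", so no traffic can be matched to them) can be checked mechanically from `ipsecctl -sa` output. The script below is an added example written for this thread, not code from either correspondent or from OpenBSD; it parses the two sections, collects the gateway endpoints of each SA, and looks for a flow whose `peer` field references one of them. The sample outputs are constructed: the first is modelled on the output quoted above, the second is a simplified healthy case with the `srcid`/`dstid` fields omitted, and the exit codes (0 = covered, 1 = SAs without flows, 2 = no SAs) are this script's own convention.

```shell
#!/bin/sh
# Added example: detect "SAs installed but no flows" in ipsecctl -sa output.
# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_OUTPUT='FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256'

# Constructed healthy case: flows whose peer is the SA endpoint 192.168.1.109.
# Real flow lines also carry srcid/dstid; the parser does not depend on them.
SAMPLE_WITH_FLOWS='FLOWS:
flow esp in from 192.168.1.109 to 192.168.9.0/24 peer 192.168.1.109 type require
flow esp out from 192.168.9.0/24 to 192.168.1.109 peer 192.168.1.109 type require

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256'

# Gateway addresses used by the tunnel SAs in the SAD section, one per line.
# Fields: esp(1) tunnel(2) from(3) SRC(4) to(5) DST(6) spi(7) ...
sa_endpoints() {
    printf '%s\n' "$1" | awk '
        /^SAD:/   { in_sad = 1; next }
        /^FLOWS:/ { in_sad = 0; next }
        in_sad && /^esp tunnel from / { print $4; print $6 }
    ' | sort -u
}

# Addresses named after "peer" in flow lines of the FLOWS section.
flow_peers() {
    printf '%s\n' "$1" | awk '
        /^FLOWS:/ { in_flows = 1; next }
        /^SAD:/   { in_flows = 0; next }
        in_flows && /^flow / {
            for (i = 1; i < NF; i++) if ($i == "peer") print $(i + 1)
        }
    ' | sort -u
}

# Exit 0 when some flow references an SA endpoint as its peer,
# 1 when SAs exist but no flow points at any of them (the symptom above),
# 2 when no SAs are installed at all.
check_flows() {
    cf_endpoints=$(sa_endpoints "$1")
    [ -n "$cf_endpoints" ] || return 2
    cf_peers=$(flow_peers "$1")
    for cf_ep in $cf_endpoints; do
        for cf_p in $cf_peers; do
            [ "$cf_ep" = "$cf_p" ] && return 0
        done
    done
    return 1
}

# Report the verdict for a given capture in plain words.
report() {
    rc=0
    check_flows "$1" || rc=$?
    case $rc in
        0) echo "ok: flows reference the SA peers" ;;
        1) echo "problem: SAs present but no flow references them" ;;
        2) echo "no SAs installed" ;;
    esac
}

report "$SAMPLE_OUTPUT"
report "$SAMPLE_WITH_FLOWS"
```

On a live system the same check runs as `report "$(ipsecctl -sa)"`; an exit status of 1 is the state seen in the thread and is the point at which the verbose iked log is the next thing to read.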