I’ve been a long-time user of OpenBSD, but this is the first time I’m trying to
set up a VPN. I’m not sure what I’m doing wrong, or what should be the next step
to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.
I need to end up with a configuration that will support several simultaneous
roaming users connecting from anywhere they happen to be.
Client:
macOS 10.15.7
Using builtin VPN client
Server:
OpenBSD 6.6
em1 = 23.X.X.128/29
em0 = 10.0.0.0/16
enc0 = 10.1.0.0/16
From the client I can connect to 10.0.0.1, but for anything outside that network
traffic slows but does not return:
# --- client: curl -v ipinfo.io/ip ---
* Trying 216.239.36.21:80...
[ never connects ]
# --- server: iked -dv ---
ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129
peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1
auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com
lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0
config netmask 255.255.0.0 config name-server 10.0.0.1
[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local
23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local
23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local
23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local
23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501
to 23.X.X.129:4500 policy 'vpn'
[--- CLIENT DISCONNECT ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local
23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local
23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501
to 23.X.X.129:4500 policy 'vpn'
# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---
tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE
3159801057:3159801057(0) win 65535 (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---
tcpdump: listening on enc0, link-type ENC
[ no output ]
# --- server: iked.conf ---
# TODO: Change from psk authentication to user-based later.
ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn..com \
psk "password" \
config address 10.1.0.0/16 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "IKED"
# --- server: pf.conf ---
doas cat pf.conf.vpn
int_if = "em0"
ext_if = "em1"
ext_net = "23.X.X.128/29"
gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"
set skip on {lo, enc0}
block return    # block stateless traffic
pass            # establish keep-state
pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)
# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1
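As an added check, not part of the original post: this reads the em1 capture above against the nat-to source network from pf.conf ($int_if:network, i.e. em0's 10.0.0.0/16) and lists outbound flows to public destinations whose source is still a private address, along with whether that source falls inside any network the nat-to rule translates. The capture text is copied from the post; everything else is constructed for the example.

```python
import ipaddress
import re

# Outbound SYNs from the em1 capture in the post (mail-wrapped, two lines per record).
EM1_CAPTURE = """\
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE
3159801057:3159801057(0) win 65535 (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S
3159801057:3159801057(0) win 65535 (DF)
"""

# Source networks the pf rule "pass out on $ext_if from $int_if:network ... nat-to"
# actually translates: $int_if is em0, whose network is 10.0.0.0/16.
NAT_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/16")]

# Matches the first line of an OpenBSD tcpdump TCP record: "ts src.sport > dst.dport:".
# Wrapped continuation lines ("3159801057:... win 65535 (DF)") do not match and are skipped.
LINE_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_capture(text):
    """Return (src_ip, sport, dst_ip, dport) tuples from tcpdump output."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((ipaddress.ip_address(m.group(1)), int(m.group(2)),
                          ipaddress.ip_address(m.group(3)), int(m.group(4))))
    return flows


def untranslated_egress(flows, nat_nets):
    """Flows seen on the external interface that still carry a private source address
    toward a public destination. A correctly translated packet would already show the
    external address here, so each hit left the box without NAT. The boolean says
    whether the source is even inside a network the nat-to rule covers."""
    hits = {}
    for src, _sport, dst, dport in flows:
        if src.is_private and not dst.is_private:
            hits[(str(src), str(dst), dport)] = any(src in n for n in nat_nets)
    return sorted((s, d, p, c) for (s, d, p), c in hits.items())


if __name__ == "__main__":
    for src, dst, dport, covered in untranslated_egress(parse_capture(EM1_CAPTURE), NAT_SOURCE_NETS):
        print(f"untranslated: {src} -> {dst}:{dport}  covered by nat-to source: {covered}")
```

For the capture in the post this reports the 10.1.114.47 flow to 216.239.36.21:80 as untranslated and not covered by the nat-to source network.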