Hello Kim,

> Could you post your pf.conf?

My VPN_server's (A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:

(2)
$ pfctl -s rules
pass all flags S/SA

and this:

(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) the VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if the warrior has a public IP or is behind NAT). The rest of the world fails to connect to the VPN_server.

> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?

By !A.B.C.0/23 I mean:
A.B.F.0/24  - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119   - tested both: public IP and behind router/NAT, warrior: Win7_warrior and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to the VPN_server (pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 06d0dd81ba2f129d->0000000000000000 msgid: 00000000 len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid: 00000000 len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 64755be010cd32d2->0000000000000000 msgid: 00000000 len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid: 00000000 len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

> Hello Radek,
>
> On 11/2/18 10:16 PM, Radek wrote:
> > Thank you for your response,
> >
> > Following your suggestion I removed the IP from enc0 and changed iked.conf as
> > below:
> >
> > $ cat /etc/iked.conf
> > dns1 = "8.8.8.8"
> > dns2 = "8.8.4.4"
> > ikev2 "roadWarrior" ipcomp esp \
> >         from 0.0.0.0/0 to 0.0.0.0/0 \
> >         local A.B.C.77 peer any \
> >         srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> >         config address 10.0.1.0/24 \
> >         config netmask 255.255.255.0 \
> >         config name-server $dns1 \
> >         config name-server $dns2 \
> >         config access-server A.B.C.77 \
> >         config protected-subnet 0.0.0.0/0 \
> >         tag "$id"
> >
> > It did not solve my problem. Clients from !A.B.C.0/23 still get Error 809.
>
> I know this set-up to be working, as it is currently running here in
> production.
>
> > I also tried another scenario: puffy_server <-> puffy_warrior
> > The same. My warrior also cannot connect if it is !A.B.C.0/23, and the VPN
> > works fine for clients from A.B.C.0/23.
> > Both machines are 6.3/i386.
>
> Your set-up is still a bit 'unclear'; I would rather say you have a
> firewall/routing problem than an IPSec problem. Error 809 means no data
> received.
>
> Could you post your pf.conf?
> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?
>
> Cheers
> Kim

-- 
radek
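An added example, not part of Radek's or Kim's messages: a small Python script that reads the isakmp summary lines tcpdump prints (the format of the traces above), groups them by initiator SPI and reports how far each IKEv2 handshake got, i.e. whether the gateway answered IKE_SA_INIT, whether the peer ever followed up with IKE_AUTH, and whether the UDP 4500 NAT-T port was used at all. The gateway address 192.0.2.77, the client addresses and the complete second handshake in the embedded sample are constructed for the example; the optional "udpencap:" prefix accepted on port 4500 lines is an assumption about how tcpdump labels NAT-T packets.

```python
"""Triage IKEv2 handshakes from tcpdump isakmp summary lines (added example)."""
import sys
import re

# Matches the isakmp summary lines OpenBSD tcpdump(8) prints for UDP 500.
# The optional "udpencap:" prefix for UDP 4500 (NAT-T) lines is an assumption.
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?:udpencap:\s+)?isakmp\s+v(?P<ver>[\d.]+)\s+exchange\s+(?P<exch>\w+)\s+"
    r"cookie:\s+(?P<ispi>[0-9a-f]+)->(?P<rspi>[0-9a-f]+)\s+"
    r"msgid:\s+(?P<msgid>[0-9a-f]+)\s+len:\s+(?P<len>\d+)"
)

# Constructed sample in the same format as the traces above, using documentation
# addresses: 192.0.2.77 is the gateway, 198.51.100.119 a client that stops after
# IKE_SA_INIT (like the traces above), 203.0.113.9 a client that completes IKE_AUTH
# over UDP 4500.  Non-isakmp lines (tcpdump chatter, TCP) are deliberately included.
SAMPLE_TRACE = """\
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 198.51.100.119.500 > 192.0.2.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 192.0.2.77.500 > 198.51.100.119.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
18:33:01.100000 203.0.113.9.500 > 192.0.2.77.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 0123456789abcdef->0000000000000000 msgid: 00000000 len: 510
18:33:01.300000 192.0.2.77.500 > 203.0.113.9.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 0123456789abcdef->fedcba9876543210 msgid: 00000000 len: 471
18:33:01.500000 203.0.113.9.4500 > 192.0.2.77.4500: udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 0123456789abcdef->fedcba9876543210 msgid: 00000001 len: 1280
18:33:01.700000 192.0.2.77.4500 > 203.0.113.9.4500: udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 0123456789abcdef->fedcba9876543210 msgid: 00000001 len: 304
^C
6 packets received by filter
0 packets dropped by kernel
"""


def parse_isakmp(lines):
    """Return one dict per isakmp summary line; every other line is skipped."""
    pkts = []
    for line in lines:
        m = ISAKMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def triage(lines, gateway):
    """Group packets by initiator SPI and classify how far each handshake got.

    In IKEv2 the initiator's IKE_SA_INIT is answered by the responder, after
    which the initiator must send IKE_AUTH (on UDP 4500 if NAT was detected).
    A trace that shows only the IKE_SA_INIT pair therefore means the peer never
    sent, or the gateway never received, IKE_AUTH.
    """
    sas = {}
    for p in parse_isakmp(lines):
        sa = sas.setdefault(p["ispi"], {"peer": None, "gw_ports": set(),
                                        "from_peer": [], "from_gw": []})
        if p["src"] == gateway:
            sa["from_gw"].append(p["exch"])
            sa["gw_ports"].add(p["sport"])
        else:
            sa["peer"] = p["src"]
            sa["from_peer"].append(p["exch"])
            sa["gw_ports"].add(p["dport"])

    report = {}
    for ispi, sa in sas.items():
        if "IKE_SA_INIT" not in sa["from_peer"]:
            status = "no_sa_init_request_seen"
        elif "IKE_SA_INIT" not in sa["from_gw"]:
            status = "sa_init_unanswered"        # gateway silent: pf/iked never replied
        elif "IKE_AUTH" not in sa["from_peer"]:
            status = "no_ike_auth_from_peer"     # reply sent, peer never continued
        elif "IKE_AUTH" not in sa["from_gw"]:
            status = "ike_auth_unanswered"
        else:
            status = "ike_auth_completed"
        report[ispi] = {
            "peer": sa["peer"],
            "status": status,
            "nat_t_port_seen": 4500 in sa["gw_ports"],
            "exchanges": sorted(set(sa["from_peer"]) | set(sa["from_gw"])),
        }
    return report


if __name__ == "__main__":
    # usage: python3 ike_triage.py <gateway-ip> [tcpdump-output-file]
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.77"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TRACE
    for ispi, r in triage(text.splitlines(), gw).items():
        nat = "udp/4500 seen" if r["nat_t_port_seen"] else "udp/500 only"
        print(f"{ispi}  peer={r['peer']}  {r['status']}  ({nat})")
```

Run it against a saved "tcpdump -i vr0 -n host <peer>" capture with the gateway's own address as the first argument; a peer reported as no_ike_auth_from_peer with udp/500 only is the pattern the three traces above show, and separates "the gateway never answered" (a pf problem on the gateway) from "the gateway answered but the next message never arrived" (something on the path between the two ends).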