Hello misc@,

I am working on setting up a site-to-site IPsec VPN between a few locations, all with OpenBSD 5.6 stable "gateways" at them, using iked. Since I've never done any of this before, I am starting with a basic host-to-host setup using pre-shared keys in my lab. I am running into an issue where the flows are only getting created on one end of the setup. Here are the details:

HOST 1:
  ip address: 172.16.204.139
  iked.conf:
    ikev2 "test" active esp from 172.16.204.139 to 172.16.204.140 psk "test"

HOST 2:
  ip address: 172.16.204.139
  iked.conf:
    ikev2 "test" esp from 172.15.204.140 to 172.16.204.139 psk "test"

I then run /etc/rc.d/iked -f start on host 2, followed by the same command on host 1. After a few seconds I execute the ipsecctl -s all command on each host.

On host 1 the output is:

  FLOWS:
  flow esp out from ::/0 to ::/0 type deny
  SAD:
  No entries

While on host 2 the output is:

  FLOWS:
  flow esp in from 172.16.204.139 to 172.16.204.140 peer 172.16.204.139 srcid FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type use
  flow esp out from 172.16.204.140 to 172.16.204.139 peer 172.16.204.139 srcid FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type require
  flow esp out from ::/0 to ::/0 type deny
  SAD:
  esp tunnel from 172.16.204.139 to 172.16.204.140 spi 0x0982384f auth hmac-sha2-256 enc aes-256
  esp tunnel from 172.16.204.140 to 172.16.204.139 spi 0x78b6bb97 auth hmac-sha2-256 enc aes-256

If I reverse which host is the "active" one, the results flip-flop. That is, the flows are always created on the "passive" side. I expect similar flows should be created on each side, or am I missing something completely here? Can someone please point me in the right direction? Also, I can include a dmesg if needed.

Thanks,

-- 
Joshua Smith
Montani Semper Liberi
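A small check script, added here as an example and not part of the original post or of iked itself, that reads the output of ipsecctl -s all on stdin and reports whether this end of a host-to-host SA is complete: an inbound flow from the peer, an outbound flow to the peer, and an SA in each direction. The two sample outputs embedded in it are copied from the post above so the script runs offline; on a real gateway you would pipe the live ipsecctl output into it on each host and compare the results, which turns the "flows only on the passive side" observation into a repeatable check.

```sh
#!/bin/sh
# Added example (not from the original post): given the output of
# "ipsecctl -s all" on stdin, check that a host-to-host SA is complete on
# this end, i.e. an inbound flow REMOTE->LOCAL, an outbound flow LOCAL->REMOTE
# and an SA in each direction are present. Run it on each gateway and compare.

# check_flows LOCAL REMOTE < ipsecctl-output
# Exit status 0 when both flows are present, 1 otherwise (missing ones are listed).
check_flows() {
    local_ip=$1; remote_ip=$2
    out=$(cat)
    rc=0
    if ! printf '%s\n' "$out" | grep -q "^flow esp in from $remote_ip to $local_ip "; then
        echo "missing inbound flow $remote_ip -> $local_ip"; rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q "^flow esp out from $local_ip to $remote_ip "; then
        echo "missing outbound flow $local_ip -> $remote_ip"; rc=1
    fi
    return $rc
}

# check_sad LOCAL REMOTE < ipsecctl-output
# Exit status 0 when an SA exists in each direction (tunnel or transport mode).
check_sad() {
    local_ip=$1; remote_ip=$2
    out=$(cat)
    rc=0
    if ! printf '%s\n' "$out" | grep -Eq "^esp (tunnel|transport) from $remote_ip to $local_ip "; then
        echo "missing inbound SA $remote_ip -> $local_ip"; rc=1
    fi
    if ! printf '%s\n' "$out" | grep -Eq "^esp (tunnel|transport) from $local_ip to $remote_ip "; then
        echo "missing outbound SA $local_ip -> $remote_ip"; rc=1
    fi
    return $rc
}

# Sample data copied from the post (host 1 = 172.16.204.139, host 2 = 172.16.204.140).
HOST1_OUT='FLOWS:
flow esp out from ::/0 to ::/0 type deny
SAD:
No entries'

HOST2_OUT='FLOWS:
flow esp in from 172.16.204.139 to 172.16.204.140 peer 172.16.204.139 srcid FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type use
flow esp out from 172.16.204.140 to 172.16.204.139 peer 172.16.204.139 srcid FQDN/gwb.localdomain dstid FQDN/gwa.localdomain type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 172.16.204.139 to 172.16.204.140 spi 0x0982384f auth hmac-sha2-256 enc aes-256
esp tunnel from 172.16.204.140 to 172.16.204.139 spi 0x78b6bb97 auth hmac-sha2-256 enc aes-256'

# Stand-alone demo; on a real gateway use:  ipsecctl -s all | check_flows LOCAL REMOTE
echo "host 1:"
printf '%s\n' "$HOST1_OUT" | check_flows 172.16.204.139 172.16.204.140 && echo "flows complete"
printf '%s\n' "$HOST1_OUT" | check_sad   172.16.204.139 172.16.204.140 && echo "SAD complete"
echo "host 2:"
printf '%s\n' "$HOST2_OUT" | check_flows 172.16.204.140 172.16.204.139 && echo "flows complete"
printf '%s\n' "$HOST2_OUT" | check_sad   172.16.204.140 172.16.204.139 && echo "SAD complete"
```

Both functions match on the leading fields of the ipsecctl lines only, so the peer, srcid/dstid and SPI values do not affect the result; the default "flow esp out from ::/0 to ::/0 type deny" entry is deliberately ignored, since it is present on both hosts in the post and says nothing about the negotiated SA.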