> I have read the puffysecurity website

Did you? I struggled with this for a while, too, and found the puffysecurity example, when followed, works.

> For example, the laptop is connected to the internet through a network
> 192.168.100.0/24 (ip 192.168.100.37)
>
> The working configuration is (now using ca, no more psk):
>
> On the gateway:
> distantnet="192.168.100.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
>     from 192.168.0.0/24 to $distantnet \
>     peer any \
>     srcid ets.qualitycenter.fr
>
> I've tried other configurations like this:
>
> On the gateway:
> distantnet="192.168.33.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
>     from 192.168.0.0/24 to $distantnet \
>     peer any \
>     srcid ets.qualitycenter.fr \
>     config address 192.168.33.2 \
>     config name-server 192.168.0.190

Why do you keep configuring a specific network if that is not what you want to do? Did you try 0.0.0.0/0?

> I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions and
> SAD ok (same as in the working configuration but 192.168.100 is replaced by
> 192.168.33, which looks fine to me), but I'm not able to get access to
> any distant computer. The laptop pf is as simple as possible:
> pass in
> match out on enc0 nat-to 192.168.33.2

I don't think you're supposed to NAT on the enc0 interface. That's a special internal interface. If you're going out to the internet you have to NAT on the egress interface. Why are you doing NAT on the laptop at all, actually? If you're trying to get the laptop to talk over the VPN tunnel, that's what iked does, you only need to allow VPN ports and protocols through the laptop firewall.

I can't get to my working config from where I am now, if I remember, I'll send it along this evening.

Tim.
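For readers following the thread, here is a complete road-warrior layout in the shape Tim describes: the gateway flow widened to 0.0.0.0/0, the address handed out with "config address", NAT done by the gateway on its egress interface, and the laptop's pf only admitting IKE, NAT-T and ESP. This is an added example written for this page, not Tim's config, the original poster's config, or the puffysecurity example. It reuses the hostname and addresses from the thread (ets.qualitycenter.fr, 192.168.33.0/24, 192.168.33.2, 192.168.0.190) and assumes the "tag"/"tagged" pairing, "request address any", and the egress rules, none of which appear in the thread; ipcomp is left out for simplicity.

```conf
# --- Gateway: /etc/iked.conf (added example, not from the thread) ---
# Responder for the laptop. The "to" side stays the 192.168.33.0/24 pool the
# laptop is assigned from; the "from" side is widened to 0.0.0.0/0 so one flow
# covers the internal LAN and the internet instead of a single subnet.
# "tag" is an assumption borrowed from iked.conf(5), not from the thread.
ikev2 "qcvpn" passive esp \
        from 0.0.0.0/0 to 192.168.33.0/24 \
        peer any \
        srcid ets.qualitycenter.fr \
        config address 192.168.33.2 \
        config name-server 192.168.0.190 \
        tag "ROADW"

# --- Gateway: /etc/pf.conf (added example) ---
# The gateway, not the laptop, NATs tunnelled traffic out its egress
# interface; enc0 only carries the already-decrypted packets.
# Also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf.
set skip on lo
block return
pass out
pass in on egress inet proto udp from any to (egress) port { 500 4500 }
pass in on egress inet proto esp
pass in on enc0 inet tagged ROADW
match out on egress inet from 192.168.33.0/24 nat-to (egress)

# --- Laptop: /etc/iked.conf (added example) ---
# Initiator. The tunnel address is requested from the gateway, so no static
# 192.168.33.2 and no NAT rule are needed on the laptop.
# "request address any" is an assumption from iked.conf(5), not from the thread.
ikev2 "qcvpn" active esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        peer ets.qualitycenter.fr \
        dstid ets.qualitycenter.fr \
        request address any

# --- Laptop: /etc/pf.conf (added example) ---
# Only IKE (udp/500), NAT-T (udp/4500) and ESP need to pass on egress;
# iked installs the flows itself, so there is no "nat-to" on enc0.
set skip on lo
block return
pass out
pass in on egress inet proto udp from any to (egress) port { 500 4500 }
pass in on egress inet proto esp
pass on enc0
```

Check each file before loading it: "iked -n" parses /etc/iked.conf without starting the daemon, and "pfctl -nf /etc/pf.conf" does the same for pf. Once the tunnel is up, "ipsecctl -sa" should show the SAs and a flow from 0.0.0.0/0 to 192.168.33.2 on the gateway, and "pfctl -ss" on the laptop should show states on egress for udp/500 or udp/4500 and for esp, with the tunnelled traffic itself passing on enc0 untranslated.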