> On 26 Feb 2019, at 5:11 AM, William Ahern <will...@25thandclement.com> wrote:
>
> On Mon, Feb 25, 2019 at 03:44:10PM +0000, Michael Lam wrote:
>> Hi,
>>
>> I have a very straightforward setup use case where I want to use my
>> OpenBSD router as a VPN gateway, which will accept IKEv2 road warrior
>> connections from the Internet and route all traffic through my
>> router.
>>
>> I am using MS-CHAPv2 authentication and a letsencrypt certificate,
>> which I can successfully obtain. All my clients are Apple devices
>> with the latest iOS installed. They are normally connected to the Internet
>> directly without going through this router.
>>
>> Configuration as below:
>>
>> user "a" "123456"
>> user "b" "246810"
>> user "c" "135791"
>>
>> set passive
>>
>> ikev2 "rw" passive esp \
>> from any to 172.20.11.0/24 \
>> local any peer any \
>> srcid my.fqdn.org \
>> eap mschap-v2 \
>> config protected-subnet 172.20.10.0/24 \
>> config address 172.20.11/0/24 \
>> config name-server 172.20.10.1
>>
>> I use "from any" because I want all traffic to be routed to the
>> OpenBSD box. And "to 172.20.11.0/24" is the subnet that I use for
>> VPN allocation. That's why I also have config address 172.20.11.0/24
>> in the configuration.
>>
>> my.fqdn.org is a domain name which I've obtained, pointing to a
>> public IP address.
>>
>> I have this working flawlessly with all the devices individually.
>
> Are you sure things worked flawlessly with "from any"? IIRC the "any"
> keyword doesn't work as expected and one must instead use "0.0.0.0/0"
> explicitly. I may be wrong but I'm fairly confident I lost an entire evening
> relearning that lesson not too long ago.
I've made several changes during my testing. As far as I can recall it works.
I also tried 0.0.0.0/0.
Also, there is a typo in config address, which I made when I copied &
pasted into the email and modified it (so that I won't expose some of my
internal configuration).
The point is that I cannot make it work with more than 1 client connected
simultaneously. Other than that I have a good working configuration, and I
actually used it for a few days until I switched back to IPsec/L2TP now
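As an added example (not from the thread, and not part of iked itself), the following Python preflight check parses an ikev2 block of the shape posted above and flags the pitfalls the thread touches on: a prefix that does not parse (the `172.20.11/0/24` slip), `from any` / `to any` where the reply suggests spelling out `0.0.0.0/0`, and a `config address` pool that falls outside the policy's `to` selector, which the poster explains is meant to be the same subnet. The parser, the function names and the pool-inside-`to` rule are this example's own assumptions covering only the subset of iked.conf(5) grammar seen in the thread; the embedded config text is the thread's, kept as a constructed sample including the typo.

```python
import ipaddress
import re

# Constructed sample: the ikev2 block posted in the thread, including the
# "172.20.11/0/24" slip the poster later says was a copy-and-paste typo.
SAMPLE_CONF = r"""
user "a" "123456"
user "b" "246810"
user "c" "135791"

set passive

ikev2 "rw" passive esp \
from any to 172.20.11.0/24 \
local any peer any \
srcid my.fqdn.org \
eap mschap-v2 \
config protected-subnet 172.20.10.0/24 \
config address 172.20.11/0/24 \
config name-server 172.20.10.1
"""


def join_continuations(text):
    """Join backslash-continued lines so each ikev2 policy is one logical line."""
    return re.sub(r"\\\n", " ", text)


def parse_policy(tokens):
    """Tokens of one 'ikev2 ...' line -> dict of selectors, eap method and config payloads."""
    pol = {"name": tokens[1].strip('"'), "config": {}, "flags": []}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("from", "to", "local", "peer", "srcid", "dstid", "eap"):
            pol[tok] = tokens[i + 1]
            i += 2
        elif tok == "config":
            # e.g. "config address 172.20.11.0/24"; a payload type may repeat
            pol["config"].setdefault(tokens[i + 1], []).append(tokens[i + 2])
            i += 3
        else:
            pol["flags"].append(tok)  # passive, esp, ...
            i += 1
    return pol


def parse_conf(text):
    """Return (users, policies) from iked.conf-style text (hypothetical subset parser)."""
    users, policies = {}, []
    for line in join_continuations(text).splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "user" and len(tokens) == 3:
            users[tokens[1].strip('"')] = tokens[2].strip('"')
        elif tokens[0] == "ikev2":
            policies.append(parse_policy(tokens))
    return users, policies


def prefix_or_none(value):
    """Parse a prefix; 'any' is read as 0.0.0.0/0, anything unparsable yields None."""
    if value == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def lint(users, policies):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for pol in policies:
        name = pol["name"]
        if pol.get("eap") == "mschap-v2" and not users:
            findings.append(f"{name}: eap mschap-v2 but no 'user' entries defined")
        for key in ("from", "to"):
            val = pol.get(key)
            if val == "any":
                # The reply in the thread reports 'any' not behaving as expected.
                findings.append(f"{name}: '{key} any' -- consider writing 0.0.0.0/0 explicitly")
            elif val is not None and prefix_or_none(val) is None:
                findings.append(f"{name}: '{key} {val}' is not a valid prefix")
        for payload in ("address", "protected-subnet"):
            for val in pol["config"].get(payload, []):
                if prefix_or_none(val) is None:
                    findings.append(f"{name}: 'config {payload} {val}' is not a valid prefix")
        # Assumption of this check: the pool handed out via 'config address' must
        # fall inside the policy's 'to' selector, as the poster describes the setup.
        to_net = prefix_or_none(pol.get("to", ""))
        for val in pol["config"].get("address", []):
            pool = prefix_or_none(val)
            if (to_net is not None and pool is not None
                    and pool.version == to_net.version and not pool.subnet_of(to_net)):
                findings.append(f"{name}: 'config address {val}' lies outside 'to {pol['to']}'")
    return findings


def lint_text(text):
    """Convenience wrapper: lint a whole config string."""
    return lint(*parse_conf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run against the posted block it reports the `from any` caution and the unparsable `config address` value; once both are corrected the list is empty, and moving the pool to a subnet outside `to` brings back a single finding. The check is a supplement to `iked -n -f /etc/iked.conf`, which validates the real grammar but will not tell you that a syntactically valid pool is in the wrong subnet.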