On 2020-06-21, Sonic <sonicsm...@gmail.com> wrote:
> On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt <patr...@blueri.se> wrote:
>> If you want to use a specific address for a policy, you can use the
>> "local" keyword to specify it. This is part of the policy, not a global
>> option.
>>
>> Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
>> only match if the IP address matches the one specified as "local".
IIRC "local" isn't enough, some packets are still sent on the bound 0.0.0.0, the kernel chooses the source address (based on the local interface address in the route to the destination) and it can be the wrong address for the other side. It's been a while since I tried and I don't remember which packets were involved.

> My config is basically:
> Remote:
>=======================
> local_gw="a.b.c.164"
> local_net="172.20.28.0/23"
> server_gw="x.y.z.45"
> server_net="172.26.62.0/23"
> state="active"
>
> ikev2 'remote_rsa' $state esp \
>         from $local_net to $server_net \
>         local $local_gw peer $server_gw \
>         dstid server.example.com
>=======================
> Server:
>=======================
> local_gw="x.y.z.45"
> local_net="172.26.62.0/23"
> remote_gw="a.b.c.164"
> remote_net="172.20.28.0/23"
> state="passive"
>
> ikev2 'server_rsa' $state esp \
>         from $local_net to $remote_net \
>         local $local_gw peer $remote_gw \
>         srcid server.example.com
>=======================
>
> Both outside nets are /29's and the .164 and .45 are aliases, with
> .161 and .41 being the main address. However in trouble shooting I
> kept seeing information moving on the main addresses and my pf.conf
> rules were configured for the alias addresses.
>
> Being new to ikev2 setup I may have this all wrong.
>
> Thanks!
>

phessler ran into this as well. He was able to work around it by forcing it to use the correct source address by adding an -ifa route. I'm not sure exactly the order you'll need but try some things along these lines:

route add -host x.y.z.45 $gateway -ifa a.b.c.164

This is one of various reasons why I stick with isakmpd/ikev1 for lan-to-lan tunnels and just use ikev2 for single-host clients.
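The troubleshooting step described in the thread (watching which address the IKE packets actually leave from, before and after the -ifa route) can be turned into a small check. The following is an added example, not code from the thread or from OpenBSD; it parses tcpdump-style lines for UDP 500/4500 and reports any packet to the peer whose source is not the address named by the policy's "local" keyword. The capture below is constructed, with RFC 5737 documentation addresses standing in for a.b.c.164 / x.y.z.45 (192.0.2.161 plays the "main" address, 192.0.2.164 the alias, 203.0.113.45 the peer).

```python
import re
from collections import Counter

# Constructed sample in tcpdump's "src.port > dst.port:" layout. The first
# SA_INIT leaves from the main address (.161) rather than the alias (.164)
# that "local" names, which is exactly the symptom the thread describes.
SAMPLE_CAPTURE = """\
12:00:01.000001 192.0.2.161.500 > 203.0.113.45.500: isakmp v2.0 exchange SA_INIT
12:00:01.050000 203.0.113.45.500 > 192.0.2.161.500: isakmp v2.0 exchange SA_INIT
12:00:01.200000 192.0.2.164.4500 > 203.0.113.45.4500: udpencap: isakmp v2.0 exchange AUTH
12:00:01.300000 203.0.113.45.4500 > 192.0.2.164.4500: udpencap: isakmp v2.0 exchange AUTH
12:00:02.000000 192.0.2.164.22 > 198.51.100.7.51234: tcp unrelated traffic
"""

# timestamp, then "a.b.c.d.port > e.f.g.h.port:"; only IPv4 is handled here.
PKT_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T (udpencap)


def ike_packets(capture):
    """Yield (src, sport, dst, dport) for lines that look like IKE/NAT-T traffic."""
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport in IKE_PORTS and dport in IKE_PORTS:
            yield m["src"], sport, m["dst"], dport


def outbound_sources(capture, peer):
    """Count the source addresses used for IKE packets sent to `peer`."""
    return Counter(src for src, _, dst, _ in ike_packets(capture) if dst == peer)


def wrong_source(capture, peer, expected_local):
    """(src, dport) pairs for packets to `peer` that did not leave from expected_local.

    A non-empty result means the kernel picked a different source address than
    the policy's "local" address, so the other side (and any pf rules written
    for the alias) will see the wrong address.
    """
    return sorted({(src, dport) for src, _, dst, dport in ike_packets(capture)
                   if dst == peer and src != expected_local})


if __name__ == "__main__":
    peer, local = "203.0.113.45", "192.0.2.164"
    print("sources used towards peer:", dict(outbound_sources(SAMPLE_CAPTURE, peer)))
    for src, dport in wrong_source(SAMPLE_CAPTURE, peer, local):
        print(f"packet to {peer}:{dport} left from {src}, not the policy's local {local}")
```

In practice you would feed it the output of tcpdump on the outside interface filtered to udp port 500 or 4500; an empty result from wrong_source after adding the -ifa route is the confirmation that the workaround took effect.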