On Sun, Jun 21, 2020 at 04:33:14PM -0400, Sonic wrote:
> On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt <patr...@blueri.se> wrote:
> > If you want to use a specific address for a policy, you can use the
> > "local" keyword to specify it. This is part of the policy, not a global
> > option.
> >
> > Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
> > only match if the IP address matches the one specified as "local".
>
> My config is basically:
> Remote:
> =======================
> local_gw="a.b.c.164"
> local_net="172.20.28.0/23"
> server_gw="x.y.z.45"
> server_net="172.26.62.0/23"
> state="active"
>
> ikev2 'remote_rsa' $state esp \
>         from $local_net to $server_net \
>         local $local_gw peer $server_gw \
>         dstid server.example.com
> =======================
> Server:
> =======================
> local_gw="x.y.z.45"
> local_net="172.26.62.0/23"
> remote_gw="a.b.c.164"
> remote_net="172.20.28.0/23"
> state="passive"
>
> ikev2 'server_rsa' $state esp \
>         from $local_net to $remote_net \
>         local $local_gw peer $remote_gw \
>         srcid server.example.com
> =======================
>
> Both outside nets are /29's and the .164 and .45 are aliases, with
> .161 and .41 being the main address. However, in troubleshooting I
> kept seeing information moving on the main addresses and my pf.conf
> rules were configured for the alias addresses.
>
> Being new to ikev2 setup I may have this all wrong.
>
> Thanks!
>
I tried to reproduce your bug (on -current) but it seems to work as intended for me. It would certainly help to have a bit more info, such as an iked log and a tcpdump of your failed handshake, as well as the OpenBSD version used.
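The symptom in the thread is IKE traffic leaving from the interface's main address rather than the alias named by the policy's "local" keyword, so pf rules written for the alias never match. Below is an added check, not part of the original thread and not iked's or OpenBSD's own code, that filters a tcpdump capture of the handshake and reports outbound IKE packets whose source address is not the expected "local" address. It assumes the capture was taken with something like `tcpdump -ni em0 udp port 500 or udp port 4500` (run alongside `iked -dv` for the log the reply asks for) and that lines have tcpdump's `src.port > dst.port: isakmp ...` shape; the capture embedded here is constructed, with RFC 5737 addresses 192.0.2.161/.164 and 198.51.100.45 standing in for a.b.c.161/.164 and x.y.z.45. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find IKE packets that left from the wrong local address.
# Not from the original thread; addresses, capture lines and names are
# constructed for illustration.

# Constructed sample capture: the first SA_INIT leaves from the main
# address .161 even though the policy says "local 192.0.2.164"; the AUTH
# packet later leaves from the alias as intended.
SAMPLE_CAPTURE='16:33:14.100001 192.0.2.161.500 > 198.51.100.45.500: isakmp v2.0 exchange SA_INIT
16:33:14.100900 198.51.100.45.500 > 192.0.2.161.500: isakmp v2.0 exchange SA_INIT
16:33:15.200001 192.0.2.164.500 > 198.51.100.45.500: isakmp v2.0 exchange AUTH'

# Print the source address of every outbound isakmp packet to PEER whose
# source is not EXPECTED_LOCAL. Reads a capture on stdin.
# Usage: ike_src_mismatches EXPECTED_LOCAL PEER < capture.txt
ike_src_mismatches() {
    awk -v expected="$1" -v peer="$2" '
        /isakmp/ {
            src = $2; dst = $4
            sub(/\.[0-9]+$/, "", src)    # strip ".500" / ".4500" port suffix
            sub(/\.[0-9]+:$/, "", dst)   # strip port suffix and trailing colon
            if (dst == peer && src != expected) print src
        }'
}

# Number of mismatched outbound packets in the sample capture. Anything
# non-zero means pf rules keyed on the alias will not see that traffic.
count_mismatches() {
    printf '%s\n' "$SAMPLE_CAPTURE" \
        | ike_src_mismatches "$1" "$2" \
        | wc -l | tr -d ' '
}

# Stand-alone run against the constructed capture.
count_mismatches 192.0.2.164 198.51.100.45
```

Feed a real capture with `ike_src_mismatches a.b.c.164 x.y.z.45 < capture.txt`; if it prints the main address, the policy's "local" address and the address the kernel actually sources the UDP socket from disagree, which is exactly the information the reply above is asking for, together with the iked log.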