On Fri, May 28, 2021 at 11:56:54AM +0000, Leclerc, Sebastien wrote:
> >It looks like 'keep state (if-bound)' iked.conf(5) is not present or being
> >respected on the return traffic to the VPN device/firewall from your
> >internal network. ICMP traffic is coming into the VPN device encrypted,
> >being decrypted and passed to the destination. The destination responds
> >back but the VPN device is not taking those responses and pushing them back
> >through enc0.
>
> Thank you for your response Jason.
> Here is the relevant pf.conf configuration, keep state (if-bound) is there,
> so I don't think it's the cause of the problem:
>
> pass inet proto udp from 192.168.1.109 to bge0 port 500
> pass inet proto esp from 192.168.1.109 to bge0
> pass on bge0 proto ipencap keep state (if-bound)
> pass inet from 192.168.9.208 to vlan0:network
>
I'm not sure about that bge0 rule. iked.conf(5) mentions ipencap only in the context of enc interfaces. You could try adding 'set skip on enc0' to find out if pf is the problem. If that doesn't help, you could share the output of 'ipsecctl -sa' to find out if the IPsec SAs or flows are the problem.
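An added illustration, not part of this thread: the quoted rule set with the ipencap rule bound to enc0 (the interface where iked.conf(5) documents it) instead of bge0, and the temporary 'set skip on enc0' line the reply suggests for telling a pf problem apart from an SA/flow problem. Addresses and interface names are the ones quoted above; the placement of the ipencap rule on enc0 is an assumption drawn from the manual page, not a conclusion the thread reached.

```conf
# Added example (not from the thread): pf.conf fragment for an iked(8) gateway.
# Addresses and interface names are those quoted in the thread; the move of the
# ipencap rule to enc0 is an assumption based on iked.conf(5).

# Diagnostic only, options section: uncomment to take pf out of the picture on
# the enc interface. If ICMP replies start flowing, the rule set is at fault;
# if they still do not, look at 'ipsecctl -sa' for missing SAs or flows.
# set skip on enc0

# IKE negotiation and ESP from the peer to the external interface.
# (If the peer is behind NAT, IKE/ESP also arrive as NAT-T on udp/4500.)
pass inet proto udp from 192.168.1.109 to bge0 port 500
pass inet proto esp from 192.168.1.109 to bge0

# Rule as quoted in the thread, bound to the external interface:
# pass on bge0 proto ipencap keep state (if-bound)
#
# Decrypted packets appear on enc0, not bge0, so the state that is supposed to
# match the return traffic is created there. if-bound ties that state to enc0,
# which is what lets replies from the internal network re-enter the tunnel.
pass on enc0 proto ipencap keep state (if-bound)

# Decrypted traffic from the remote host to the local VLAN.
pass inet from 192.168.9.208 to vlan0:network
```

Keep the 'set skip' line only while diagnosing: with it in place pf no longer filters anything on enc0, so remove it again once the misplaced rule has been confirmed or ruled out.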