On 21.03.2022 19:04, rea...@catastrophe.net wrote:
> The flows look correct in the SA table on server-west and traffic
> leaves on enc0, hits vio0 on server-east as ESP traffic, but then is
> dropped. Again, only when I also start a ping on server-east
> (10.254.255.1) to server-west (10.255.255.1) does the original ping
> session see replies.
>
> Out of balance / asymmetric rule set not generating needed state.
>
> server-west PF rule:
> -------------------------
> @73 pass log quick on enc0 all flags S/SA tagged VPN.EAST
>
> server-east PF rule:
> -------------------------
> @58 pass log quick on enc0 all flags S/SA tagged VPN.WEST
enc(4) is an observer interface and not meant to take pf rules besides
"set skip on enc0" :-)
Check back your actual interfaces (vio0..) for ESP traffic allowance.
The '@73' and '@58' already indicate a major difference, so check for
'pass ... proto esp'.
HTH,
--
pb
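To illustrate the point made above (filter IKE and ESP on the real interface, and leave enc(4) to "set skip"), here is an added pf.conf fragment; it is not from the thread or from either host's configuration. It assumes vio0 is the external interface on both hosts, uses a constructed placeholder peer address, and keeps the rule set symmetric so that the same file, with the peer address swapped, works on server-west and server-east:

```pf
# Added example, not from the thread. Assumes vio0 carries the IPsec
# peer traffic; the peer address below is a constructed placeholder.
ext_if = "vio0"
peer   = "198.51.100.2"        # placeholder: put the other host's address here

# enc(4) is for observing (tcpdump -ni enc0) decrypted IPsec traffic;
# do not filter there. Loopback is skipped as usual.
set skip on { lo0 enc0 }

block log all

# IKE (UDP 500) and NAT-T (UDP 4500) on the real interface, both directions.
pass in  quick on $ext_if proto udp from $peer     to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp from ($ext_if) to $peer     port { 500, 4500 }

# ESP itself: this is what arrives on vio0 and what the '@73'/'@58'
# enc0 rules in the thread never match. Keep it in both directions so
# the reply path does not depend on state created by a ping from the
# other side.
pass in  quick on $ext_if proto esp from $peer     to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# The decrypted inner packets are policed by the kernel IPsec flows (SPD);
# anything forwarded onward is then filtered on the internal interface.
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr | grep -i esp` that a `proto esp` rule on vio0 is actually present on both hosts; `pfctl -ss` afterwards should show an ESP state for the peer without any ping from the far side.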