On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
> I have two OpenBSD machines configured to connect their respective
> downstream networks over IPsec. When I try to generate traffic (ping)
> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
> interface (10.254.255.1), traffic is sent out the corresponding
> SA but is never seen on server-east's enc0 interface. Only when I
> simultaneously generate traffic (ping, again) on server-east back to
> server-west do I see the echo replies from server-east on server-west.
>
> The flows look correct in the SA table on server-west and traffic leaves on
> enc0, hits vio0 on server-east as ESP traffic, but then is dropped. Again,
> only when I also start a ping on server-east (10.254.255.1) to server-west
> (10.255.255.1) does the original ping session see replies.
>
> Any help is appreciated. Here are the relevant configs and outputs.
I don't fully understand your setup, but having both 10.255.255.0/24 to
10.254.255.0/24 and 10.254.255.0/24 to 10.255.255.0/24 configured on
both sides does not make sense to me.

Assuming 10.255.255.0/24 is reachable via server-west and
10.254.255.0/24 via server-east, the configs should probably be:

server-west:/etc/iked.conf
-------------------------
ikev2 'server-east.example.com' passive esp \
        from 10.255.255.0/24 to 10.254.255.0/24 \
        from 203.0.113.50/32 to 10.254.255.0/24 \
        local 203.0.113.50 peer server-east.example.com \
        srcid server-west.example.com \
        dstid server-east.example.com \
        psk "12345" \
        tag "VPN.EAST"

server-east:/etc/iked.conf
-------------------------
ikev2 'server-west.example.com' active esp \
        from 10.254.255.0/24 to 10.255.255.0/24 \
        from 100.64.1.92/32 to 10.255.255.0/24 \
        local 100.64.1.92 peer server-west.example.com \
        srcid server-east.example.com \
        dstid server-west.example.com \
        psk "12345" \
        tag "VPN.WEST"
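The point of the reply is that each side's flows must run from the networks behind that side to the networks behind the peer; a side that also carries the reverse flow has a selector whose source it does not own. The following is an added example, not code from the thread or from OpenBSD: a small checker that pulls the "from X to Y" selectors out of two iked.conf texts and flags flows whose source is not behind the declaring side or whose destination is not behind the other side. The sample configs are constructed from the reply's corrected files plus a "both directions on one side" variant matching the setup the reply describes; the lists of networks behind each side are the same assumption the reply makes (10.255.255.0/24 and 203.0.113.50 behind server-west, 10.254.255.0/24 and 100.64.1.92 behind server-east). The parser only handles the simple "from <net> to <net>" form used in these configs, not the full iked.conf grammar.

```python
import ipaddress
import re

# Matches the "from <net> to <net>" selectors in an iked.conf policy line.
# This covers the simple form used in the thread, not the full grammar.
FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


def parse_flows(conf):
    """Return the (source, destination) prefix pairs of every flow in conf, in order."""
    return FLOW_RE.findall(conf)


def _behind(net, side_nets):
    """True if net lies inside one of the networks reachable via this side."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(n) for n in side_nets)


def check_flows(local_conf, peer_conf, local_nets, peer_nets):
    """Flag flows whose source is not behind the side declaring them, or whose
    destination is not behind the other side. Returns a list of problem strings,
    empty when both configs are consistent with the stated network ownership."""
    local_nets = [ipaddress.ip_network(n) for n in local_nets]
    peer_nets = [ipaddress.ip_network(n) for n in peer_nets]
    problems = []
    for side, conf, mine, theirs in (
        ("local", local_conf, local_nets, peer_nets),
        ("peer", peer_conf, peer_nets, local_nets),
    ):
        for src, dst in parse_flows(conf):
            if not _behind(src, mine):
                problems.append(f"{side}: flow from {src} to {dst}: "
                                f"source {src} is not behind the {side} side")
            if not _behind(dst, theirs):
                problems.append(f"{side}: flow from {src} to {dst}: "
                                f"destination {dst} is not behind the other side")
    return problems


# Constructed inputs (assumption taken from the reply): which networks sit behind each side.
WEST_NETS = ["10.255.255.0/24", "203.0.113.50/32"]
EAST_NETS = ["10.254.255.0/24", "100.64.1.92/32"]

# The reply's corrected configs (flow selectors are all the checker looks at).
WEST_OK = r"""
ikev2 'server-east.example.com' passive esp \
        from 10.255.255.0/24 to 10.254.255.0/24 \
        from 203.0.113.50/32 to 10.254.255.0/24 \
        local 203.0.113.50 peer server-east.example.com
"""
EAST_OK = r"""
ikev2 'server-west.example.com' active esp \
        from 10.254.255.0/24 to 10.255.255.0/24 \
        from 100.64.1.92/32 to 10.255.255.0/24 \
        local 100.64.1.92 peer server-west.example.com
"""

# Constructed variant of the original setup the reply objects to: server-west
# declares the flow in both directions, so the second selector's source is
# actually the network behind server-east.
WEST_BAD = r"""
ikev2 'server-east.example.com' passive esp \
        from 10.255.255.0/24 to 10.254.255.0/24 \
        from 10.254.255.0/24 to 10.255.255.0/24 \
        local 203.0.113.50 peer server-east.example.com
"""

if __name__ == "__main__":
    for label, west in (("corrected", WEST_OK), ("both directions", WEST_BAD)):
        print(f"== {label} ==")
        for problem in check_flows(west, EAST_OK, WEST_NETS, EAST_NETS) or ["no problems"]:
            print("  " + problem)
```

Run against the corrected pair the checker reports nothing; run against the "both directions" variant it reports the reversed selector twice, once because its source 10.254.255.0/24 is not behind server-west and once because its destination 10.255.255.0/24 is not behind server-east. The check is purely about the configured selectors; it says nothing about what the SAs on the box look like, so it complements rather than replaces looking at the flows and SAs once iked is running.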