Hello,

I'm trying to build a site-to-site VPN based on "Configuring an IKEv2 Server"
in https://www.openbsd.org/faq/faq17.html

I see in the iked -dv output to the terminal (I replaced some parts with dots)

spi=0x4905............:
established peer ...............:4500[FQDN/.................]
local .............:4500[FQDN/.................]
policy '....._rsa' as responder
(enc aes-128-gcm group curve25519 prf hmac-sha2-256)

and

spi=0x16f.............:
established peer ..............:4500[FQDN/.................]
local ...............:4500[FQDN/.................]
policy '....._rsa' as initiator
(enc aes-128-gcm group curve25519 prf hmac-sha2-256)

I can't ping from one location to the other. From ipsecctl -sa on the
responder side I see the expected FLOWS and SAD lines, but there is nothing from

nc -u -l 500
tcpdump -nei pflog0 rnr 35

Could you please help me with some answers?

1) The FAQ has pf rules for the responder only. Are no rules needed for the initiator?

2) The FAQ describes ipsec.conf changes and enabling it only in "Connecting
to an IKEv1/L2TP VPN". Is nothing needed for "IKEv2 Site-to-site VPNs"?

3) The sites I'm configuring are both using PPPoE. One has a VLAN and I
see the external static IPv4 on PPPoE, but the other site uses 1:1 NAT, so I
see a private IPv4 on PPPoE, but I have to access it over the allocated
external IPv4. I'm not sure which IP goes where. I switched responder
and initiator to have the responder on the site with the VLAN, but I'm still not
sure where in pf.conf and /etc/iked.conf to use the external IP and where the NAT IP.

4) Using enc0 in pf.conf didn't work. I had to switch to pppoe. Is that
correct? No rules for enc0 and vlan?

4) I don't see any output from the nc and tcpdump commands. How can I see
which pf rule stops the ping from the other site?

5) There is a note in the FAQ that native WireGuard support is also
available. As both IPsec and WireGuard are new to me, might wg(4) be an
option?

6) Any good IPsec reading besides the FAQ and man pages?

Thank you,
Jiří