Hello,

Thank you for the quick and helpful replies.

Adding the line "set skip on enc0" to pf.conf enabled traffic between my sites.

I see in https://www.openbsd.org/faq/faq17.html

"Traffic between them should appear after decapsulation on the enc0 interface, and can be filtered as such."

and the next line works with the VPN tag, but there are no "pass in ... tag VPN" lines in pf.conf before this part. Should that be added to the FAQ? I expect that switching from "set skip on enc0" to "pass in ... tag VPN" will be better in my case.

If someone with IPsec experience proposes changes to FAQ17, I also noted the following:

In the "road warrior" part, there is "We'll assume the public IP for the client is 203.0.113.2.", but the example uses "any".

I think that the word "daemon" is better than "server" here:

The ikectl(8) utility is used to control the server,

I want to extend my IKEv2 site-to-site VPN with a road warrior configuration. If the road warrior part included a few lines about how to extend the responder to handle both site-to-site and road warrior, it would be very helpful.

Thank you OpenBSD for IPsec, and thank you for your support in letting me configure it.

BR,
Jiří

--
Jiri Navratil, https://nocloud.cz