Hello Tobias,

Thank you for your reply.

On Thu, Aug 24, 2023 at 12:36:07AM +0200, Tobias Heider wrote:
> On Wed, Aug 23, 2023 at 08:03:34AM +0200, Jiri Navratil wrote:
> > Hello,
> >
> > Thank you for the quick and helpful replies.
> >
> > Adding the line
> >
> > set skip on enc0
> >
> > to pf.conf enabled traffic between my sites.
> >
> > I see in https://www.openbsd.org/faq/faq17.html
> >
> > "Traffic between them should appear after decapsulation on the enc0
> > interface, and can be filtered as such." and the next line works with a
> > VPN tag, but there are no lines "pass in ... tag VPN" in pf.conf before
> > this part. Shall that be added to the FAQ? I expect that switching from
> > "set skip on enc0" to "pass in ... tag VPN" will be better in my case.
> >
> > If someone with IPsec experience proposes changes to FAQ17, then I
> > also noted:
> >
> > In the "road warrior" part, there is "We'll assume the public IP for the
> > client is 203.0.113.2.", but the example uses "any".
>
> I think any is the better choice here. This would allow other clients
> to connect to the same server (if they have a valid key) which is probably
> what most people want.

Right, understood. Then, for consistency, the text above the example should
switch from "We'll assume the public IP for the client is 203.0.113.2." to
something like "any IPv4 address is allowed (if they have a valid key)".

> > I think that the word "daemon" is better than "server" here:
> >
> > The ikectl(8) utility is used to control the server,
>
> Agree
>
> > I want to extend my IKEv2 site-to-site VPN with a road warrior
> > configuration. If the road warrior part included a few lines about
> > how to extend the responder to handle both site-to-site and road warrior,
> > it would be very helpful.
>
> Are you thinking of an example with multiple "ikev2 ..." blocks or a comment
> mentioning that you can have multiple of those in the same config file?
> Because that is technically all you need.

I have some assumptions, so a comment like "you can combine site-to-site and
road warrior by combining ..." would be helpful.

Also, one more comment from me, who still has to do the road warrior part: I
would welcome an approach / best practice / configuration / comment for two
situations:

1) I'm outside my two locations (IPsec connected), in the road warrior position
2) I'm in one of my two locations, with an internal IPv4 address

Thank you,
Jiří

> > Thank you OpenBSD for IPsec and thank you for your support in letting me
> > configure it.
> >
> > BR,
> > Jiří
> >
> > --
> > Jiri Navratil, https://nocloud.cz
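The two points raised in this thread, filtering decapsulated traffic on enc0 by tag instead of `set skip on enc0`, and running a site-to-site block and a road warrior responder from one iked.conf, put together as an added example. This is not text from faq17 and not configuration posted by Tobias or Jiri; the addresses (192.0.2.1, 203.0.113.1, 192.168.1.0/24, 192.168.2.0/24, 10.0.1.0/24), the names site-a.example.com / site-b.example.com, and the tags VPN and ROADW are all assumptions. The policy-ordering comment follows iked.conf(5) (last match wins unless `quick` is given); verify it against your release's man page.

```conf
# /etc/iked.conf on the site A gateway (public address 192.0.2.1, assumed).
# Added example for this thread, not from faq17 or the posters.
# Both blocks authenticate with public keys / certificates as in faq17
# (no "psk", no "eap"), so "peer any" still only admits holders of a key
# we have under /etc/iked/pubkeys/ or a cert signed by our CA.
# iked evaluates ikev2 blocks in order and the last match wins unless
# "quick" is used (iked.conf(5)); the generic road warrior responder is
# therefore listed first and the specific site-to-site block after it.

# 1) Road warrior responder: any client with a valid key may connect,
#    gets an address from the 10.0.1.0/24 pool, full-tunnel flows.
ikev2 "roadwarrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local 192.0.2.1 peer any \
        srcid site-a.example.com \
        config address 10.0.1.0/24 \
        config name-server 192.168.1.1 \
        tag "ROADW"

# 2) Site-to-site tunnel to site B (203.0.113.1), LAN 192.168.1.0/24 <->
#    192.168.2.0/24. Crypto proposals are left at iked's defaults here.
ikev2 "site-a" active esp \
        from 192.168.1.0/24 to 192.168.2.0/24 \
        local 192.0.2.1 peer 203.0.113.1 \
        srcid site-a.example.com dstid site-b.example.com \
        ikelifetime 4h lifetime 1h \
        tag "VPN"

# /etc/pf.conf on the same gateway, relevant lines only (added example).
# Weak setting from the thread: exempts enc0 from filtering entirely, so
# anything that arrives through any SA is passed unfiltered.
#   set skip on enc0

# Corrected: let IKE and ESP reach the daemon, then filter decapsulated
# traffic on enc0 per policy. "tagged" only matches packets of SAs that
# iked created from a block carrying that "tag"; everything else on enc0
# falls through to the block rule.
pass in on egress proto udp from any to (egress) port { isakmp, ipsec-nat-t }
pass in on egress proto esp from any to (egress)

block log on enc0
pass in  on enc0 tagged VPN   keep state (if-bound)
pass in  on enc0 tagged ROADW keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to 192.168.2.0/24 keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to 10.0.1.0/24     keep state (if-bound)
```

Check the files with `iked -n -f /etc/iked.conf` and `pfctl -n -f /etc/pf.conf` before loading them, and after the tunnels are up confirm with `ikectl show sa` that the site-to-site SA was created by the "site-a" policy and a laptop's SA by "roadwarrior"; if the wrong policy is selected, the `from`/`peer`/`dstid` selectors or the block order are the first things to revisit.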