> I even tried using the pf.conf file listed in that
> file (while making changes to suit my configuration)... no dice.
First, I would double check the pf rules. One way is to have pf log packets that get blocked and then run tcpdump on the pflog0 interface:

    # tcpdump -e -i pflog0

When the -e flag is used on pflog0, tcpdump will print the interface on which the packet arrived and the reason for dropping it. If something shows up for enc0, then the pf rules aren't right.

In addition to these rules (taken from the tutorial you referenced):

    # Passing in traffic from the designated subnets.
    pass in quick on enc0 from $NETWORK_A to $NETWORK_B
    pass out quick on enc0 from $NETWORK_B to $NETWORK_A

you might add this to each pf.conf on the gateways:

    pass in on enc0 from $REMOTE_GATEWAY to $LOCAL_GATEWAY keep state (if-bound)

Though this rule doesn't seem necessary, it has made my implementations work. I'd be curious to know if it solves your problem. (According to the enc(4) man page, rules on the enc0 interface should explicitly declare state as interface bound, e.g., 'keep state (if-bound)'.)

Also, for debugging, you might try to simplify your ipsec.conf and just set up one tunnel to protect traffic between the two 192.168 networks. Basically, reduce the ipsec.conf files to this:

obsd-ipsec-left:

    ike passive esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6

obsd-ipsec-right:

    ike esp from 192.168.33.0/24 to 192.168.120.0/24 peer 10.255.255.5
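As an added example (not part of the reply above), a small Python helper that parses the pflog0 output the poster suggests capturing and summarises which pf rule is dropping traffic on enc0; it assumes the output format of `tcpdump -n -e -ttt -i pflog0`, and the sample log lines are constructed, not captured from a real gateway.

```python
import re
import sys
from collections import Counter

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output (made up, not a real capture).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/(match) block in on enc0: 192.168.120.10.51234 > 192.168.33.5.22: S 1:1(0) win 16384
00:00:00.000012 rule 3/(match) block in on enc0: 192.168.120.10.51234 > 192.168.33.5.22: S 1:1(0) win 16384
00:00:00.000045 rule 7/(match) block in on em0: 203.0.113.9.4444 > 10.255.255.5.22: S 0:0(0) win 65535
00:00:00.000003 rule 0/(match) pass in on em0: 10.255.255.6.500 > 10.255.255.5.500: isakmp
"""

PFLOG_RE = re.compile(  # rule N/(reason) ACTION DIR on IFACE: SRC > DST:
    r"rule (?P<rule>\d+)/\([^)]*\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)

def split_addr(tok):
    """Split tcpdump's dotted 'a.b.c.d.port' form into (host, port)."""
    parts = tok.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return tok, None

def parse_pflog_line(line):
    """Parse one pflog0 record; returns a dict, or None for non-pf lines."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_addr(rec["src"])
    rec["dst"], rec["dport"] = split_addr(rec["dst"])
    return rec

def blocked_on(text, iface="enc0"):
    """Count blocked flows on iface as {(rule, dir, src, dst): packets}.
    Any entry for enc0 means pf drops traffic after IPsec has decapsulated it."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["iface"] == iface:
            hits[(rec["rule"], rec["dir"], rec["src"], rec["dst"])] += 1
    return hits

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    for (rule, direction, src, dst), n in blocked_on(text).items():
        print(f"enc0: rule {rule} blocked {n} pkt(s) {direction} {src} -> {dst}")
```

Pipe real tcpdump output into the script to see which rule number from `pfctl -sr -vv` needs adjusting.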