> ipsec.conf server in my place.org:
>
> ike passive esp from myplace.org to 0.0.0.0/0 peer 0.0.0.0/0
>
> Client (anywhere outside):
>
> ike esp from 0.0.0.0/0 to myplace.org peer 192.168.2.2
>

In the above two lines, the peer keyword/values are superfluous since they are identical to the destination specified by the 'to' keyword (if I correctly understand what you are trying to do).

> How to declare 0.0.0.0/0 and/or any; into /etc/isakmpd/pubkeys? and where?

Have the client (your laptop) use a srcid of type UFQDN rather than a default IPv4 address. On the gateway (myplace.org), put the client's public key in /etc/isakmpd/pubkeys/ufqdn/$UFQDN

This config works for me. On the roaming client I specify a srcid of paulx200.com in ipsec.conf. A copy of the public key is stored on the gateway in /etc/isakmpd/pubkeys/ufqdn/p...@x200.com

ipsec.conf on roaming client:

ike dynamic esp tunnel from egress to $gateway srcid p...@x200.com

ipsec.conf on gateway:

ike passive esp tunnel from $gateway to any

pf.conf on roaming client:

pass in on $wifi_if proto esp from $gateway
pass out on $wifi_if proto esp to $gateway
pass out on $wifi_if inet proto udp from $wifi_if to $gateway port { 500, 4500 }
pass in on $wifi_if inet proto udp from $gateway to $wifi_if port { 500, 4500 }
pass in on enc0 from $gateway to $wifi_if keep state (if-bound)
pass out on enc0 from $wifi_if to $gateway keep state (if-bound)

pf.conf on gateway:

pass in on { $ext_if, enc0 } proto esp
pass out on { $ext_if, enc0 } proto esp
pass in on $ext_if inet proto { udp } from any to $ext_if port { 500, 4500 }
pass out on $ext_if inet proto { udp } from $ext_if to any port { 500, 4500 }
pass out on enc0 from $ext_if to any keep state (if-bound)
pass in on enc0 from any to $ext_if keep state (if-bound)
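The point of the reply above is that a roaming client with no fixed address cannot be keyed by IPv4 identity, so the client sends a UFQDN srcid and the gateway looks the key up under pubkeys/ufqdn/. The script below is an added example written for this page, not something from the original post or from OpenBSD: it derives the pubkeys path isakmpd(8) will consult for a given identifier (the ipv4/ipv6/fqdn/ufqdn subdirectory layout is the one documented in isakmpd(8)), installs a copy of a peer's PEM public key there with sane permissions, and pre-flights the result on the gateway before you expect an ike passive rule to accept the peer. The identifier roaming@laptop.example and any key material are constructed placeholders; the elided address in the post is not filled in.

```shell
#!/bin/sh
# Added example (not from the original post): locate, install and pre-flight
# a peer's public key in the isakmpd(8) pubkeys tree on the gateway.
#
# Assumed layout (from isakmpd(8)): $PUBKEYS_ROOT/{ipv4,ipv6,fqdn,ufqdn}/<id>
# The peer's key is whatever it generated as /etc/isakmpd/local.pub; it is
# usually exported from the private key with
#   openssl rsa -in /etc/isakmpd/private/local.key -pubout -out local.pub
# and hand-copied to the gateway over a trusted channel.

PUBKEYS_ROOT="${PUBKEYS_ROOT:-/etc/isakmpd/pubkeys}"

# Classify an identifier the way ipsec.conf srcid/dstid types do:
# user@host -> ufqdn, a colon-separated address -> ipv6,
# a dotted quad -> ipv4, anything else -> fqdn.
id_type() {
    case "$1" in
        *@*) echo ufqdn ;;
        *:*) echo ipv6 ;;
        *)
            if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
                echo ipv4
            else
                echo fqdn
            fi
            ;;
    esac
}

# Where isakmpd will look for this peer's key on the gateway.
pubkey_path() {
    printf '%s/%s/%s\n' "$PUBKEYS_ROOT" "$(id_type "$1")" "$1"
}

# Copy a PEM public key file into place for identifier $1 (owner-writable only).
install_pubkey() {
    dest=$(pubkey_path "$1")
    mkdir -p "$(dirname "$dest")"
    cp "$2" "$dest"
    chmod 0644 "$dest"
}

# Pre-flight: the key must exist, be a PEM public key, and must not be
# writable by group or others (a writable key file lets a local user swap
# in their own key and impersonate the roaming client).
check_pubkey() {
    path=$(pubkey_path "$1")
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$path" \
        || { echo "not a PEM public key: $path" >&2; return 2; }
    [ -z "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ] \
        || { echo "group/world writable: $path" >&2; return 3; }
    echo "ok: $path"
}

# Usage: sh pubkey_check.sh <srcid>   (prints the expected path and checks it)
if [ $# -eq 1 ]; then
    pubkey_path "$1"
    check_pubkey "$1"
fi
```

Run it on the gateway with the exact string the client puts in its srcid; if the path it prints is not where you copied the key, isakmpd will never find it and the ike passive rule will reject the client with no hint beyond a failed authentication. Setting PUBKEYS_ROOT lets you dry-run the same checks against a staging copy of the tree.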