I'm having a strange issue with ipsec configuration I do not understand. I have a single internal network interface (10.10.10.1) and network (10.10.10.0/24).
I boot the following configuration:

    isakmpd_flags="-K"
    ipsec=YES

    ike passive from any to 10.10.10.0/24 peer any \
        aggressive auth hmac-sha1 enc aes-256 group modp3072 \
        quick auth hmac-sha1 enc aes-256 group modp3072 \
        srcid vpn.mydomain.net dstid clients.mydomain.net \
        psk mypass

    ike passive from 10.10.10.0/24 to any \
        aggressive auth hmac-sha1 enc aes-256 group modp3072 \
        quick auth hmac-sha1 enc aes-256 group modp3072 \
        srcid vpn.mydomain.net dstid clients.mydomain.net \
        psk mypass

I connect to the VPN and I can ping the internal interface (10.10.10.1) on the firewall, but I cannot talk to the network behind the firewall (ping host 10.10.10.10).

I change my VPN network to 10.10.1.0/24 by editing ipsec.conf and changing the two lines accordingly:

    ike passive from any to 10.10.1.0/24 peer any
    ike passive from 10.10.1.0/24 to any

Then I issue:

    ipsecctl -f /etc/ipsec.conf

I connect to the VPN and all hosts on the network are "pingable". GREAT, right?... until I reboot the machine with this configuration. Then I can't talk to anything once connected to the VPN.

If I change my VPN network in ipsec.conf back to match the internal network (10.10.10.0/24), boot, connect to the VPN, ping, then change ipsec.conf again to make the VPN network 10.10.1.0/24, everything works fine.

What the hell is going on?

NOTE: On the VPN client side I am using manual configuration and simply changing the IP address between 10.10.10.66 and 10.10.1.66 to correspond with the ipsec.conf changes.