Hello, I am currently setting up an Internet-facing OpenBSD IPsec (IKEv2) gateway (with a public IP, no NAT). The box is running OpenBSD 6.4.

This is supposed to be a roadwarrior setup with multiple Windows 10 clients. Authentication is done via client certificates (= machine certificates issued by my CA; I used ikectl for this). I can connect fine using a single client, however using more than one client breaks the connection for clientA while clientB is able to connect.

I've been testing this with two clients behind the SAME DSL modem, so to the server they both appear to be coming from the same IP. (Since I am using NAT-T the server sees different ports on the remote side and thus correctly installs the flows with different SPIs.)

==> I also used the registry setting to force usage of NAT-T since this seems to be a common bummer (see https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows).

The virtual address range used by the clients is 10.75.0.0/16. I try to hand out static virtual IPs to the clients:

clientA = 10.75.2.25
clientB = 10.75.2.26

In my understanding "dstid" should help me select the right policy, but iked always uses the first policy, although the CN of the presented client certificate doesn't match. So to me it _seems_ the policy is selected by the "local" and "remote" peer settings and the "dstid" has no part in this?
This is my config (I substituted my public IP with "1.2.3.4"):

####################################
set mobike

ikev2 'clientA' quick passive ipcomp esp \
	from 172.22.1.0/24 to 10.75.0.0/16 \
	from 10.21.0.0/16 to 10.75.0.0/16 \
	from 192.168.0.0/16 to 10.75.0.0/16 \
	peer 0.0.0.0/0 local 1.2.3.4 \
	ikesa enc aes-256 group modp2048 \
	childsa enc aes-256-gcm group modp2048 \
	srcid 1.2.3.4 dstid "client1.example.com" \
	ikelifetime 480m lifetime 60m \
	config address 10.75.2.25 \
	config netmask 255.255.255.252 \
	config name-server 10.21.0.1 \
	config name-server 10.21.0.2 \
	config name-server 10.21.0.4 \
	config protected-subnet 0.0.0.0/0 \
	tag "$name-$id"

ikev2 'clientB' quick passive ipcomp esp \
	from 172.22.1.0/24 to 10.75.0.0/16 \
	from 10.21.0.0/16 to 10.75.0.0/16 \
	from 192.168.0.0/16 to 10.75.0.0/16 \
	peer 0.0.0.0/0 local 1.2.3.4 \
	ikesa enc aes-256 group modp2048 \
	childsa enc aes-256-gcm group modp2048 \
	srcid 1.2.3.4 dstid "client2.example.com" \
	ikelifetime 480m lifetime 60m \
	config address 10.75.2.26 \
	config netmask 255.255.255.252 \
	config name-server 10.21.0.1 \
	config name-server 10.21.0.2 \
	config name-server 10.21.0.4 \
	config protected-subnet 0.0.0.0/0 \
	tag "$name-$id"
####################################

Best regards,
Alex
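The post describes two iked.conf policies that share identical flows, peer and local settings and differ only in dstid and the assigned virtual address, with the observation that iked picks the first of them regardless of the client certificate's CN. The following is an added example (not part of Alex's post, and not OpenBSD or iked code): a small Python lint that parses an iked.conf fragment into policies and flags groups of policies whose flows, peer and local settings are identical while their dstid differs. The grouping key is the poster's own hypothesis about what drives selection and is used here purely as a lint heuristic; the parser only understands the keywords that appear in the posted config, and the sample configuration below is constructed from the post with the public IP left as 1.2.3.4.

```python
import shlex
from collections import defaultdict

# Constructed sample modelled on the two policies in the post (public IP 1.2.3.4
# as in the original). Backslash continuations are the usual iked.conf style.
SAMPLE_CONF = r"""
set mobike

ikev2 'clientA' quick passive ipcomp esp \
    from 172.22.1.0/24 to 10.75.0.0/16 \
    from 10.21.0.0/16 to 10.75.0.0/16 \
    from 192.168.0.0/16 to 10.75.0.0/16 \
    peer 0.0.0.0/0 local 1.2.3.4 \
    ikesa enc aes-256 group modp2048 \
    childsa enc aes-256-gcm group modp2048 \
    srcid 1.2.3.4 dstid "client1.example.com" \
    config address 10.75.2.25 \
    config netmask 255.255.255.252 \
    tag "$name-$id"

ikev2 'clientB' quick passive ipcomp esp \
    from 172.22.1.0/24 to 10.75.0.0/16 \
    from 10.21.0.0/16 to 10.75.0.0/16 \
    from 192.168.0.0/16 to 10.75.0.0/16 \
    peer 0.0.0.0/0 local 1.2.3.4 \
    ikesa enc aes-256 group modp2048 \
    childsa enc aes-256-gcm group modp2048 \
    srcid 1.2.3.4 dstid "client2.example.com" \
    config address 10.75.2.26 \
    config netmask 255.255.255.252 \
    tag "$name-$id"
"""

# Keywords that may directly follow "ikev2"; anything else is a policy name.
_KEYWORDS = {"quick", "passive", "active", "ipcomp", "esp", "ah", "from", "to",
             "peer", "local", "srcid", "dstid", "config", "tag", "ikesa",
             "childsa", "ikelifetime", "lifetime", "transport", "tunnel", "default"}


def _logical_lines(text):
    """Join backslash-continued physical lines into single logical lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_iked_conf(text):
    """Extract the fields this lint cares about from each 'ikev2' policy line.

    Only the keywords used in the post's config are recognised (assumption);
    everything else is skipped token by token.
    """
    policies = []
    for line in _logical_lines(text):
        toks = shlex.split(line)  # strips the quotes around names and ids
        if not toks or toks[0] != "ikev2":
            continue
        pol = {"name": None, "flows": [], "peer": None, "local": None,
               "srcid": None, "dstid": None, "address": None}
        i = 1
        if i < len(toks) and toks[i] not in _KEYWORDS:
            pol["name"] = toks[i]
            i += 1
        while i < len(toks):
            t = toks[i]
            if t == "from" and i + 3 < len(toks) and toks[i + 2] == "to":
                pol["flows"].append((toks[i + 1], toks[i + 3]))
                i += 4
            elif t in ("peer", "local", "srcid", "dstid") and i + 1 < len(toks):
                pol[t] = toks[i + 1]
                i += 2
            elif t == "config" and i + 2 < len(toks) and toks[i + 1] == "address":
                pol["address"] = toks[i + 2]
                i += 3
            else:
                i += 1
        policies.append(pol)
    return policies


def find_selector_clashes(policies):
    """Return name tuples of policies that share flows/peer/local but differ in dstid.

    The grouping key mirrors the poster's suspicion that these fields (and not
    dstid) decide which policy a peer lands on; it is a heuristic, not a
    statement about iked internals.
    """
    groups = defaultdict(list)
    for p in policies:
        key = (tuple(sorted(p["flows"])), p["peer"], p["local"])
        groups[key].append(p)
    clashes = []
    for members in groups.values():
        if len(members) > 1 and len({m["dstid"] for m in members}) > 1:
            clashes.append(tuple(m["name"] for m in members))
    return clashes


def policy_for_dstid(policies, dstid):
    """The policy the poster expected to be chosen for a given client identity."""
    return next((p for p in policies if p["dstid"] == dstid), None)


if __name__ == "__main__":
    pols = parse_iked_conf(SAMPLE_CONF)
    for names in find_selector_clashes(pols):
        print("policies differ only in dstid:", ", ".join(names))
```

Running the lint over the sample reports clientA and clientB as one clashing group, which is exactly the configuration shape the post describes; `policy_for_dstid` shows the mapping from certificate identity to the intended policy that the poster hoped dstid would provide.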

