On 2019-11-14, Pulz, Joerg <[email protected]> wrote:
>
> IKEv2 tunnel using OpenIKED between the external IPv6 addresses of both sites.
> IPv4 networks of Site-A should be able to communicate with the IPv4
> network of Site-B and the other way round through the IKEv2 tunnel.
>
>
> The actual state:
>
> The IKEv2 tunnel is established and all flows and SAs are showing up
> correctly in 'ipsecctl -s all'.
> If I run a ping on a host in Site-A to another host in Site-B I can
> see the packets arrive on the internal interface of the
> OpenIKED/OpenBSD machine. The pinging host in Site-A immediately
> receives a "Destination Host Unreachable" from the OpenIKED/OpenBSD
> machine.
OpenBSD uses the classic IPsec style of "flows", which are separate from the routing table. You need a route table entry covering the packet destination (even if the gateway is set to a dummy address); otherwise that packet doesn't make it far enough up the stack for the IPsec flow to "hijack" it. Even something like "route add -inet default 127.0.0.1" may be enough.
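The check-and-fix described in the reply above, as an added example script (not code posted in the thread): for each remote network that appears as the "to" side of an outbound flow in `ipsecctl -sf`, test with `route -n get` whether any route already covers it and, if none does, add a dummy route via 127.0.0.1 so ip_output gets far enough for the flow to grab the packet. It assumes OpenBSD route(8)/ipsecctl(8) semantics, root privileges, and the usual `flow esp out from A to B peer P ... type T` line shape of `ipsecctl -sf`; the network names in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Ensure every remote network behind an
# IPsec flow has *some* covering route, so the packet reaches the point in
# ip_output where the flow takes it. The gateway is a dummy (127.0.0.1 by
# default): the flow, not the route, decides where the packet really goes.
# Assumes OpenBSD route(8) and ipsecctl(8); must run as root.

# Return 0 if the routing table already has an entry covering $1
# (host address or net/prefix); route -n get exits non-zero otherwise.
route_covers() {
    route -n get -inet "$1" >/dev/null 2>&1
}

# Add a dummy route for network $1 (CIDR) via $2 (default 127.0.0.1)
# unless a covering route exists. Prints what it did; 0 on success,
# 1 if the add failed.
ensure_flow_route() {
    net=$1
    gw=${2:-127.0.0.1}
    if route_covers "$net"; then
        echo "route for $net already present"
        return 0
    fi
    if route add -inet "$net" "$gw" >/dev/null 2>&1; then
        echo "added dummy route $net -> $gw"
        return 0
    fi
    echo "failed to add route for $net" >&2
    return 1
}

# List the "to" network of every outbound flow, e.g. from a line like
#   flow esp out from 10.1.0.0/24 to 10.2.0.0/24 peer 2001:db8::2 type require
# (example addresses; the real ones come from iked.conf).
flow_dest_nets() {
    ipsecctl -sf | awk '$1 == "flow" && $3 == "out" {
        for (i = 1; i <= NF; i++) if ($i == "to") print $(i + 1)
    }' | sort -u
}

# Walk all outbound flows and make sure each destination is routable.
# Returns 1 if any route could not be added.
add_routes_for_flows() {
    rc=0
    for n in $(flow_dest_nets); do
        ensure_flow_route "$n" || rc=1
    done
    return $rc
}
```

Run `add_routes_for_flows` once the tunnel is up (after iked has installed its flows). Per-network dummy routes are narrower than the `route add -inet default 127.0.0.1` suggested above: a host that is not covered by a flow still gets an honest "no route" instead of being silently sent to lo0.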

