Adding ipcomp to the policy mentioned earlier blocks IPv6 packets on the
receiving side.
tcpdump shows that the packet is received on the enc0 interface but is not
forwarded to the endpoint.

Adding an IPv4 traffic selector allows sending IPv4 packets over ipcomp, but
not IPv6.

ipcomp is enabled on both sides.

$ sysctl net.inet.ipcomp.enable
net.inet.ipcomp.enable=1


Mon, 20 Jul 2020 at 12:03, Антон Касимов <kasimov...@gmail.com>:

> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
> ikev2 "epsilon" active \
>         proto tcp \
>         from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
>         from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
>         from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
>         peer d.d.d
>
> Produces wrong flows (specifying only destination port from first
> selector):
>
> flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port
> 8000  peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port
> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port
> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>
> --
> Антон Касимов / Anton Kasimov
>


-- 
Антон Касимов / Anton Kasimov
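The flows quoted above can be checked mechanically against the traffic selectors in iked.conf. The following script is an added example and is not part of this mail thread or of iked; it parses flow lines in the format quoted above (as printed by ipsecctl) and reports which flows a policy should have produced but did not, and which installed flows match no selector. The service-name map, the policy tuples and the sample flow lines are constructed for the example; the sample addresses are normalised to the aaaa/bbbb/cccc placeholders used in the quoted policy.

```python
"""Compare iked-installed flows with the traffic selectors of a policy.

Added example, not code from the mail thread or from iked. A selector
'from S port sp to D port dp' should produce an outbound flow S:sp -> D:dp
and an inbound flow D:dp -> S:sp, with each port staying attached to the
host it was written next to in iked.conf.
"""
import ipaddress
import re

# Constructed service map so the example does not depend on /etc/services.
SERVICES = {"postgresql": 5432, "http": 80, "https": 443}

# Flow line format as quoted in the mail: direction, proto, endpoints with
# optional ports, then 'peer ...' which we do not need.
FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) proto (?P<proto>\S+) "
    r"from (?P<src>\S+)(?: port (?P<sport>\S+))? "
    r"to (?P<dst>\S+)(?: port (?P<dport>\S+))? peer"
)


def port(p):
    """Normalise a port spec: None stays None, names map via SERVICES."""
    if p is None or isinstance(p, int):
        return p
    return int(p) if p.isdigit() else SERVICES[p]


def net(a):
    """Hosts and prefixes are compared as networks (host -> /128 or /32)."""
    return ipaddress.ip_network(a, strict=False)


def expected_flows(selectors):
    """Flows a correct implementation should install for the selectors."""
    flows = set()
    for proto, src, sport, dst, dport in selectors:
        s, d = net(src), net(dst)
        flows.add(("out", proto, s, port(sport), d, port(dport)))
        flows.add(("in", proto, d, port(dport), s, port(sport)))
    return flows


def parse_flow(line):
    """Parse one 'flow esp ...' line into the same tuple shape as above."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"not a flow line: {line!r}")
    return (m["dir"], m["proto"], net(m["src"]), port(m["sport"]),
            net(m["dst"]), port(m["dport"]))


def check_flows(selectors, flow_lines):
    """Return (missing, unexpected): expected flows that were not installed,
    and installed flows that match no selector."""
    want = expected_flows(selectors)
    have = {parse_flow(l) for l in flow_lines if l.strip()}
    return sorted(want - have, key=str), sorted(have - want, key=str)


# Policy from the quoted mail: port 8000 on the destination of selector 1,
# port postgresql on the source of selectors 2 and 3.
POLICY = [
    ("tcp", "aaaa:aaaa:aaaa::30", None, "bbbb:bbbb:bbbb:10::2", 8000),
    ("tcp", "aaaa:aaaa:aaaa::30", "postgresql", "cccc:cccc:cccc::/48", None),
    ("tcp", "aaaa:aaaa:aaaa::30", "postgresql", "bbbb:bbbb:bbbb::/48", None),
]

# Constructed sample: the six flows from the mail, addresses normalised to
# the placeholders above. Every flow carries port 8000 on the remote side.
OBSERVED = """\
flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb:10::2 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
""".splitlines()


if __name__ == "__main__":
    missing, unexpected = check_flows(POLICY, OBSERVED)
    for f in missing:
        print("missing   :", f)
    for f in unexpected:
        print("unexpected:", f)
```

Run against the sample, only the two flows for selector 1 (port 8000 on bbbb:bbbb:bbbb:10::2) are accepted; the four flows for selectors 2 and 3 are reported as unexpected, and the four flows carrying port 5432 on the local side are reported as missing. To check a live system, replace OBSERVED with the output of `ipsecctl -sf`.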
