Sorry, I didn't reply to the mailing list. What's the public IP address? I'm behind a NAT, and if I specify a truly public address in local, I get an error:

spi=0x1bd0e7050de6b0f4: send IKE_SA_INIT req 0 peer XXXX:500 local YYYY:500, 518 bytes
ikev2_msg_send: sendtofrom: Can't assign requested address

But if I use the address that I have on the trunk0 interface (it combines iwx0 and em0, as described in the FAQ), and which has a default route, then I see the same errors.

send IKE_AUTH req 1 peer XXXX:4500 local 10.222.222.222:4500, 631 bytes, NAT-T
recv IKE_AUTH res 1 peer XXXX:4500 local 10.222.222.222:4500, 759 bytes, policy 'rw'
ikev2_ike_auth_recv: obtained lease: 172.24.24.171
ikev2_ike_auth_recv: obtained DNS: 172.24.24.1
writev failed: type 3 len 288: Invalid argument

I also tried using sec0 instead of lo1.
I have OpenBSD 7.8 stable and OpenIKED 7.4.

On 10/04/2026, Tobias Heider wrote:
> On Fri, Apr 10, 2026 at 12:35:25AM +0300, Alex Mihajlov wrote:
> > On 09/04/2026, Tobias Heider wrote:
> > >
> > > Yes, different IDs is what I would try.
> >
> > Yes, thank you very much, almost everything worked out,
> > just one question remains. I can authenticate,
> > the server gives me an IP address,
> > and on the client, I use a configuration similar
> > to the one described in the FAQ:
> >
> > ikev2 'rw' active esp \
> >         from dynamic to any \
> >         peer myserver \
> >         srcid myclient \
> >         dstid myserver \
> >         request address any \
> >         iface lo1
> >
> > I have created an interface lo1:
> > $ ifconfig lo1
> > lo1: flags=2008009<UP,LOOPBACK,MULTICAST,LRO> mtu 32768
> >         index 8 priority 0 llprio 3
> >         groups: lo
> >
> > In the log I see the following:
> > end IKE_AUTH req 1 peer X.X.X.X:4500 local Z.Z.Z.Z:4500, 631 bytes, NAT-T
> > ecv IKE_AUTH res 1 peer X.X.X.X:4500 local Z.Z.Z.Z:4500, 759 bytes, policy 'rw'
> > ikev2_ike_auth_recv: obtained lease: 172.24.24.221
> > ikev2_ike_auth_recv: obtained DNS: 172.24.24.1
> > pfkey_write: writev failed: type 3 len 288: Invalid argument
> >
> > The address does not appear on the lo1 interface, and after some time the
> > following appears in the log:
> > sa_free: SA_INIT timeout
> > req: 2149607705: Can't assign requested address
> > parent 1 got invalid imsg 33 peerid -1 from ikev2 1
> > ikev2 exiting, pid 79505
> >
> > What am I doing wrong?
> >
>
> Just a wild guess but I feel like I have seen this before, try adding
> a "local" option with your public IP address.

--
Best regards,
Alexander Mihajlov.

