On 2018-01-29, Stuart Henderson <stu@spacehopper.org> wrote:
> On 2018-01-28, Daniel Ramos <daniel@ramos.id.au> wrote:
>> I'm trying to tunnel all internet traffic from my internal network
>> (192.168.2.0/24) through another internet-facing machine (10.1.1.0/24)
>> using IKEv2. After trying what seems to be every possibility of pf.conf
>> and iked.conf combinations, I just can't seem to get it right. My
>> closest attempt is to NAT all traffic from 192.168.2.0/24 to appear as
>> virtual IP 10.1.1.2 on the other side, which is then NAT'd out to the
>> internet as usual. The problem with this config is that ALL traffic,
>> including local traffic to 192.168.2.0/24, is tunneled. This is not
>> desired because I can no longer access my local gateway (192.168.2.1),
>> or any locally hosted services.
>
> What you need is a "bypass flow"; I don't think it can be done from
> iked.conf but you can try this in ipsec.conf (adapt addresses as needed):
>
> flow from 192.168.46.48/28 to 192.168.46.48/28 type bypass
>
> ipsecctl -f /etc/ipsec.conf to load it at runtime, ipsec=YES in
> rc.conf.local to load at boot.
>
> Please follow up to confirm whether it works for the archive, I've only
> done this combined with IKEv1 but I don't see a reason why it wouldn't work.

PS: might be worth dropping a comment in iked.conf as a reminder that
ipsec.conf is also involved in the config.
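As an added example (not part of the thread or anyone's posted config), the bypass flow adapted to the original poster's 192.168.2.0/24 subnet, with a small shell check of `ipsecctl -sf` output so the "does it work" follow-up can be verified. The sample flow listing is constructed and its format is assumed from the ipsecctl(8) output style, not captured from a real host; the `apply` mode only runs when invoked explicitly as root.

```shell
#!/bin/sh
# Added example: build the ipsec.conf bypass-flow line for a LAN subnet and
# check an `ipsecctl -sf` listing for it. Subnet is the original poster's.

LOCAL_NET=${LOCAL_NET:-192.168.2.0/24}

# Print the ipsec.conf entry that keeps LAN-to-LAN traffic out of the tunnel
# (syntax per ipsec.conf(5): flow from <src> to <dst> type bypass).
bypass_flow_line() {
    printf 'flow from %s to %s type bypass\n' "$1" "$1"
}

# Return 0 if the flow listing ($1, text of `ipsecctl -sf`) contains a
# bypass flow from the subnet ($2) to itself, 1 otherwise.
has_bypass_flow() {
    printf '%s\n' "$1" | grep -q "from $2 to $2 .*type bypass"
}

# Constructed sample of a flow listing after the rule is loaded (assumed
# format; the last line stands in for the tunnel's own catch-all flow).
SAMPLE_FLOWS='flow esp in from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow esp out from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow esp out from 192.168.2.0/24 to 0.0.0.0/0 peer 203.0.113.1 type require'

# Load /etc/ipsec.conf (which must already contain the bypass line) and
# confirm the kernel now has the flow. Not run unless invoked as: sh x.sh apply
if [ "${1:-}" = apply ]; then
    ipsecctl -f /etc/ipsec.conf
    if has_bypass_flow "$(ipsecctl -sf)" "$LOCAL_NET"; then
        echo "bypass flow for $LOCAL_NET loaded"
    else
        echo "bypass flow for $LOCAL_NET missing" >&2
        exit 1
    fi
fi
```

Remember `ipsec=YES` in rc.conf.local so the flow is also loaded at boot, as the reply above says.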