On OpenBSD 6.9 I tried to install an IPSec (IPv4, IKEv2, ESP, tunnel) network-to-network gateway to communicate with a Palo Alto gateway (which I do not control).
The output of `ikectl show sa` leads me to believe that the SA has been set up.
When I try to ping a host behind the tunnel, I get `ping: sendmsg: Message too long`.
The enc0 device shows an mtu of 0.
Trying to set the mtu to a different value with `ifconfig enc0 mtu 1300` gives me `ifconfig: SIOCSIFMTU: Inappropriate ioctl for device`. So I take it that setting the mtu for enc is not supported.
If I cannot even ping through enc, how would I get any real payload through there?
enc0 has been set up with a separate IP address from a private range in hostname.enc0. This file also adds a route to the target private net with enc0 as gateway.
Additional questions:
- There is only one NIC in the machine. Is this a problem?
- Is routing the traffic for the target network through the enc-adapter the correct approach?
Guess I lack some understanding here, or a lot. Reading the excellent OpenBSD man pages doesn't help me here. Does anyone have an idea what I am missing? If I should simply RTFM, please point me to which manual that might be. I'd gladly have one at hand for this.
This question seems related to "Can't ping remote host through nat on ipsec enc0 (mtu=0)", which remained unanswered.
Thanks
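For comparison with the setup described in the question, here is an added example of a minimal iked(8) site-to-site configuration on OpenBSD; it is not the poster's configuration and not taken from any vendor documentation. It assumes RFC 5737 documentation addresses (203.0.113.10 for the OpenBSD gateway, 198.51.100.20 for the Palo Alto peer), the private networks 10.10.1.0/24 (local) and 10.20.2.0/24 (remote), and the identities gw.example.net / pa.example.net; every one of these is a placeholder. The point it illustrates: enc(4) is a pseudo-interface that lets pf(4) see IPsec traffic, not a routed tunnel interface, so it carries no address and no route. The flows that iked installs from the `from ... to ...` policy are what steer matching packets into ESP, which is why a route with enc0 as gateway (and an mtu of 0) is not needed.

```conf
# /etc/hostname.enc0  (hypothetical example, not the poster's file)
# enc(4) only needs to be up so pf can filter IPsec traffic; no address, no route.
up

# /etc/iked.conf  (hypothetical example; all addresses, identities and the PSK are placeholders)
# 203.0.113.10  = this gateway's public address
# 198.51.100.20 = the Palo Alto peer
# 10.10.1.0/24  = local LAN behind this gateway
# 10.20.2.0/24  = network behind the peer
# The IKE and child SA proposals must match what the peer is configured to offer.
ikev2 "to-paloalto" active esp \
    from 10.10.1.0/24 to 10.20.2.0/24 \
    local 203.0.113.10 peer 198.51.100.20 \
    ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group modp2048 \
    childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
    srcid gw.example.net dstid pa.example.net \
    psk "replace-with-a-long-random-psk"
```

After `sh /etc/netstart enc0` and `rcctl restart iked`, `ikectl show sa` shows the IKE SA and `ipsecctl -sa` shows both the flows and the child SAs; the flows are the part to check when the SA is up but traffic does not pass. Two caveats that fit the symptoms in the question: a ping sent from the gateway's own public address does not match the `from 10.10.1.0/24` flow and will not enter the tunnel, so test from a host on the local LAN or with `ping -I <address inside 10.10.1.0/24>` if the gateway holds one; and a single NIC is not a problem in itself, since the tunnel is established between the two public addresses and the selectors are just policy.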