#6
27th October 2010
jggimi
I started to draw a picture of your complex environment, before asking my next questions. But then I noted that you have a 4.6 box in this mix. 4.6 and 4.7 are using partially incompatible versions of IPSec. From the 4.7 Upgrade Guide:
Quote:
IPsec HMAC-SHA2 incompatibility:
Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility with the HMAC-SHA-256/384/512 hash algorithms with previous versions of OpenBSD and other IPsec implementations sharing the bugs. In particular the default authentication algorithm HMAC-SHA-256 is affected. Upgrade both sides together, or switch to another authentication algorithm during the transition.
This could be part of your problem (if not all of it).

What you have shown here, if I understand what you've posted, is a 3-way VPN, attempting to tie three networks together.

Have you tried interconnecting just the gateways as IPSec peers, without the RFC1918 subnets? Establishing SAs and Flows between just the OpenBSD routers? If not, do that first. That will at least prove the peers can establish interconnects. Start small, then make incremental additions until you've reached your desired configuration.

Your ipsec.conf files all show a 10.3/16 subnet, but it doesn't appear to exist. Did you miss a configuration file, or are you planning some sort of BiNAT?

Last edited by jggimi; 18th September 2012 at 12:01 AM.
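An added example, not jggimi's post or the original poster's configuration, of what the "gateways only" first step above looks like in ipsec.conf, with the authentication algorithm switched away from HMAC-SHA-256 for the 4.6/4.7 transition the Upgrade Guide describes. All addresses and the pre-shared key are constructed placeholders.

```conf
# /etc/ipsec.conf on the OpenBSD 4.6 router (added example, constructed values).
# Step one of the incremental approach: a single IKE rule that protects only
# traffic between the two OpenBSD gateways themselves, with no RFC1918
# subnets behind them yet.  Once "ipsecctl -s all" shows a flow and a pair
# of SAs for this rule, add the subnet rules one at a time.
local_gw  = "192.0.2.1"        # this router's public address (constructed)
remote_gw = "198.51.100.1"     # the 4.7 router's public address (constructed)

# "quick auth hmac-sha1" avoids the HMAC-SHA2 incompatibility between 4.6
# and 4.7 quoted above; remove it (returning to the default HMAC-SHA-256)
# once both gateways run the same release.  The psk must be identical on
# both sides and is a placeholder here.
ike esp from $local_gw to $remote_gw peer $remote_gw quick auth hmac-sha1 psk "REPLACE-WITH-A-REAL-PRE-SHARED-KEY"
```

The 4.7 router carries the mirror of this rule with `local_gw` and `remote_gw` swapped. `ipsecctl -n -f /etc/ipsec.conf` checks the file's syntax without loading it, `ipsecctl -f /etc/ipsec.conf` loads it, and `ipsecctl -s all` lists the resulting flows and SAs, which is the evidence that the peers can interconnect before any of the private networks are added.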