
IPsec problems

OK, I am trying to do a simple enough IPsec setup: I want to join two private-address networks over the Internet. Both networks are protected by a NAT firewall. My side is an OpenBSD box; the other side is a Cisco PIX (or something, not clear on the details).

After much reading we were able to get everything configured correctly, or so we thought. My problem is a very simple one: the packets destined for the foreign LAN are getting sent out into the Internet at large and eventually discarded, instead of being sent along the IPsec tunnel. Obviously I need to set up some sort of route, but nothing says what or how (or, for that matter, why isakmpd doesn't do it for me - all the docs seem to suggest that it should).

I guess I ought to describe exactly what I've done. Obviously I've forgotten some step, and I'm sure it's simple.

1. Create isakmpd policy and conf file from templates, modified for my numbers.
2. Add firewall rules allowing the needed traffic (udp port 500, protocol esp, enc0 interface).
3. Run isakmpd.

Pings are definitely arriving at the machine. I confirmed this with tcpdump. Pings are definitely not leaving via IPsec. Confirmed this one with tcpdump too.

Any help would be greatly appreciated. Thanks!
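The step 1 in the post ("isakmpd policy and conf file from templates") is where the selectors for the tunnel are defined: on OpenBSD, isakmpd installs a flow (SPD entry) for each Phase 2 connection from the Local-ID/Remote-ID subnet sections of isakmpd.conf once the SA comes up, and only traffic matching such a flow is steered into the tunnel. What follows is an added example of that part of an isakmpd.conf, not a file from the original post; the addresses (198.51.100.2 / 203.0.113.2 as the two public endpoints, 192.168.1.0/24 and 10.0.0.0/24 as the two private LANs), the section names and the pre-shared key are all assumptions made for illustration.

```ini
# Added example: isakmpd.conf for a net-to-net tunnel between two NAT'd LANs.
# Assumed addresses/names; adjust to the real endpoints and subnets.

[Phase 1]
# Peer's public (outside) address, mapped to its Phase 1 section below.
203.0.113.2=            peer-pix

[Phase 2]
# One quick-mode connection per pair of subnets that should be tunnelled.
Connections=            lan-to-lan

[peer-pix]
Phase=                  1
Transport=              udp
# Our own public address on the external interface.
Local-address=          198.51.100.2
Address=                203.0.113.2
Configuration=          Default-main-mode
# Assumed pre-shared key; must match isakmpd.policy and the PIX side.
Authentication=         example-psk-change-me

[lan-to-lan]
Phase=                  2
ISAKMP-peer=            peer-pix
Configuration=          Default-quick-mode
# These two IDs become the flow: src 192.168.1.0/24 -> dst 10.0.0.0/24
# is sent through ESP; anything else keeps using the normal routing table.
Local-ID=               net-local
Remote-ID=              net-remote

[net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

The check a practitioner would make once isakmpd is running is `netstat -rn -f encap`, which prints the encapsulation (flow) table: if the 192.168.1.0/24 to 10.0.0.0/24 flow is absent there, the Phase 2 IDs did not match what the other end proposed (or the SA never came up), and packets for the far LAN fall through to the default route exactly as the post describes. The Phase 2 IDs must agree with the PIX's crypto map access list on both sides, and the pre-shared key and peer address also have to appear in isakmpd.policy for the negotiation to be accepted.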