
Re: IPsec / vpn configuration issues

On 04/05/06, Nathan Johnson <boingolover_(_at_)_gmail_(_dot_)_com> wrote:
> I have two OpenBSD nat / router machines and I am trying to
> successfully get a vpn going between the two.  OpenBSD box A is
> OpenBSD 3.9, with internal network and external
> address (or something like that).  OpenBSD box B is OpenBSD
> 3.8, with internal network and external address
> .  So far I have followed the instructions in man vpn(8), and
> have partially succeeded in configuring a vpn between the two using
> manual keys / ipsecctl / ipsec.conf method.  My ipsec.conf from
> gateway A is:
> flow esp from to peer
> esp from to spi 0x80081355:0x13558008 auth
> hmac-sha2-512 enc 3des-cbc authkey file
> "/etc/ipsec/auth_key.puffy:/etc/ipsec/auth_key.uptowns" enckey file
> "/etc/ipsec/enc_key.puffy:/etc/ipsec/enc_key.uptowns"
> and my ipsec.conf from gateway B is:
> flow esp from to peer
> esp from to spi 0x13558008:0x80081355 auth
> hmac-sha2-512 enc 3des-cbc authkey file
> "/etc/ipsec/auth_key.uptowns:/etc/ipsec/auth_key.puffy" enckey file
> "/etc/ipsec/enc_key.uptowns:/etc/ipsec/enc_key.puffy"
> my pf.conf on both boxes is configured in a manner similar to the
> described scenario in the vpn man page.
> when I issue the following from gateway A:
> ping -I
> pings are successful, and when I do a tcpdump on the esp interface it
> does indeed appear to be traversing the esp interface.
> The problem is when I try to ping any machine from network A to
> (gateway B's internal network) besides the gateway
> itself (, ping doesn't work.  Same is true for pinging
> from network B to , excepting gateway A itself, and
> only then from the gateway B machine.  So basically, ipsec / vpn
> appears to be working, but for some reason traffic from other hosts
> behind these gateways isn't being forwarded.  Where should I begin to
> look for the problems?  I have pf set to log anything blocked, and
> looking at pflog doesn't show any relevant traffic being blocked.  NAT
> is being used on both of these gateways, and all boxes inside each
> respective gateway are able to reach the internet without problems.
> Thanks in advance
> Nathan Johnson
Did you enable ip forwarding, Nate?


Tony Sarendal - tony_(_at_)_polarcap_(_dot_)_org
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-
