
Re: IPsec / vpn configuration issues



On 04/05/06, Nathan Johnson <boingolover_(_at_)_gmail_(_dot_)_com> wrote:
>
> I have two OpenBSD nat / router machines and I am trying to
> successfully get a vpn going between the two.  OpenBSD box A is
> OpenBSD 3.9 , with internal network 192.168.0.0/24 and external
> address 1.2.3.4 (or something like that).  OpenBSD box B is OpenBSD
> 3.8, with internal network 192.168.51.0/24 and external address
> 4.3.2.1 .  So far I have followed the instructions in man vpn(8) , and
> have partially succeeded in configuring a vpn between the two using
> manual keys / ipsecctl / ipsec.conf method.  My ipsec.conf from
> gateway A is:
>
> flow esp from 192.168.0.0/24 to 192.168.51.0/24 peer 4.3.2.1
> esp from 1.2.3.4 to 4.3.2.1 spi 0x80081355:0x13558008 auth hmac-sha2-512 enc 3des-cbc authkey file "/etc/ipsec/auth_key.puffy:/etc/ipsec/auth_key.uptowns" enckey file "/etc/ipsec/enc_key.puffy:/etc/ipsec/enc_key.uptowns"
>
>
> and my ipsec.conf from gateway B is:
>
> flow esp from 192.168.51.0/24 to 192.168.0.0/24 peer 1.2.3.4
> esp from 4.3.2.1 to 1.2.3.4 spi 0x13558008:0x80081355 auth hmac-sha2-512 enc 3des-cbc authkey file "/etc/ipsec/auth_key.uptowns:/etc/ipsec/auth_key.puffy" enckey file "/etc/ipsec/enc_key.uptowns:/etc/ipsec/enc_key.puffy"
>
> my pf.conf on both boxes is configured in a manner similar to the
> described scenario in the vpn man page.
>
> when I issue the following from gateway A:
>
> ping -I 192.168.0.1 192.168.51.1
>
> pings are successful, and when I do a tcpdump on the esp interface it
> does indeed appear to be traversing the esp interface.
>
> The problem is when I try to ping any machine from network A to
> 192.168.51.0/24 (gateway B's internal network) besides the gateway
> itself (192.168.51.1), ping doesn't work.  Same is true for pinging
> from network B to 192.168.0.0/24 , excepting gateway A itself, and
> only then from the gateway B machine.  So basically, ipsec / vpn
> appears to be working, but for some reason traffic from other hosts
> behind these gateways isn't being forwarded.  Where should I begin to
> look for the problems?  I have pf set to log anything blocked , and
> looking at pflog doesn't show any relevant traffic being blocked.  NAT
> is being used on both of these gateways, and all boxes inside each
> respective gateway are able to reach the internet without problems.
>
> Thanks in advance
> Nathan Johnson
>
>
Did you enable ip forwarding, Nate?

/Tony

--
Tony Sarendal - tony_(_at_)_polarcap_(_dot_)_org
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-
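The symptom in the thread (gateway-to-gateway ping works, hosts behind either gateway cannot reach the other side) is what a gateway that is not routing looks like, and on OpenBSD that switch is `sysctl net.inet.ip.forwarding=1`. Before touching keys or SPIs it is also worth confirming that the two manual-keying ipsec.conf files are exact mirrors of each other, since a swapped SPI pair or key-file order on one side silently produces the same "only some things work" picture. The script below is an added example, not code from the thread or from OpenBSD: it parses the two configurations quoted above (rejoined onto one line per rule, since the mail client wrapped them), checks that B is the mirror image of A (from/to swapped, SPI and key-file pairs reversed, same algorithms, flow peer backed by an SA, flows covering whole networks rather than single hosts), and checks a captured `sysctl` line for the forwarding setting. The sample sysctl output is constructed.

```python
import ipaddress
import shlex

# Constructed sample configs: the two ipsec.conf stanzas from the post, each
# rejoined onto one line per rule.
GATEWAY_A = (
    "flow esp from 192.168.0.0/24 to 192.168.51.0/24 peer 4.3.2.1\n"
    "esp from 1.2.3.4 to 4.3.2.1 spi 0x80081355:0x13558008 "
    "auth hmac-sha2-512 enc 3des-cbc "
    'authkey file "/etc/ipsec/auth_key.puffy:/etc/ipsec/auth_key.uptowns" '
    'enckey file "/etc/ipsec/enc_key.puffy:/etc/ipsec/enc_key.uptowns"\n'
)
GATEWAY_B = (
    "flow esp from 192.168.51.0/24 to 192.168.0.0/24 peer 1.2.3.4\n"
    "esp from 4.3.2.1 to 1.2.3.4 spi 0x13558008:0x80081355 "
    "auth hmac-sha2-512 enc 3des-cbc "
    'authkey file "/etc/ipsec/auth_key.uptowns:/etc/ipsec/auth_key.puffy" '
    'enckey file "/etc/ipsec/enc_key.uptowns:/etc/ipsec/enc_key.puffy"\n'
)


def parse_ipsec_conf(text):
    """Parse the manual-keying subset of ipsec.conf used in the post:
    'flow <proto> ...' rules and '<proto> from ... to ... spi ...' SA rules.
    Returns {"flows": [...], "sas": [...]}, one keyword->value dict per rule."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)            # honours the quoted key-file paths
        is_flow = toks[0] == "flow"
        rest = toks[2:] if is_flow else toks[1:]
        rule = {"proto": toks[1] if is_flow else toks[0]}
        i = 0
        while i < len(rest):
            key = rest[i]
            if key in ("authkey", "enckey") and rest[i + 1] == "file":
                rule[key] = rest[i + 2]     # "local:remote" key-file pair
                i += 3
            else:
                rule[key] = rest[i + 1]
                i += 2
        (flows if is_flow else sas).append(rule)
    return {"flows": flows, "sas": sas}


def _swap_pair(value):
    """'x:y' -> 'y:x'; SPIs and key-file pairs are written local:remote."""
    left, right = value.split(":", 1)
    return f"{right}:{left}"


def check_mirror(cfg_a, cfg_b):
    """Return the problems found when cfg_b should be the mirror image of
    cfg_a.  An empty list means the two gateways agree."""
    problems = []
    for fa in cfg_a["flows"]:
        # A flow between two hosts only protects the gateways themselves;
        # hosts behind them need the whole network in the flow.
        for side in ("from", "to"):
            if ipaddress.ip_network(fa[side], strict=False).prefixlen == 32:
                problems.append(f"flow {side} {fa[side]} is a single host, not a network")
        if not any(fb["from"] == fa["to"] and fb["to"] == fa["from"]
                   for fb in cfg_b["flows"]):
            problems.append(f"no reverse flow on B for {fa['from']} -> {fa['to']}")
        # The flow's peer must be the destination of an SA on the same gateway.
        if not any(sa["to"] == fa["peer"] for sa in cfg_a["sas"]):
            problems.append(f"flow peer {fa['peer']} has no SA on A")
    for sa in cfg_a["sas"]:
        match = [sb for sb in cfg_b["sas"]
                 if sb["from"] == sa["to"] and sb["to"] == sa["from"]]
        if not match:
            problems.append(f"no reverse SA on B for {sa['from']} -> {sa['to']}")
            continue
        sb = match[0]
        for key in ("spi", "authkey", "enckey"):
            if key in sa and sb.get(key) != _swap_pair(sa[key]):
                problems.append(f"{key} on B is not the mirror of A's ({sa[key]})")
        for key in ("auth", "enc"):
            if sa.get(key) != sb.get(key):
                problems.append(f"{key} differs: A={sa.get(key)} B={sb.get(key)}")
    return problems


def forwarding_enabled(sysctl_output):
    """True if 'sysctl net.inet.ip.forwarding' output reports 1, the setting
    Tony asks about; without it the gateway will not route packets from the
    hosts behind it into the tunnel."""
    for line in sysctl_output.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "net.inet.ip.forwarding":
            return val.strip() == "1"
    return False


if __name__ == "__main__":
    a, b = parse_ipsec_conf(GATEWAY_A), parse_ipsec_conf(GATEWAY_B)
    print(check_mirror(a, b) or "ipsec.conf on A and B are consistent mirrors")
    # constructed sysctl output, the value a default OpenBSD install reports
    print("forwarding enabled:", forwarding_enabled("net.inet.ip.forwarding=0\n"))
```

Run it on the two files with `parse_ipsec_conf(open(path).read())` on each gateway and feed `sysctl net.inet.ip.forwarding` output to `forwarding_enabled`. For Nathan's configs the mirror check comes back clean, which leaves forwarding (and, after that, a NAT rule on the external interface that also rewrites packets bound for the remote subnet, so they no longer match the flow) as the things to look at.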
