Hi,
I have the following situation.
I want to connect my local subnet at home with a private subnet at my
remote server.
To achieve this I'm using public keys in combination with UFQDN.
That part works wonderfully so far and the SA gets established.
It's not possible to send any packets between the subnets though and I'm
afraid I messed up my ipsec.conf.
Both systems are running OpenBSD 4.0.
The home router is on DSL dialup with a dynamic IP address, that's why
I'm using the "egress" interface group. The remote server has a public
static IP.
On both systems the packet filter is set to the following:
set skip on { lo enc0 }
pass in log on $public proto { ah, esp } from any to any \
keep state
pass in log on $public proto udp from any to any \
port 500 keep state
I hope someone can point out my errors.
My local subnet is: 192.168.32.0/24
The remote subnet: 10.55.0.0/24
------------------------------------------------------------------------------
/etc/ipsec.conf
# ipsec client
vpnserver="100.100.100.100"
ike dynamic esp from 192.168.32.0/24 to 10.55.0.0/24 peer $vpnserver \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
ike dynamic esp from egress to 10.55.0.0/24 peer $vpnserver \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
ike dynamic esp from egress to $vpnserver \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
-------------------------------------------------------------------------------
/etc/ipsec.conf
#ipsec server
vpnserver="100.100.100.100"
vpnclient="sample.dyndns.org"
ike passive esp from 10.55.0.0/24 to 192.168.32.0/24 peer $vpnclient local $vpnserver \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
ike passive esp from $vpnserver to 192.168.32.0/24 peer $vpnclient local $vpnserver \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
ike passive esp from $vpnserver to beercrash.kicks-ass.org \
srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
---------------------------------------------------------------------------------
Best regards,
Sebastian
P.S. Please cc me as I'm not subscribed to the list with this email address.