On Mon, Dec 15, 2008 at 12:06:12AM +0000, Danial wrote:
> I don't like responding to my own thread but I really need
> help with this one, so I'll try to rephrase the question:
>
> The remote tunnel endpoint expects traffic originating from
> a specific ip address - the internal ip of the firewall.
>
> How can I achieve this?
>

I think your setup is wrong. See inline.

> > On Tue, Dec 9, 2008 at 1:11 PM, do <[email protected]> wrote:
> > Hello,
> >
> > I'm having some problems routing traffic through an isakmp
> > vpn tunnel.
> >
> > I have a tunnel successfully set up between my OpenBSD 3.8
> > and a Cisco 7200 router.
> > I'm not good at ascii art, but here's how I see it:
> >
> > $int_if = 10.0.0.1
> > $remote_host = 192.168.0.1
> >
> >
> > $int_if <----> enc0 <----> $ext_if |----> (internet)
> >    |                         |============> $remote_gw <--> $remote_host
> >    |
> >    |
> > $internal_host
> >
> >
> >
> > There are ACLs on the $remote_gw which only allow traffic
> > NATed with my $int_if ip. Hence this nat in pf.conf:
> > nat on enc0 inet from $int_net to $remote_host -> $int_if

This nat rule is kicking in too late. Your flow setup will only match
traffic from $int_if to $remote_host. Now even if your default route is
pointing to the $remote_host the traffic from your internal lan will not
match the flow and not end up on enc0.
I see two possible fixes:
a) nat on the internal interface so that incoming traffic is already
   showing up as coming from $int_if
b) add more flows, mainly
   flow esp out from $int_net to $remote_host peer $remote_gw

> >
> > I've established that the flows exist:
> > # netstat -rn -f encap
> > $remote_host/32 0 $int_if/32 0 0 $remote_gw/50/use/in
> > $int_if/32 0 $remote_host/32 0 0 $remote_gw/50/require/out
> >
> > # ipsecctl -s flow
> > flow esp in from $remote_host to $int_if peer $remote_gw
> > flow esp out from $int_if to $remote_host peer $remote_gw
> >
> >
> > What I CAN do is ping the $remote_host through the tunnel
> > from the $int_if with the following command:
> > # ping -I $int_if $remote_host
> >
> > This works and replies are received!
> >
> >
> > But if I try pinging from the $internal_host:
> > c:\> ping $remote_host
> >
> > This doesn't work. The packets are not sent through the
> > tunnel but to the internet.
> >
> >
> > I've tried this route-to line in pf.conf:
> > pass in log quick on $int_if route-to enc0 from $int_net to
> > $remote_host keep state
> >
> > And by running tcpdump on pflog0 I can see that packets are
> > matched:
> > rule 16/(match) pass out on enc0: $int_if > $remote_host:
> > icmp: echo request
> >
> > But no traffic is sent through the tunnel.
> >
> >
> > Why are pings sent from the $internal_host not matched to
> > the flow/route and sent through the corresponding tunnel?
> >
> > Any help is appreciated in resolving this issue!
> >
> >
> > - Danial

--
:wq Claudio
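The following is an added example, not part of the thread and not Claudio's or Danial's configuration, showing what fix (b) from the reply looks like as OpenBSD 3.8-era ipsec.conf and pf.conf fragments, plus the commands to check it. The thread only gives $int_if (10.0.0.1) and $remote_host (192.168.0.1); the LAN prefix 10.0.0.0/24, the peer address 203.0.113.1, the interface names fxp0/fxp1 and the pf macro names are assumptions. The existing `nat on enc0` rule is kept on purpose: the flow lookup selects the SA before pf runs on enc0, so the new flow has to match the untranslated LAN source, while the translation to $int_if is still what makes the inner packet acceptable to the peer's ACL.

```conf
# Added example (not from the thread). Assumed values:
#   LAN behind the firewall   10.0.0.0/24   (not given in the thread)
#   Cisco 7200 public address 203.0.113.1   (not given in the thread)
#   LAN interface fxp0, external interface fxp1 (not given in the thread)

# --- /etc/ipsec.conf ---------------------------------------------------
# Flows isakmpd already negotiated for the firewall itself, as listed by
# "ipsecctl -s flow" in the thread:
#   flow esp in  from 192.168.0.1 to 10.0.0.1 peer 203.0.113.1
#   flow esp out from 10.0.0.1 to 192.168.0.1 peer 203.0.113.1
#
# Fix (b): an extra outbound flow so that a packet whose source is still
# a LAN address matches the SPD and is handed to enc0 at all. Return
# traffic is addressed to 10.0.0.1 after translation, so the existing
# inbound flow already covers it.
flow esp out from 10.0.0.0/24 to 192.168.0.1 peer 203.0.113.1

# --- /etc/pf.conf ------------------------------------------------------
lan_if      = "fxp0"            # assumption
ext_if      = "fxp1"            # assumption
int_addr    = "10.0.0.1"        # $int_if in the thread
int_net     = "10.0.0.0/24"     # assumption
remote_host = "192.168.0.1"
remote_gw   = "203.0.113.1"     # assumption

# Unchanged from the thread. pf evaluates nat before filter rules on the
# outbound side, so everything leaving enc0 carries $int_addr as its
# inner source, which is what the peer's ACL requires.
nat on enc0 inet from $int_net to $remote_host -> $int_addr

# Plaintext leg: in from the LAN, out through the tunnel interface.
# The enc0 rule sees the already translated source address.
pass in  quick on $lan_if inet from $int_net  to $remote_host keep state
pass out quick on enc0    inet from $int_addr to $remote_host keep state

# Encrypted leg: isakmpd (500/udp) and ESP (IP protocol 50) to the peer.
pass out quick on $ext_if inet proto udp from $ext_if to $remote_gw port 500 keep state
pass out quick on $ext_if inet proto esp from $ext_if to $remote_gw

# --- checks -------------------------------------------------------------
#   ipsecctl -n -f /etc/ipsec.conf        # parse only, nothing is loaded
#   ipsecctl -f /etc/ipsec.conf           # install the extra flow
#   ipsecctl -s flow                      # the 10.0.0.0/24 flow must be listed
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#   tcpdump -ni enc0                      # inner packets: source must be 10.0.0.1
#   tcpdump -ni fxp1 ip proto 50          # ESP actually leaving towards the peer
```

If `tcpdump -ni enc0` shows the LAN host's own address as the inner source, the nat rule is not matching and the peer's ACL will drop the packet; if nothing appears on enc0 at all, the flow is not matching and the packet is still taking the default route to the internet, which is exactly the symptom reported above.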

