On Mon, Dec 15, 2008 at 8:46 AM, Claudio Jeker <[email protected]> wrote:
> On Mon, Dec 15, 2008 at 12:06:12AM +0000, Danial wrote:
>> I don't like responding to my own thread but I really need
>> help with this one, so I'll try to rephrase the question:
>>
>> The remote tunnel endpoint expects traffic originating from
>> a specific ip address - the internal ip of the firewall.
>>
>> How can I achieve this?
>>
>
> I think your setup is wrong. See inline.
>
>>
>> On Tue, Dec 9, 2008 at 1:11 PM, do <[email protected]> wrote:
>> > Hello,
>> >
>> > I'm having some problems routing traffic through an isakmp
>> > vpn tunnel.
>> >
>> > I have a tunnel successfully set up between my OpenBSD 3.8
>> > and a Cisco 7200 router.
>> > I'm not good at ascii art, but here's how I see it:
>> >
>> > $int_if = 10.0.0.1
>> > $remote_host = 192.168.0.1
>> >
>> >
>> > $int_if <----> enc0 <----> $ext_if |----> (internet)
>> >    |                                |=========>$remote_gw<-->$remote_host
>> >    |
>> >    |
>> > $internal_host
>> >
>> >
>> >
>> > There are ACLs on the $remote_gw which only allow traffic
>> > NATed with my $int_if ip. Hence this nat in pf.conf:
>> > nat on enc0 inet from $int_net to $remote_host -> $int_if
>> >
>
> This nat rule is kicking in too late. Your flow setup will only match
> traffic from $int_if to $remote_host. Now even if your default route is
> pointing to the $remote_host the traffic from your internal lan will not
> match the flow and not end up on enc0.
>
> I see two possible fixes:
> a) nat on the internal interface so that incoming traffic is already
> showing up as coming from $int_if

Is it possible to nat incoming traffic? I've tried this but can't seem to
get it to work. I can only seem to nat outgoing traffic.

> b) add more flows, mainly
> flow esp out from $int_net to $remote_host peer $remote_gw

Also tried this. The problem is that the flows are negotiated with the
remote host and it rejects them. Does the remote host really have to know?

>
>> >
>> > I've established that the flows exist:
>> > # netstat -rn -f encap
>> > $remote_host/32    0    $int_if/32        0    0    $remote_gw/50/use/in
>> > $int_if/32         0    $remote_host/32   0    0    $remote_gw/50/require/out
>> >
>> > # ipsecctl -s flow
>> > flow esp in from $remote_host to $int_if peer $remote_gw
>> > flow esp out from $int_if to $remote_host peer $remote_gw
>> >
>> >
>> > What I CAN do is ping the $remote_host through the tunnel
>> > from the $int_if with the following command:
>> > # ping -I $int_if $remote_host
>> >
>> > This works and replies are received!
>> >
>> >
>> > But if I try pinging from the $internal_host:
>> > c:\> ping $remote_host
>> >
>> > This doesn't work. The packets are not sent through the
>> > tunnel but to the internet.
>> >
>> >
>> > I've tried this route-to line in pf.conf:
>> > pass in log quick on $int_if route-to enc0 from $int_net to
>> > $remote_host keep state
>> >
>> > And by running tcpdump on pflog0 I can see that packets are
>> > matched:
>> > rule 16/(match) pass out on enc0: $int_if > $remote_host:
>> > icmp: echo request
>> >
>> > But no traffic is sent through the tunnel.
>> >
>> >
>> > Why are pings sent from the $internal_host not matched to
>> > the flow/route and sent through the corresponding tunnel?
>> >
>> > Any help is appreciated in resolving this issue!
>> >
>> >
>> > - Danial
>> >
>
> --
> :wq Claudio
>

Regards,
Danial
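The ordering problem Claudio describes (the SPD flow lookup sees the packet's original source address, so a nat rule on enc0 can never rewrite a packet that did not match a flow in the first place) is easier to see with the two configuration fragments side by side. The following is an added example written for this thread, not configuration posted by either participant: the interface names, the 10.0.0.0/24 LAN prefix and the 203.0.113.1 gateway address are assumptions standing in for the thread's $int_if, $int_net and $remote_gw macros, and it shows option (b), widening the flow selector to the LAN, because that is the one that can be expressed entirely in pf.conf and ipsec.conf. It only works if the peer's crypto policy carries the mirror selector, which is exactly the rejection reported above; with the Cisco ACL unchanged, the single-address flow is the only one the peer will agree to.

```conf
# /etc/pf.conf  (added example; interface names and LAN prefix are assumptions)
int_if      = "fxp0"            # assumed internal interface
ext_if      = "fxp1"            # assumed external interface
int_net     = "10.0.0.0/24"     # assumed LAN behind $int_if
remote_host = "192.168.0.1"
remote_gw   = "203.0.113.1"     # placeholder for the Cisco's public address

# The rule from the thread. nat rules rewrite packets on their way out of
# the named interface, so this fires only after a packet has reached enc0.
# A packet from $int_net reaches enc0 only if an outbound flow matched its
# un-NATed source, and no such flow exists, so the rule never applies.
# nat on enc0 inet from $int_net to $remote_host -> $int_if

# Option (b): let the flow selector cover the LAN itself. Then no address
# rewriting is needed on this side; pf only has to pass the traffic.
pass in  on $int_if from $int_net to $remote_host keep state
pass out on enc0    from $int_net to $remote_host keep state


# /etc/ipsec.conf  (loaded with ipsecctl -f /etc/ipsec.conf)
# Static flow for the LAN-to-remote_host traffic, in the same form that
# "ipsecctl -s flow" printed above for the single-address flow. The peer
# must hold the mirror policy (192.168.0.1 -> 10.0.0.0/24) or quick mode
# for this selector pair is refused, as seen in the thread.
flow esp from 10.0.0.0/24 to 192.168.0.1 peer 203.0.113.1
```

After loading both files, `ipsecctl -s flow` should list the new flow next to the two existing ones and `netstat -rn -f encap` should show a matching `require/out` entry for 10.0.0.0/24; if the entry is present but pings from the LAN still leave via $ext_if, the peer has not accepted the selector and the SA was never established.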

