On 6/17/05, Stephen Marley <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 17, 2005 at 11:29:03AM -0500, dontek wrote:
> > I have just configured a VPN tunnel between two OpenBSD firewalls /
> > gateways following the VPN man page nearly word-for-word. All is
> > working well... mostly:
> >
> > On either end, on machines behind the firewall, I can connect to any
> > service on any machine on the remote end.
> >
> > However, if I am on the firewall machines themselves, I can ping
> > machines on the remote end, but service connection fails.
> >
> > For instance, I can ssh to a box on the remote end from a machine
> > behind the firewall, but if I attempt to ssh to the same remote box
> > from the firewall itself, I get a "connection refused". This is true
> > on both ends.
> >
> > Are there additional rules I need to put into pf for this type of
> > connectivity? What am I missing?
>
> I'll guess that the ping works because you're using ping -I to specify
> the source address as an internal LAN address. However your ssh will
> have the firewall's external address as its source address and it will
> not get encapsulated since there are no flows defined for gateway to
> network, only network to network.

Actually, I am just doing a vanilla ping, no source address option.
When you say "flows", do you mean pf flows (rules)?

> You could define additional SAs for the gateway to network connections,

I tried adding pass rules from gateway(s) to network(s) and back,
similar to the network to network passes on enc0, but this did not
solve the problem.

> but I think just adding a route pointing to your inside interface will
> work. For example, if your gateway's internal address is 192.168.1.1 and
> the remote network is 10.10.10.0/24, on the gateway run:
> route add 10.10.10/24 192.168.1.1

Adding the static routes indeed worked; however, I would still like to
understand this better and get it working via pf and not have to add
the routes.

> --
> stephen
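The mechanism Stephen describes (a gateway-originated packet picks up the external interface's address as its source, so it falls outside the network-to-network flow and is not encapsulated, while a route to the remote network pointing at the internal address makes the kernel use the internal address instead) can be reproduced in a small Python model. This is an added example written for this page, not code from the thread or from OpenBSD; it uses the thread's addresses (192.168.1.1 inside, 10.10.10.0/24 remote) and assumes an external address of 203.0.113.1/24 and a gateway-to-network flow as the alternative fix. It models only two rules of the real kernel: longest-prefix route lookup decides the outgoing interface and hence the source address, and a packet is encapsulated only if (src, dst) lies inside a configured flow. Whatever misses every flow is not protected by IPsec, so on a real gateway the check is to compare `tcpdump -n -i enc0` with a capture on the external interface while attempting the ssh.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str  # a packet matching this route leaves through this interface


@dataclass(frozen=True)
class Flow:
    """An IPsec flow (SPD entry): traffic from src to dst gets encapsulated."""
    src: IPv4Network
    dst: IPv4Network


class Gateway:
    def __init__(self, interfaces, routes, flows):
        self.interfaces = {name: ip_interface(addr) for name, addr in interfaces.items()}
        self.routes = list(routes)
        self.flows = list(flows)

    def add_route(self, prefix, nexthop):
        """Model 'route add PREFIX NEXTHOP': the route points out of the interface
        whose subnet contains NEXTHOP. In the thread the next hop is the gateway's
        own internal address, so the route attaches to the internal interface."""
        nexthop = ip_address(nexthop)
        for name, iface in self.interfaces.items():
            if nexthop in iface.network:
                self.routes.append(Route(ip_network(prefix), name))
                return
        raise ValueError(f"no interface can reach {nexthop}")

    def source_for(self, dst):
        """Source address of a locally generated packet: the address of the
        interface selected by longest-prefix route lookup."""
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        best = max(candidates, key=lambda r: r.prefix.prefixlen)
        return self.interfaces[best.interface].ip

    def matches_flow(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        return any(src in f.src and dst in f.dst for f in self.flows)

    def send(self, dst):
        """Outcome for a packet the gateway itself originates towards dst."""
        src = self.source_for(dst)
        return {"src": str(src), "dst": str(dst), "encapsulated": self.matches_flow(src, dst)}

    def forward(self, src, dst):
        """Outcome for a packet forwarded on behalf of a LAN host (source already set)."""
        return {"src": str(src), "dst": str(dst), "encapsulated": self.matches_flow(src, dst)}


LOCAL_NET = ip_network("192.168.1.0/24")
REMOTE_NET = ip_network("10.10.10.0/24")


def build_gateway():
    """Gateway as set up in the thread: one network-to-network flow and a default
    route out the external interface. The external address is an assumption
    (RFC 5737 documentation range), not a value from the thread."""
    return Gateway(
        interfaces={"int0": "192.168.1.1/24", "ext0": "203.0.113.1/24"},
        routes=[Route(ip_network("0.0.0.0/0"), "ext0")],
        flows=[Flow(LOCAL_NET, REMOTE_NET)],
    )


if __name__ == "__main__":
    gw = build_gateway()
    print("LAN host -> remote      :", gw.forward("192.168.1.50", "10.10.10.5"))
    print("gateway -> remote       :", gw.send("10.10.10.5"))   # external source, misses the flow
    gw.add_route("10.10.10.0/24", "192.168.1.1")                # the route suggested in the thread
    print("after route add         :", gw.send("10.10.10.5"))   # internal source, encapsulated
    gw2 = build_gateway()
    gw2.flows.append(Flow(ip_network("203.0.113.1/32"), REMOTE_NET))  # alternative: gateway-to-net flow
    print("with gateway-to-net flow:", gw2.send("10.10.10.5"))
```

The model also shows why pf pass rules on enc0 cannot fix this on their own: pf only sees the packet on enc0 once a flow has claimed it, and a packet sourced from the external address never reaches that point.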