Hi :)

I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
office) and 4.9 (branch office).
With the following setup I can bring the tunnel up, but the networks can't
talk to each other:

Central ipsec.conf
-------------------------
ike passive esp tunnel from 10.20.0.0/16 to any \
                srcid matriz.domain.com.br \
                psk testefilial
------------

Branch ipsec.conf
-------------------------
matriz_net = "10.20.0.0/16"
matriz_gw = "178.9.35.10"
filial_net =  "10.10.11.0/24"

ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
                srcid filial.domain.com.br \
                dstid matriz.domain.com.br \
                psk testefilial
-----------

# ipsecctl -sa
FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes

-----------

# route -n show -encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
10.10.11/24        0     10.20/16           0     0      185.53.27.23/esp/use/in
10.20/16           0     10.10.11/24        0     0      185.53.27.23/esp/require/out


Fabio Almeida

On 13/11/2011, at 12:06, Mik J wrote:

> Hello,
>
> I would like to know if such configuration is possible.
>
> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>
> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical
> interface. When it wants to access the internet, its address 192.168.10.99 is
> natted to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>
> It's not really important for now whether other machines on LAN1 can ping
> machines on LAN2. For now I would like the OpenBSD box to be able to ping
> machines on LAN2.
>
> I have searched the internet for examples of this particular case, because
> the OpenBSD is behind a NAT router, and I haven't found the proper way to do
> this. I don't even know if it's possible. I know some kind of NAT-T should be
> used, though.
>
> Does anyone have this configuration in place?
>
> Thanks

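Added example, not part of the original thread: a small Python checker that parses the `ipsecctl -sa` output quoted above and, for a given pair of networks, verifies that flows exist in both directions and that the SAD holds an SA towards and from the flow's peer. The sample text is the posted output with the wrapped lines joined; the network pair is taken from the posted ipsec.conf.

```python
import re
from ipaddress import ip_network, ip_address

# Constructed sample: the `ipsecctl -sa` output from the post, lines unwrapped.
SAMPLE = """FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+) .*type (\w+)$")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")

def parse(text):
    """Split ipsecctl -sa output into flow entries and SA entries."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d, src, dst, peer, typ = m.groups()
            flows.append({"dir": d, "src": ip_network(src), "dst": ip_network(dst),
                          "peer": ip_address(peer), "type": typ})
            continue
        m = SA_RE.match(line)
        if m:
            sas.append({"src": ip_address(m[1]), "dst": ip_address(m[2]), "spi": int(m[3], 16)})
    return flows, sas

def check(text, local_net, remote_net):
    """Return a list of problems for traffic between local_net and remote_net (empty = ok)."""
    local, remote = ip_network(local_net), ip_network(remote_net)
    flows, sas = parse(text)
    problems = []
    out = [f for f in flows if f["dir"] == "out" and f["src"] == local and f["dst"] == remote]
    inn = [f for f in flows if f["dir"] == "in" and f["src"] == remote and f["dst"] == local]
    if not out:
        problems.append("no outbound flow local->remote")
    if not inn:
        problems.append("no inbound flow remote->local")
    # Each flow's peer needs an SA in each direction, otherwise packets match a
    # flow but have nothing to be encapsulated with.
    for peer in sorted({f["peer"] for f in out + inn}):
        if not any(sa["dst"] == peer for sa in sas):
            problems.append(f"no SA towards peer {peer}")
        if not any(sa["src"] == peer for sa in sas):
            problems.append(f"no SA from peer {peer}")
    return problems

if __name__ == "__main__":
    for p in check(SAMPLE, "10.20.0.0/16", "10.10.11.0/24") or ["flows and SAs look consistent"]:
        print(p)
```

The check only covers the box it is run on, so the same pair (with local and remote swapped) has to pass on the other gateway too. A clean result says nothing about pf rules on enc0 or IP forwarding, which are the next things to look at when flows and SAs are present but traffic still does not pass.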