hello people,
i'm trying to set up a vpn between us and our ASP. they've assigned us
"their own" private rfc1918 addresses, from which they want us to
connect. basically our topology looks like depicted below:
our_internal <--> our_fw <--> internet <--> ASP_peer <--> ASP_internal
"our_internal" is 192.168.A.A/24
"our_fw" with 82.x.x.x on its external IF, running openbsd 3.7 release
the "ASP_peer" with 193.x.x.x on its external IF (some cisco vpn
concentrator - which i've no access to)
"ASP_internal" is B.B.B.B/8
they want us to connect from 172.C.C.C/30
the tunnel between our_fw and ASP_peer is established and confirmed by
our ASP. since our_fw would only route packets from 172.C.C.C/30 to
B.B.B.B/8 i did set up additional flows using ipsecadm:
ipsecadm flow -addr B.B.B.B/8 192.168.A.A/24 -dst ASP_peer -proto esp -in -use
ipsecadm flow -addr 192.168.A.A/24 B.B.B.B/8 -dst ASP_peer -proto esp -out -require
the flows are shown correctly when doing "netstat -rf encap":
B/8 0 172.C.C.C/30 0 0 193.x.x.x/50/use/in
B/8 0 192.168.A/24 0 0 193.x.x.x/50/use/in
172.C.C.C/30 0 B/8 0 0 193.x.x.x/50/require/out
192.168.A/24 0 B/8 0 0 193.x.x.x/50/require/out
in pf.conf i've a line saying:
nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C
ping from our_internal to a machine in ASP_internal and listening with
"tcpdump -ni $int_if" shows icmp echo requests coming in on the internal
IF. listening on enc0 shows nothing but silence. "tcpdump -ni $ext_if
esp" shows silence too. listening on pflog0 shows packets entering our_fw
on the internal IF. it looks like the packets simply disappear after
entering our_fw.
at the moment our_fw does pass everything and keeps state.
also, occasionally i'm getting these from isakmpd:
transport_send_messages: giving up on message 0x3c069500, exchange Peer-ASP_fw
transport_send_messages: either this message did not reach the other peer
transport_send_messages: or the responsemessage did not reach us back
(tell me news...)
i know doing nat on enc0 and generally screwing up VPNs with NAT doesn't
seem to be a very good idea, but it looks like i haven't got other
options at the moment. please let me know if any additional info is
needed.
any help/hints/suggestions would be greatly appreciated.
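a small helper for reading the flow table shown above. this is an added example, not part of the original post and not OpenBSD code: it parses a "netstat -rf encap" dump into flow entries and answers "which entry would a packet with this source/destination select in this direction?", which is the first thing to check when packets vanish on the way to enc0. the table embedded in it is constructed, with the post's A/B/C placeholders replaced by made-up addresses; it assumes netstat's abbreviated network notation ("10/8", "192.168.1/24") and approximates the kernel's radix lookup with a simple longest-combined-prefix match.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample in the shape of "netstat -rf encap" output; the post's
# placeholder octets are replaced with example addresses. Assumption: netstat
# abbreviates networks by dropping trailing zero octets ("10/8").
SAMPLE_ENCAP = """\
Routing tables

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
10/8 0 172.16.1/30 0 0 198.51.100.1/50/use/in
10/8 0 192.168.1/24 0 0 198.51.100.1/50/use/in
172.16.1/30 0 10/8 0 0 198.51.100.1/50/require/out
192.168.1/24 0 10/8 0 0 198.51.100.1/50/require/out
"""


@dataclass(frozen=True)
class Flow:
    src: IPv4Network
    dst: IPv4Network
    sa_addr: str       # remote SA endpoint (the peer)
    sa_proto: int      # 50 = ESP, 51 = AH
    policy: str        # "use" or "require"
    direction: str     # "in" or "out"


def _expand_net(text: str) -> IPv4Network:
    """Turn netstat's abbreviated "10/8" into a proper 10.0.0.0/8 network."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ip_network(f"{'.'.join(octets)}/{plen or 32}")


def parse_encap_table(text: str) -> list[Flow]:
    """Parse the flow rows of `netstat -rf encap`; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        src, _sport, dst, _dport, _proto, sa = fields
        try:
            sa_addr, sa_proto, policy, direction = sa.split("/")
            flows.append(Flow(_expand_net(src), _expand_net(dst), sa_addr,
                              int(sa_proto), policy, direction))
        except ValueError:
            continue  # the column-header row, or anything else that is not a flow
    return flows


def lookup_flow(flows: list[Flow], src_ip: str, dst_ip: str,
                direction: str) -> Optional[Flow]:
    """Return the most specific flow covering (src, dst) in the given direction.

    Assumption: the kernel's radix-tree lookup is approximated by "longest
    combined prefix wins"; that is enough to see which entry a packet selects.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    best = None
    for f in flows:
        if f.direction != direction or s not in f.src or d not in f.dst:
            continue
        if best is None or (f.src.prefixlen + f.dst.prefixlen
                            > best.src.prefixlen + best.dst.prefixlen):
            best = f
    return best


def describe(flows: list[Flow], src_ip: str, dst_ip: str, direction: str) -> str:
    """One-line verdict for a packet, suitable for eyeballing a whole table."""
    f = lookup_flow(flows, src_ip, dst_ip, direction)
    if f is None:
        return f"{src_ip} -> {dst_ip} ({direction}): no matching flow entry"
    return (f"{src_ip} -> {dst_ip} ({direction}): {f.src} -> {f.dst} "
            f"via {f.sa_addr} proto {f.sa_proto}, {f.policy}")


if __name__ == "__main__":
    flows = parse_encap_table(SAMPLE_ENCAP)
    # pre-NAT source (inside LAN), post-NAT source (the assigned /30), and a
    # source outside both, all towards the ASP network
    for src in ("192.168.1.10", "172.16.1.1", "192.168.2.10"):
        print(describe(flows, src, "10.5.5.5", "out"))
    print(describe(flows, "10.5.5.5", "192.168.1.10", "in"))
```

paste your own "netstat -rf encap" output into SAMPLE_ENCAP (or read it from stdin) and query the addresses tcpdump shows on the internal IF; a packet whose source/destination pair yields "no matching flow entry" in the "out" direction will never be handed to enc0 by the flow table, so that is where to look first before blaming NAT or isakmpd.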