Hello,

I'm having some problems routing traffic through an isakmp
vpn tunnel.

I have a tunnel successfully set up between my OpenBSD 3.8
and a Cisco 7200 router.
I'm not good at ascii art, but here's how I see it:

$int_if = 10.0.0.1
$remote_host = 192.168.0.1

 
 $int_if <----> enc0 <----> $ext_if |----> (internet)
   |               |====================> $remote_gw <--->
$remote_host
   |
   |
$internal_host



There are ACLs on the $remote_gw which only allow traffic
NATed with my $int_if ip. Hence this nat in pf.conf:
nat on enc0 inet from $int_net to $remote_host -> $int_if


I've established that the flows exist:
# netstat -rn -f encap
$remote_host/32 0   $int_if/32      0   0   $remote_gw/50/use/in
$int_if/32      0   $remote_host/32 0   0   $remote_gw/50/require/out

# ipsecctl -s flow
flow esp in from $remote_host to $int_if peer $remote_gw
flow esp out from $int_if to $remote_host peer $remote_gw


What I CAN do is ping the $remote_host through the tunnel
from the $int_if with the following command:
# ping -I $int_if $remote_host

This works and replies are received!


But if I try pinging from the $internal_host:
c:\> ping $remote_host

This doesn't work. The packets are not sent through the
tunnel but to the internet.


I've tried this route-to line in pf.conf:
pass in log quick on $int_if route-to enc0 from $int_net to $remote_host keep state

And by running tcpdump on pflog0 I can see that packets are
matched:
rule 16/(match) pass out on enc0: $int_if > $remote_host: icmp: echo request

But no traffic is sent through the tunnel.


Why are pings sent from the $internal_host not matched to
the flow/route and sent through the corresponding tunnel? 

Any help is appreciated in resolving this issue!


- Danial
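As an added illustration (not part of the post above, and not OpenBSD's own code), the following Python model shows how an IPsec flow lookup decides whether a packet is covered: each flow in the `ipsecctl -s flow` output carries a source and destination network, and a packet only matches when both its addresses fall inside them. The model reuses the post's $int_if (10.0.0.1) and $remote_host (192.168.0.1); $remote_gw (203.0.113.1), $internal_host (10.0.0.5) and $int_net (10.0.0.0/24) are assumed values. `lookup_after_nat` models only the address rewrite the post's nat rule would perform, not where in the kernel that rewrite happens relative to the flow check.

```python
"""Toy model of an IPsec flow (SPD) lookup, added as an illustration.

Addresses from the post: $int_if = 10.0.0.1, $remote_host = 192.168.0.1.
Assumed values: $remote_gw = 203.0.113.1, $internal_host = 10.0.0.5,
$int_net = 10.0.0.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    direction: str                 # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: ipaddress.IPv4Address

    def specificity(self) -> int:
        # Longer prefixes on both sides make a flow more specific.
        return self.src.prefixlen + self.dst.prefixlen


def parse_flows(text: str) -> List[Flow]:
    """Parse lines shaped like the ipsecctl -s flow output:
    'flow esp out from 10.0.0.1 to 192.168.0.1 peer 203.0.113.1'.
    Lines that do not start with 'flow' are ignored."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "flow":
            continue
        # parts[3::2] are the keywords from/to/peer, parts[4::2] their values
        fields = dict(zip(parts[3::2], parts[4::2]))
        flows.append(Flow(
            direction=parts[2],
            # A bare host address becomes a /32 network.
            src=ipaddress.ip_network(fields["from"], strict=False),
            dst=ipaddress.ip_network(fields["to"], strict=False),
            peer=ipaddress.ip_address(fields["peer"]),
        ))
    return flows


def lookup(flows: List[Flow], direction: str, src: str, dst: str) -> Optional[Flow]:
    """Return the most specific flow covering (src, dst) in this direction,
    or None when no flow matches (the packet would go out in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [f for f in flows
                  if f.direction == direction and s in f.src and d in f.dst]
    return max(candidates, key=Flow.specificity, default=None)


def lookup_after_nat(flows: List[Flow], direction: str, src: str, dst: str,
                     int_net: str, int_if: str) -> Optional[Flow]:
    """Same lookup, but with the post's nat rule applied to the source first:
    an address inside int_net is rewritten to int_if before the flow check.
    This models only the rewrite itself, not kernel ordering."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(int_net):
        src = int_if
    return lookup(flows, direction, src, dst)


# Constructed sample in the ipsecctl -s flow layout, using the post's addresses.
SAMPLE_FLOWS = """\
flow esp in from 192.168.0.1 to 10.0.0.1 peer 203.0.113.1
flow esp out from 10.0.0.1 to 192.168.0.1 peer 203.0.113.1
"""
FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    # $int_if matches the out flow; the assumed $internal_host does not.
    for src in ("10.0.0.1", "10.0.0.5"):
        print(src, "-> 192.168.0.1 matches:", lookup(FLOWS, "out", src, "192.168.0.1"))
    print("10.0.0.5 with source rewritten to $int_if first:",
          lookup_after_nat(FLOWS, "out", "10.0.0.5", "192.168.0.1",
                           "10.0.0.0/24", "10.0.0.1"))
```

Running the block prints a matching flow for 10.0.0.1, `None` for 10.0.0.5, and a match again once the source has been rewritten to $int_if; a flow whose source side is the whole 10.0.0.0/24 would also cover the internal host directly, and the most specific flow wins when several match.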
