I don't like responding to my own thread but I really need help with this one, so I'll try to rephrase the question:
The remote tunnel endpoint expects traffic originating from a specific ip address - the internal ip of the firewall. How can I achieve this?

/ Danial

On Tue, Dec 9, 2008 at 1:11 PM, do <d...@meyl.fo> wrote:
> Hello,
>
> I'm having some problems routing traffic through an isakmp
> vpn tunnel.
>
> I have a tunnel successfully set up between my OpenBSD 3.8
> and a Cisco 7200 router.
> I'm not good at ascii art, but here's how I see it:
>
> $int_if = 10.0.0.1
> $remote_host = 192.168.0.1
>
>
> $int_if <----> enc0 <----> $ext_if |----> (internet)
>    |                                  |============> $remote_gw <--> $remote_host
>    |
>    |
> $internal_host
>
>
>
> There are ACLs on the $remote_gw which only allow traffic
> NATed with my $int_if ip. Hence this nat in pf.conf:
> nat on enc0 inet from $int_net to $remote_host -> $int_if
>
>
> I've established that the flows exist:
> # netstat -rn -f encap
> $remote_host/32 0 $int_if/32 0 0 $remote_gw/50/use/in
> $int_if/32 0 $remote_host/32 0 0 $remote_gw/50/require/out
>
> # ipsecctl -s flow
> flow esp in from $remote_host to $int_if peer $remote_gw
> flow esp out from $int_if to $remote_host peer $remote_gw
>
>
> What I CAN do is ping the $remote_host through the tunnel
> from the $int_if with the following command:
> # ping -I $int_if $remote_host
>
> This works and replies are received!
>
>
> But if I try pinging from the $internal_host:
> c:\> ping $remote_host
>
> This doesn't work. The packets are not sent through the
> tunnel but to the internet.
>
>
> I've tried this route-to line in pf.conf:
> pass in log quick on $int_if route-to enc0 from $int_net to
> $remote_host keep state
>
> And by running tcpdump on pflog0 I can see that packets are
> matched:
> rule 16/(match) pass out on enc0: $int_if > $remote_host:
> icmp: echo request
>
> But no traffic is sent through the tunnel.
>
>
> Why are pings sent from the $internal_host not matched to
> the flow/route and sent through the corresponding tunnel?
>
> Any help is appreciated in resolving this issue!
>
>
> - Danial
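As an added illustration of the symptom described in the quoted post (not code from the poster or from OpenBSD), the script below parses `ipsecctl -s flow` output of the shape shown above and checks whether a given source/destination pair is covered by an outbound flow's selectors. The two flow lines are constructed from the post's values (10.0.0.1 as $int_if, 192.168.0.1 as $remote_host); the peer address 203.0.113.1 standing in for $remote_gw and the internal host 10.0.0.5 are made-up placeholders.

```python
import ipaddress
import re

# Constructed sample of `ipsecctl -s flow` output, in the shape the post shows.
# 10.0.0.1 ($int_if) and 192.168.0.1 ($remote_host) are from the post;
# 203.0.113.1 is a placeholder for $remote_gw (assumption, not from the post).
SAMPLE_FLOWS = """\
flow esp in from 192.168.0.1 to 10.0.0.1 peer 203.0.113.1
flow esp out from 10.0.0.1 to 192.168.0.1 peer 203.0.113.1
"""

# Matches the leading fields of a flow line; trailing fields (srcid, type, ...)
# that newer ipsecctl versions print are ignored.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+peer\s+(?P<peer>\S+)"
)


def parse_flows(text):
    """Parse flow lines into dicts; a bare host selector becomes a /32 network."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m.group("proto"),
            "dir": m.group("dir"),
            "src": ipaddress.ip_network(m.group("src"), strict=False),
            "dst": ipaddress.ip_network(m.group("dst"), strict=False),
            "peer": ipaddress.ip_address(m.group("peer")),
        })
    return flows


def matching_flow(flows, src, dst, direction="out"):
    """Return the first flow whose selectors cover (src, dst) in that direction, else None.

    This is a simplified version of the selector match the kernel performs
    against its SPD: both the packet's source and destination must fall inside
    the flow's selector networks.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


def explain(flows, src, dst):
    """Human-readable verdict for a source/destination pair leaving the firewall."""
    f = matching_flow(flows, src, dst)
    if f is None:
        return (f"{src} -> {dst}: no outbound flow covers this pair; "
                "the packet follows the normal routing table, not the tunnel")
    return (f"{src} -> {dst}: covered by flow {f['src']} -> {f['dst']} "
            f"via peer {f['peer']}")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # Ping sourced from $int_if itself (ping -I $int_if) is covered.
    print(explain(flows, "10.0.0.1", "192.168.0.1"))
    # Ping from a constructed internal host is not: the source selector is a
    # single host, so nothing with a 10.0.0.x source other than $int_if matches.
    print(explain(flows, "10.0.0.5", "192.168.0.1"))
```

Run it as-is to see the two verdicts; to check a live system, replace `SAMPLE_FLOWS` with the real output of `ipsecctl -s flow` and pass the internal host's address. The check makes the poster's observation concrete: with a flow whose source selector is the single $int_if host, only packets that already carry that source address are eligible for the tunnel, so a packet from $internal_host has to have been translated to $int_if before the selector match for it to be sent via the peer.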