Re : Re : vpn isakmpd ipsec, one side with only one interface
Wesley, you might have misunderstood me. The ssh is going inside the IPsec VPN tunnel, which is between OpenBSD and RemoteFW:

    Openbsd rl0 - IPSec - RemoteFW - LAN 2 - SomeDevice

With this topology as a reminder:

    Openbsd rl0 - LAN1 - Router - Internet - RemoteFW - LAN 2 - SomeDevice

----- Original message -----
From: Wesley M. open...@e-solutions.re
To: Mik J mikyde...@yahoo.fr
Cc: misc@openbsd.org
Sent: Friday 17 February 2012 05:45
Subject: Re: Re : vpn isakmpd ipsec, one side with only one interface

> I know ssh works also very well. But the company has requirements: IPsec VPN with specific phase 1 and 2...
>
> Wesley.
>
> On Thu, 16 Feb 2012 19:18:09 +0000 (GMT), Mik J mikyde...@yahoo.fr wrote:
> > [...]
Re: vpn isakmpd ipsec, one side with only one interface
Hi

I'm not sure if this will work, but you could try creating a loopback interface (lo2) on FWC with the IP address that the FTP server should be reachable on and then set up a regular VPN between FWA and FWC just for that one IP address:

    ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...

Then tell the FTP server to listen on the IP of the lo2 interface (172.17.2.21?)

/m

On 02/13/12 14:43, Wesley M. wrote:
> Hi,
>
> I was using IPsec VPN between 2 OpenBSD gateways. It worked very well. Here:
>
>     ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---
>
> Now we remove ftp services from fwB and put it on another machine fwC with an internet connection (only one network card). Is it possible to keep a VPN online from fwA and fwC, and so computersA can reach again ftp using VPN (provided by fwC)? Perhaps I need to use vether on fwC so bridged pf?
>
> Here the old ipsec.conf from fwB:
>
>     ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA \
>         main auth hmac-sha1 enc aes-256 group modp1024 \
>         quick auth hmac-sha1 enc aes-256 group modp1024 \
>         psk demopassword
>
> My idea on fwC: add vether0 with:
>
>     inet 172.17.2.21 255.255.255.0
Re: vpn isakmpd ipsec, one side with only one interface
I have it working ;-)

What I have done:

- Create a vether0 with: inet 172.17.2.21 255.255.255.0
- Create a bridge0, add to it vether0 and the physical card...
- PF: filter the bridge
- Create the VPN, I can reach the ftp :-)

Pretty cool. Thanks to vether !!

Cheers,

Wesley MOUEDINE ASSABY

On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig liste...@wernig.net wrote:
> Hi
>
> I'm not sure if this will work, but you could try creating a loopback interface (lo2) on FWC with the IP address that the FTP server should be reachable on and then set up a regular VPN between FWA and FWC just for that one IP address:
>
>     ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>
> Then tell the FTP server to listen on the IP of the lo2 interface (172.17.2.21?)
>
> /m
>
> On 02/13/12 14:43, Wesley M. wrote:
> > [...]
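The steps Wesley lists above, staged as concrete OpenBSD files. This is an added example and not a file from any of the list posters: it writes hostname.if(5), pf.conf(5) and ipsec.conf(5) fragments for fwC into a staging directory so they can be reviewed before being copied to /etc. Assumptions not in the thread: the physical card is called em0, the IPsec flow is narrowed to the single vether0 address (Markus' /32 suggestion) instead of the old /24, and the PSK and fwA address come from the environment (IPSEC_PSK, FWA_IP) with placeholder defaults. The phase 1 and phase 2 proposals are the ones from the old fwB ipsec.conf, and check_phase_params refuses to stage a file that does not carry exactly those.

```shell
#!/bin/sh
# Added example, not a file from the thread: stage the fwC-side configuration
# (vether0 bridged to the NIC, PF filtering the bridge members, an ipsec.conf
# with the old phase 1/2 proposals) for review before installing it in /etc.
# Assumptions not in the thread: NIC name em0, a /32 flow for the vether0
# host, and PSK/fwA address taken from environment variables.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"
PHYS_IF="${PHYS_IF:-em0}"                       # assumed NIC name on fwC
FWA_IP="${FWA_IP:-ip_fwA}"                      # placeholder used in the thread
IPSEC_PSK="${IPSEC_PSK:-REPLACE-WITH-REAL-PSK}" # never ship the demo PSK
VETHER_IP=172.17.2.21                           # from the thread
VETHER_MASK=255.255.255.0                       # from the thread
LOCAL_NET=172.17.2.21/32                        # Markus' suggestion (assumed)
REMOTE_NET=192.168.0.0/24                       # LAN behind fwA, from the thread

# /etc/hostname.vether0: the virtual interface the FTP server answers on
gen_hostname_vether0() {
    printf 'inet %s %s\n' "$VETHER_IP" "$VETHER_MASK"
}

# /etc/hostname.bridge0: bridge vether0 with the physical card
gen_hostname_bridge0() {
    printf 'add vether0\nadd %s\nup\n' "$PHYS_IF"
}

# /etc/pf.conf: from outside only IKE/ESP from fwA reaches the box, and what
# leaves the tunnel (enc0) may only go to the FTP host address.  vether0 is
# deliberately not skipped: anything bridged onto it from the NIC's segment
# still hits "block all", so 172.17.2.21 is only reachable through the tunnel.
gen_pf_conf() {
    cat <<EOF
ext_if = "$PHYS_IF"
fwa_ip = "$FWA_IP"
set skip on lo
block all
pass in on \$ext_if proto udp from \$fwa_ip to (\$ext_if) port { isakmp, ipsec-nat-t }
pass in on \$ext_if proto esp from \$fwa_ip to (\$ext_if)
pass in on enc0 proto ipencap from \$fwa_ip to (\$ext_if) keep state (if-bound)
pass in on enc0 from $REMOTE_NET to $VETHER_IP keep state (if-bound)
pass out on \$ext_if keep state
EOF
}

# /etc/ipsec.conf: same phase 1 (main) and phase 2 (quick) proposals as the
# old fwB file, but the local side is now the single vether0 address
gen_ipsec_conf() {
    cat <<EOF
ike esp from $LOCAL_NET to $REMOTE_NET peer $FWA_IP \\
    main auth hmac-sha1 enc aes-256 group modp1024 \\
    quick auth hmac-sha1 enc aes-256 group modp1024 \\
    psk "$IPSEC_PSK"
EOF
}

# The requirement is a fixed phase 1/2 proposal: join the continuation lines
# and look for exactly that proposal string, returning 1 if it is missing.
check_phase_params() {
    conf=$(gen_ipsec_conf | tr -d '\\\n' | tr -s ' ')
    case "$conf" in
        *"main auth hmac-sha1 enc aes-256 group modp1024 quick auth hmac-sha1 enc aes-256 group modp1024"*)
            return 0 ;;
    esac
    return 1
}

# Write all four files into the staging directory and print its path.
stage_all() {
    check_phase_params || {
        echo "ipsec.conf does not carry the required phase 1/2 proposals" >&2
        return 1
    }
    mkdir -p "$STAGE"
    gen_hostname_vether0 > "$STAGE/hostname.vether0"
    gen_hostname_bridge0 > "$STAGE/hostname.bridge0"
    gen_pf_conf          > "$STAGE/pf.conf"
    gen_ipsec_conf       > "$STAGE/ipsec.conf"
    chmod 600 "$STAGE/ipsec.conf"   # the file carries the PSK
    echo "$STAGE"
}

stage_all
```

On fwC the staged files go to /etc; check them first with `pfctl -n -f /etc/pf.conf` and `ipsecctl -n -f /etc/ipsec.conf`, then `sh /etc/netstart vether0 bridge0`, `pfctl -f /etc/pf.conf`, start isakmpd with `-K` and load the flows with `ipsecctl -f /etc/ipsec.conf`. As Mik's reply later in the thread shows, the bridge is not required for the tunnel itself; what matters is that the address the FTP daemon listens on is covered by the flow and that PF only lets that address be reached through enc0.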
Re : vpn isakmpd ipsec, one side with only one interface
Hello,

I have this configuration working without any bridge.

    Openbsd rl0 - LAN1 - Router - Internet - RemoteFW - LAN 2 - SomeDevice

My PC is connected to a LAN1 switch, and it's able to ssh SomeDevice. As you can see my OpenBSD has just one interface and the VPN is mounted between OpenBSD and RemoteFW.

----- Original message -----
From: Wesley M. open...@e-solutions.re
To: Markus Wernig liste...@wernig.net
Cc: misc@openbsd.org
Sent: Thursday 16 February 2012 15:59
Subject: Re: vpn isakmpd ipsec, one side with only one interface

> I have it working ;-)
>
> What I have done:
>
> - Create a vether0 with: inet 172.17.2.21 255.255.255.0
> - Create a bridge0, add to it vether0 and the physical card...
> - PF: filter the bridge
> - Create the VPN, I can reach the ftp :-)
>
> Pretty cool. Thanks to vether !!
>
> Cheers,
>
> Wesley MOUEDINE ASSABY
>
> On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig liste...@wernig.net wrote:
> > [...]
Re: Re : vpn isakmpd ipsec, one side with only one interface
I know ssh works also very well. But the company has requirements: IPsec VPN with specific phase 1 and 2...

Wesley.

On Thu, 16 Feb 2012 19:18:09 +0000 (GMT), Mik J mikyde...@yahoo.fr wrote:
> Hello,
>
> I have this configuration working without any bridge.
>
>     Openbsd rl0 - LAN1 - Router - Internet - RemoteFW - LAN 2 - SomeDevice
>
> My PC is connected to a LAN1 switch, and it's able to ssh SomeDevice. As you can see my OpenBSD has just one interface and the VPN is mounted between OpenBSD and RemoteFW.
>
> ----- Original message -----
> From: Wesley M. open...@e-solutions.re
> To: Markus Wernig liste...@wernig.net
> Cc: misc@openbsd.org
> Sent: Thursday 16 February 2012 15:59
> Subject: Re: vpn isakmpd ipsec, one side with only one interface
>
> > [...]
vpn isakmpd ipsec, one side with only one interface
Hi,

I was using IPsec VPN between 2 OpenBSD gateways. It worked very well. Here:

    ---rl0---[fwA]---rl1(internet)-sis1---[fwB with ftpd]---sis0---

Now we remove ftp services from fwB and put it on another machine fwC with an internet connection (only one network card). Is it possible to keep a VPN online from fwA and fwC, and so computersA can reach again ftp using VPN (provided by fwC)? Perhaps I need to use vether on fwC so bridged pf?

Here the old ipsec.conf from fwB:

    ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA \
        main auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 group modp1024 \
        psk demopassword

My idea on fwC: add vether0 with:

    inet 172.17.2.21 255.255.255.0

Need help ;-)

Thank you very much.

Wesley.