On Fri, Jun 17, 2005 at 11:29:03AM -0500, dontek wrote:
> I have just configured a VPN tunnel between two OpenBSD firewalls /
> gateways following the VPN man page nearly word-for-word. All is
> working well... mostly:
>
> On either end, on machines behind the firewall, I can connect to any
> service on any machine on the remote end.
>
> However, if I am on the firewall machines themselves, I can ping
> machines on the remote end, but service connection fails.
>
> For instance, I can ssh to a box on the remote end from a machine
> behind the firewall, but if I attempt to ssh to the same remote box
> from the firewall itself, I get a "connection refused". This is true
> on both ends.
>
> Are there additional rules I need to put into pf for this type of
> connectivity? What am I missing?
I'll guess that the ping works because you're using ping -I to specify
the source address as an internal LAN address. However, your ssh will
have the firewall's external address as its source address, and it will
not get encapsulated since there are no flows defined for gateway to
network, only network to network.

You could define additional SAs for the gateway to network connections,
but I think just adding a route pointing to your inside interface will
work. For example, if your gateway's internal address is 192.168.1.1 and
the remote network is 10.10.10.0/24, on the gateway run:

    route add 10.10.10/24 192.168.1.1

-- 
stephen
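As an added illustration of the point made in the reply above (this is not code from the thread or from OpenBSD), here is a small Python model of why the firewall's own ssh misses the network-to-network flow and why the extra route fixes it. The external address 203.0.113.1, the remote host 10.10.10.5 and the simplified source-address selection rule are assumptions; only the two networks and the gateway address come from the reply.

```python
import ipaddress

# Addresses from the reply, plus an assumed external address for the firewall.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_NET = ipaddress.ip_network("10.10.10.0/24")
GW_INTERNAL = ipaddress.ip_address("192.168.1.1")
GW_EXTERNAL = ipaddress.ip_address("203.0.113.1")   # assumed, not in the thread

# IPsec flows as set up by the VPN man page recipe: network to network only.
FLOWS = [(LOCAL_NET, REMOTE_NET)]


def flow_matches(src, dst, flows=FLOWS):
    """True if an outgoing packet src -> dst is covered by a flow (and so encapsulated)."""
    src = ipaddress.ip_address(str(src))
    dst = ipaddress.ip_address(str(dst))
    return any(src in s and dst in d for s, d in flows)


def select_source(dst, routes):
    """Simplified model of kernel source-address selection for a locally generated
    packet: use the address of the interface behind the most specific matching route.
    routes is a list of (destination network, interface address)."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, ifaddr in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaddr)
    return best[1] if best else None


# Routing table before the fix: remote traffic leaves via the external interface.
ROUTES_BEFORE = [(ipaddress.ip_network("0.0.0.0/0"), GW_EXTERNAL),
                 (LOCAL_NET, GW_INTERNAL)]
# After "route add 10.10.10/24 192.168.1.1": a more specific route via the inside address.
ROUTES_AFTER = ROUTES_BEFORE + [(REMOTE_NET, GW_INTERNAL)]


def gateway_ssh_encapsulated(routes, remote_host="10.10.10.5"):
    """Would a connection from the firewall itself to remote_host go through the tunnel?"""
    src = select_source(remote_host, routes)
    return flow_matches(src, remote_host)


if __name__ == "__main__":
    # ping -I 192.168.1.1 matches the flow; a plain ssh from the gateway does not.
    print("ping -I internal:", flow_matches(GW_INTERNAL, "10.10.10.5"))   # True
    print("ssh before route:", gateway_ssh_encapsulated(ROUTES_BEFORE))  # False
    print("ssh after route: ", gateway_ssh_encapsulated(ROUTES_AFTER))   # True
```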