On 17/06/05, Stephen Marley <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 17, 2005 at 11:29:03AM -0500, dontek wrote:
> > I have just configured a VPN tunnel between two OpenBSD firewalls /
> > gateways following the VPN man page nearly word-for-word. All is
> > working well... mostly:
> >
> > On either end, on machines behind the firewall, I can connect to any
> > service on any machine on the remote end.
> >
> > However, if I am on the firewall machines themselves, I can ping
> > machines on the remote end, but service connection fails.
> >
> > For instance, I can ssh to a box on the remote end from a machine
> > behind the firewall, but if I attempt to ssh to the same remote box
> > from the firewall itself, I get a "connection refused". This is true
> > on both ends.
> >
> > Are there additional rules I need to put into pf for this type of
> > connectivity? What am I missing?
>
> I'll guess that the ping works because you're using ping -I to specify
> the source address as an internal lan address. However your ssh will
> have the firewall's external address as its source address and it will
> not get encapsulated since there are no flows defined for gateway to
> network, only network to network.
>
> You could define additional SAs for the gateway to network connections,
> but I think just adding a route pointing to your inside interface will
> work. For example, if your gateway's internal address is 192.168.1.1 and
> the remote network is 10.10.10.0/24, on the gateway run:
> route add 10.10.10/24 192.168.1.1
>
If you use ping -I, how about ssh -b also ? /Tony
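The mechanism Stephen describes (a packet is only encapsulated if its source/destination pair matches a configured IPsec flow, and the source is chosen by the route the kernel picks unless the application forces one with `ping -I` or `ssh -b`) can be checked with a small model. The following is an added illustration, not OpenBSD's own code or data structures; the external gateway address 203.0.113.1 and the remote host 10.10.10.5 are constructed values, and the flow table assumes the plain network-to-network setup from the vpn(8) man page that the thread discusses.

```python
import ipaddress

# Constructed flow table: one network-to-network flow per direction, as set
# up by the vpn(8) walkthrough. No gateway-to-network flow exists, which is
# the point of the thread.
FLOWS = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.10.10.0/24")),
    (ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]

# Gateway addresses. 192.168.1.1 is from the thread; 203.0.113.1 is a
# constructed placeholder for the external (Internet-facing) address.
GW_INTERNAL = ipaddress.ip_address("192.168.1.1")
GW_EXTERNAL = ipaddress.ip_address("203.0.113.1")

# Route tables as (destination network, source address the kernel would use).
# Before the fix only a default route and the LAN route exist; the suggested
# "route add 10.10.10/24 192.168.1.1" adds a more specific route whose
# interface address is the internal one.
ROUTES_BEFORE = [
    (ipaddress.ip_network("0.0.0.0/0"), GW_EXTERNAL),
    (ipaddress.ip_network("192.168.1.0/24"), GW_INTERNAL),
]
ROUTES_AFTER = ROUTES_BEFORE + [
    (ipaddress.ip_network("10.10.10.0/24"), GW_INTERNAL),
]


def pick_source(dst, routes):
    """Model of source address selection: longest-prefix route match wins,
    and the packet takes that route's interface address as its source."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, src in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def flow_match(src, dst, flows=FLOWS):
    """True if a packet src->dst matches an IPsec flow (and so gets encapsulated)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in flows)


def would_encapsulate(dst, routes, explicit_src=None):
    """Decide whether traffic to dst is tunnelled.

    explicit_src models an application forcing its source address
    (ping -I / ssh -b); otherwise the route table decides the source.
    """
    src = ipaddress.ip_address(explicit_src) if explicit_src else pick_source(dst, routes)
    return flow_match(src, dst)


if __name__ == "__main__":
    remote = "10.10.10.5"  # constructed remote host
    print("LAN host -> remote:           ", flow_match("192.168.1.50", remote))
    print("gateway ssh, before route add:", would_encapsulate(remote, ROUTES_BEFORE))
    print("gateway ssh -b 192.168.1.1:   ", would_encapsulate(remote, ROUTES_BEFORE, "192.168.1.1"))
    print("gateway ssh, after route add: ", would_encapsulate(remote, ROUTES_AFTER))
```

The model reproduces the observed behaviour: hosts behind the firewall match the flow, the gateway's own ssh with the external source address does not, forcing the internal source with `-b` (or `-I` for ping) makes it match, and the added route achieves the same result for every application without per-command flags. It is also a useful sanity check when reviewing a flow table: any traffic whose selected source address falls outside every flow will leave the gateway in the clear.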