On 12 April 2011 23:53, Matt S <maschwa...@yahoo.com> wrote:
> Hello @misc:
>
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working beautifully.
>  However, I would like the remote site to route all of its traffic through the
> VPN.  After googling, I seemed to come up with a suggestion to do a route change
> -net 0.0.0.0/0 <gateway> which didn't work well.  I think it might have to do
> with NAT.  The main office is doing the NAT.  Perhaps I need some sort of NAT
> traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table <bruteforce> persist
> table <trustednets> {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from <trustednets> to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from <bruteforce>
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
> pass on em0 from <trustednets> to any
>
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>
>

I do that with openvpn.
You need to add a default route to the other VPN end (so that all
traffic goes through the tunnel).
Then you add a host route to the external address of the other end via
the local gateway (so that the tunnel will work).
Since host routes have priority over network routes, this works fine.
You obviously need to NAT the incoming traffic from the tunnel to the
outside world.
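A small longest-prefix-match model of the branch-office routing table the reply describes, added here as an illustration and not part of the original thread: it shows why the /32 host route to the peer's external address keeps the encapsulated tunnel packets off the tunnel itself once 0.0.0.0/0 points into gre0. The public addresses (198.51.100.10 for A.B.C.D, 203.0.113.1 for the branch ISP gateway) and the uplink name em0 are constructed stand-ins.

```python
"""Longest-prefix-match model of the branch-office routing table.
Added example, not from the original thread.  Public addresses are
constructed RFC 5737 documentation values standing in for A.B.C.D and
the branch ISP gateway; the uplink interface name is assumed."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


MAIN_OFFICE_EXT = "198.51.100.10"   # constructed stand-in for A.B.C.D
ISP_GATEWAY = "203.0.113.1"         # constructed stand-in for the branch default gateway


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins).
    This is the rule that lets a /32 host route beat 0.0.0.0/0."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def branch_table(with_host_route: bool = True) -> List[Route]:
    """Branch routes after following the reply: default via the tunnel,
    the main-office LAN from hostname.gre0, the gre0 link net, and
    (optionally) the host route for the peer's outer address."""
    table = [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "172.16.254.1", "gre0"),
        Route(ipaddress.IPv4Network("10.40.60.0/24"), "172.16.254.1", "gre0"),
        Route(ipaddress.IPv4Network("172.16.254.0/30"), "172.16.254.2", "gre0"),
    ]
    if with_host_route:
        table.append(Route(ipaddress.IPv4Network(MAIN_OFFICE_EXT + "/32"), ISP_GATEWAY, "em0"))
    return table


def tunnel_is_reachable(table: List[Route], outer_dst: str, tunnel_iface: str = "gre0") -> bool:
    """The encapsulated (outer) packets to the peer must leave via the real
    uplink; if they resolve to the tunnel interface, the tunnel eats itself."""
    r = lookup(table, outer_dst)
    return r is not None and r.iface != tunnel_iface
```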
