Christiano: Thanks for your help. So, if I am understanding correctly, I need to create the following routes on the branch office router (OpenBSD):

route change -net 0.0.0.0/0 172.16.254.2   # I tried using 10.40.60.1 as the gateway and I got a network unreachable error
route add -host 172.16.254.2 A.B.C.D.E

My setup is using a GRE tunnel. I have the GRE tunnel endpoints configured on a /30 subnet. There might be a gap in my understanding.

Thank you again,
Matt

On 12 April 2011 23:53, Matt S <maschwa...@yahoo.com> wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 <gateway> which didn't
> work well. I think it might have to do with NAT. The main office is
> doing the NAT. Perhaps I need some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table <bruteforce> persist
> table <trustednets> {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from <trustednets> to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from <bruteforce>
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
> pass on em0 from <trustednets> to any
>
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>

I do that with openvpn. You need to add a default route to the other VPN end (so that all traffic goes through the tunnel). Then you add a host route to the external address of the other end via the local gateway (so that the tunnel will work). Since host routes have priority over network routes, this works fine. You obviously need to NAT the incoming traffic from the tunnel to the outside world.
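Added example, not from the thread or from either poster: a small sh script that prints the two route(8) commands Christiano describes for the branch router, in an order that keeps the tunnel up while the default route is moved into it. The main office public address (A.B.C.D in the thread), its gre0 address (172.16.254.1) and the branch office's own upstream gateway (not given in the thread) are passed in as parameters; the addresses used in the dry run are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the branch-router routes for
# "everything through the tunnel" as a dry run, so the order and the role of
# each address can be checked before anything is typed on the router.
#   PEER_EXT    main office public address      (A.B.C.D in the thread)
#   TUN_REMOTE  main office gre0 address        (172.16.254.1 in the thread)
#   ISP_GW      branch office upstream gateway  (placeholder, not in the thread)

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac   # digits and dots only (also avoids globbing below)
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# branch_vpn_routes PEER_EXT TUN_REMOTE ISP_GW
# Host route first: the IPsec/GRE packets that carry the tunnel must keep
# leaving via the ISP link. Only then is the default route pointed at the
# tunnel; doing it the other way round would, for a moment, send the peer's
# ESP traffic into the very tunnel it carries.
branch_vpn_routes() {
    peer=$1; tun=$2; gw=$3
    for a in "$peer" "$tun" "$gw"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    # The host route's destination is the peer's public address, never a
    # tunnel endpoint: the /30 tunnel addresses are not reachable on the ISP link.
    if [ "$peer" = "$tun" ] || [ "$gw" = "$tun" ]; then
        echo "tunnel address must differ from peer and local gateway" >&2
        return 1
    fi
    printf 'route add -host %s %s\n' "$peer" "$gw"
    printf 'route change -net 0.0.0.0/0 %s\n' "$tun"
}

# branch_vpn_routes_undo PEER_EXT ISP_GW: reverse the change, default route
# first so the box is reachable again before the host route disappears.
branch_vpn_routes_undo() {
    printf 'route change -net 0.0.0.0/0 %s\n' "$2"
    printf 'route delete -host %s\n' "$1"
}

# Dry run with constructed addresses; review the output before running it on the router.
branch_vpn_routes 203.0.113.10 172.16.254.1 192.0.2.1
```

The printed commands are the only thing the script produces; nothing is applied until you run them yourself, and the undo function gives the exact reverse sequence.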