I have two OpenBSD NAT / router machines and I am trying to successfully get a VPN going between the two. OpenBSD box A is OpenBSD 3.9, with internal network 192.168.0.0/24 and external address 1.2.3.4 (or something like that). OpenBSD box B is OpenBSD 3.8, with internal network 192.168.51.0/24 and external address 4.3.2.1. So far I have followed the instructions in the vpn(8) man page, and have partially succeeded in configuring a VPN between the two using the manual keys / ipsecctl / ipsec.conf method. My ipsec.conf from gateway A is:
    # flow: the traffic between the two internal networks that has to be
    # protected, and the remote gateway that terminates the tunnel
    flow esp from 192.168.0.0/24 to 192.168.51.0/24 peer 4.3.2.1

    # esp: the manually keyed SA between the two external addresses; the SPI
    # and key-file pairs are one per direction and mirrored on the other end
    esp from 1.2.3.4 to 4.3.2.1 spi 0x80081355:0x13558008 \
        auth hmac-sha2-512 enc 3des-cbc \
        authkey file "/etc/ipsec/auth_key.puffy:/etc/ipsec/auth_key.uptowns" \
        enckey file "/etc/ipsec/enc_key.puffy:/etc/ipsec/enc_key.uptowns"

and my ipsec.conf from gateway B is:

    # same flow, seen from B's side
    flow esp from 192.168.51.0/24 to 192.168.0.0/24 peer 1.2.3.4

    # same SA with endpoints, SPI pair and key-file pairs reversed
    esp from 4.3.2.1 to 1.2.3.4 spi 0x13558008:0x80081355 \
        auth hmac-sha2-512 enc 3des-cbc \
        authkey file "/etc/ipsec/auth_key.uptowns:/etc/ipsec/auth_key.puffy" \
        enckey file "/etc/ipsec/enc_key.uptowns:/etc/ipsec/enc_key.puffy"

My pf.conf on both boxes is configured in a manner similar to the scenario described in the vpn man page.

When I issue the following from gateway A:

    ping -I 192.168.0.1 192.168.51.1

pings are successful, and when I do a tcpdump on the esp interface the traffic does indeed appear to be traversing the esp interface.

The problem is that when I try to ping any machine in 192.168.51.0/24 (gateway B's internal network) from network A, other than the gateway itself (192.168.51.1), ping doesn't work. The same is true for pinging from network B to 192.168.0.0/24, except for gateway A itself, and even then only from the gateway B machine.

So basically, IPsec / VPN appears to be working, but for some reason traffic from other hosts behind these gateways isn't being forwarded. Where should I begin to look for the problem?

I have pf set to log anything blocked, and looking at pflog doesn't show any relevant traffic being blocked. NAT is being used on both of these gateways, and all boxes inside each respective gateway are able to reach the internet without problems.

Thanks in advance,
Nathan Johnson
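
Since the post ends at the question, here is an added example (my own code, not the poster's and not part of OpenBSD) of the first offline check I would run on a manually keyed pair like this: parse both ipsec.conf files and confirm that everything which has to mirror between the two ends actually does (SA endpoints, SPI pair, algorithms, key-file pair, flow selectors and peers), then ask which flow covers a given packet. The function names (parse_ipsec_conf, check_pair, flow_for) are mine; the two configurations embedded below are the ones quoted in the post. The last lookup is there for one thing the post makes worth ruling out: a packet whose source has already been rewritten to the gateway's external address (1.2.3.4) matches no flow selector from 192.168.0.0/24, so a pf NAT rule that can also catch traffic bound for the remote network is an early thing to verify; this script cannot tell you whether that is happening, only that the selectors would not cover such a packet.

```python
"""Mirror-check for a pair of manually keyed OpenBSD ipsec.conf files.

Added example, not from the post above: parses the 'flow' and 'esp' lines of
both gateways, reports whatever fails to mirror between the two ends, and
answers which flow (if any) covers a given src -> dst packet.
"""
import ipaddress
import shlex

# The two configurations quoted in the post, on the lines ipsecctl(8) reads
# (gateway A = puffy at 1.2.3.4, gateway B = uptowns at 4.3.2.1).
IPSEC_CONF_A = """\
flow esp from 192.168.0.0/24 to 192.168.51.0/24 peer 4.3.2.1
esp from 1.2.3.4 to 4.3.2.1 spi 0x80081355:0x13558008 \\
    auth hmac-sha2-512 enc 3des-cbc \\
    authkey file "/etc/ipsec/auth_key.puffy:/etc/ipsec/auth_key.uptowns" \\
    enckey file "/etc/ipsec/enc_key.puffy:/etc/ipsec/enc_key.uptowns"
"""
IPSEC_CONF_B = """\
flow esp from 192.168.51.0/24 to 192.168.0.0/24 peer 1.2.3.4
esp from 4.3.2.1 to 1.2.3.4 spi 0x13558008:0x80081355 \\
    auth hmac-sha2-512 enc 3des-cbc \\
    authkey file "/etc/ipsec/auth_key.uptowns:/etc/ipsec/auth_key.puffy" \\
    enckey file "/etc/ipsec/enc_key.uptowns:/etc/ipsec/enc_key.puffy"
"""

KEYWORDS = ("from", "to", "peer", "spi", "auth", "enc", "authkey", "enckey")


def _keyed(tokens):
    """Turn 'from A to B spi C authkey file D ...' into a dict (file -> path)."""
    out, i = {}, 0
    while i < len(tokens):
        key, val = tokens[i], tokens[i + 1]
        if key not in KEYWORDS:
            raise ValueError("unexpected token %r" % key)
        if val == "file":            # authkey file "x:y" / enckey file "x:y"
            val = tokens[i + 2]
            i += 1
        out[key] = val
        i += 2
    return out


def parse_ipsec_conf(text):
    """Return (flows, sas): lists of dicts for 'flow' and 'esp'/'ah' rules."""
    flows, sas = [], []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        tok = shlex.split(line)                          # honours the quotes
        if tok[0] == "flow":
            rule = _keyed(tok[2:]); rule["proto"] = tok[1]; flows.append(rule)
        elif tok[0] in ("esp", "ah"):
            rule = _keyed(tok[1:]); rule["proto"] = tok[0]; sas.append(rule)
        else:
            raise ValueError("unsupported rule: %s" % line)
    return flows, sas


def flow_for(flows, src, dst):
    """First flow whose selectors cover src -> dst, or None if nothing does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if s in ipaddress.ip_network(f["from"]) and d in ipaddress.ip_network(f["to"]):
            return f
    return None


def check_pair(conf_a, conf_b):
    """List what fails to mirror between gateways A and B; [] means consistent."""
    flows_a, sas_a = parse_ipsec_conf(conf_a)
    flows_b, sas_b = parse_ipsec_conf(conf_b)
    if len(sas_a) != 1 or len(sas_b) != 1:
        return ["expected exactly one manual SA per gateway"]
    a, b, problems = sas_a[0], sas_b[0], []
    if (b["from"], b["to"]) != (a["to"], a["from"]):
        problems.append("SA endpoints: A %s->%s, B %s->%s" % (a["from"], a["to"], b["from"], b["to"]))
    # SPI and key-file pairs are per direction, so B must list A's pair reversed.
    # (This only checks the file names; compare the file contents out of band.)
    for k in ("spi", "authkey", "enckey"):
        if b[k].split(":") != a[k].split(":")[::-1]:
            problems.append("%s pair not reversed: A %s, B %s" % (k, a[k], b[k]))
    for k in ("auth", "enc"):
        if a[k] != b[k]:
            problems.append("%s algorithm: A %s, B %s" % (k, a[k], b[k]))
    # Each flow on A needs the reverse flow on B, and each end's 'peer' must be
    # the other gateway's SA endpoint.
    for fa in flows_a:
        if fa["peer"] != a["to"]:
            problems.append("A flow %s->%s peers %s, SA goes to %s" % (fa["from"], fa["to"], fa["peer"], a["to"]))
        mirror = [fb for fb in flows_b if (fb["from"], fb["to"]) == (fa["to"], fa["from"])]
        if not mirror:
            problems.append("no reverse flow on B for %s->%s" % (fa["from"], fa["to"]))
        elif mirror[0]["peer"] != a["from"]:
            problems.append("B flow %s->%s peers %s, expected %s" % (fa["to"], fa["from"], mirror[0]["peer"], a["from"]))
    return problems


if __name__ == "__main__":
    print("mirror problems:", check_pair(IPSEC_CONF_A, IPSEC_CONF_B) or "none")
    flows_a, _ = parse_ipsec_conf(IPSEC_CONF_A)
    for src in ("192.168.0.50", "1.2.3.4"):   # internal host vs. NAT'd source
        print(src, "-> 192.168.51.20 covered by:", flow_for(flows_a, src, "192.168.51.20"))
```

Run it with both files copied from the gateways in place of the embedded strings; an empty problem list says the two ends agree on paper, after which the remaining questions are on the live boxes (ipsecctl -sa and -sf for what the kernel actually loaded, tcpdump on enc0 on both ends for which direction the plaintext is missing, and the pf NAT rules for what they catch).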

