Hello,
I am lost in a routing problem or a very simple NAT trouble I can't
resolve. OpenBSD 4.0 GENERIC kernel except for the RAID. My network
looks like this:
ISP -- router1 -- VPN -- router2 (em1:  193.189.180.129)
                                 (bge1: 10.1.1.11)
It looks like NAT isn't working. Test:
# ping -I 10.1.1.11 -c2 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
The packets are arriving on my ext_if but are not going into the tunnel.
# tcpdump -i em1 icmp
tcpdump: listening on em1, link-type EN10MB
23:54:14.180023 193.189.180.129 > fk-in-f147.google.com: icmp: echo request
23:54:15.190011 193.189.180.129 > fk-in-f147.google.com: icmp: echo request
23:54:16.200010 193.189.180.129 > fk-in-f147.google.com: icmp: echo request
ping -c2 209.85.129.147 from ext_if works just fine.
# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
00:02:13.582222 (authentic,confidential): SPI 0xceaad5b0: 193.189.180.129 > fk-in-f147.google.com: icmp: echo request (encap)
00:02:13.582255 (authentic,confidential): SPI 0x1bbc2fc6: esp 172.16.16.6 > 172.16.15.6 spi 0xCEAAD5B0 seq 648 len 132 (encap)
00:02:13.618286 (authentic,confidential): SPI 0x3bf920e4: esp 172.16.15.6 > 172.16.16.6 spi 0x127C2A0B seq 639 len 132 (encap)
00:02:13.618304 (authentic,confidential): SPI 0x127c2a0b: fk-in-f147.google.com > 193.189.180.129: icmp: echo reply (encap)
00:02:14.590019 (authentic,confidential): SPI 0xceaad5b0: 193.189.180.129 > fk-in-f147.google.com: icmp: echo request (encap)
I am not sure what (and if) I should set mygate to. I set it to
193.189.180.129, which is the same as ext_if??? Any hint for me?
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# pfctl -e
pfctl: pf already enabled
pf.conf:
================================
ext_if="em1"
int_if="bge1"
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Translate everything from the internal LAN leaving em1 to em1's primary address
nat on $ext_if from $int_if:network to any -> ($ext_if:0)
# Send outbound FTP from the LAN through ftp-proxy(8)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Hand SMTP from listed spammers and from anyone not whitelisted to spamd(8)
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd
anchor "ftp-proxy/*"
# No filtering at all: everything in and out is allowed
pass in quick all
pass out quick all
================================
Routing tables

Internet:
Destination          Gateway            Flags  Refs  Use   Mtu    Interface
default              193.189.180.129    UGS    2     2709  -      em1
10.1.1/24            link#4             UC     2     0     -      bge1
127/8                127.0.0.1          UGRS   0     0     33224  lo0
127.0.0.1            127.0.0.1          UH     1     0     33224  lo0
172.16.15.6          172.16.16.5        UGHS   2     583   -      bge0
172.16.16.4/30       link#3             UC     1     0     -      bge0
172.16.16.5          00:90:69:c2:7c:00  UHLc   1     0     -      bge0
193.189.180.128/27   link#2             UC     30    0     -      em1
193.189.180.129      00:04:23:d4:fc:17  UHLc   1     0     -      lo0
193.189.180.130      00:50:04:68:1d:86  UHLc   0     2     -      em1
224/4                127.0.0.1          URS    0     0     33224  lo0

Encap:
Source               Port  Destination          Port  Proto  SA(Address/Proto/Type/Direction)
172.16.15.6/32       0     172.16.16.6/32       0     0      172.16.15.6/esp/use/in
172.16.16.6/32       0     172.16.15.6/32       0     0      172.16.15.6/esp/require/out
default              0     193.189.180.128/27   0     0      172.16.15.6/esp/use/in
193.189.180.128/27   0     default              0     0      172.16.15.6/esp/require/out
Mitja
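An added worked example (not part of Mitja's mail, and not OpenBSD code): the routing table and the Encap (SPD) table posted above are copied into a small Python script that performs a longest-prefix-match route lookup and a simplified flow lookup, so the path of the test ping can be read off the tables rather than guessed. The matching logic (most-specific prefix wins; for flows, the sum of source and destination prefix lengths as the specificity score) is this example's own simplification of the kernel's radix-tree lookups, and the NAT step is modelled only as a source-address rewrite; both are assumptions of the example, not facts from the post.

```python
"""Route and IPsec-flow lookup over the tables quoted in the mail above.

Added example: models OpenBSD's longest-prefix route lookup and a
simplified SPD (flow) lookup. Tables are transcribed from the post;
the matching rules below are a simplification (assumption).
"""
import ipaddress

# Routing table from the post: (destination, gateway, interface).
ROUTES = [
    ("default",            "193.189.180.129",   "em1"),
    ("10.1.1.0/24",        "link#4",            "bge1"),
    ("127.0.0.0/8",        "127.0.0.1",         "lo0"),
    ("127.0.0.1/32",       "127.0.0.1",         "lo0"),
    ("172.16.15.6/32",     "172.16.16.5",       "bge0"),
    ("172.16.16.4/30",     "link#3",            "bge0"),
    ("172.16.16.5/32",     "00:90:69:c2:7c:00", "bge0"),
    ("193.189.180.128/27", "link#2",            "em1"),
    ("193.189.180.129/32", "00:04:23:d4:fc:17", "lo0"),
    ("193.189.180.130/32", "00:50:04:68:1d:86", "em1"),
    ("224.0.0.0/4",        "127.0.0.1",         "lo0"),
]

# Encap (SPD) table from the post: (source, destination, SA peer, level, direction).
FLOWS = [
    ("172.16.15.6/32",     "172.16.16.6/32",     "172.16.15.6", "use",     "in"),
    ("172.16.16.6/32",     "172.16.15.6/32",     "172.16.15.6", "require", "out"),
    ("0.0.0.0/0",          "193.189.180.128/27", "172.16.15.6", "use",     "in"),
    ("193.189.180.128/27", "0.0.0.0/0",          "172.16.15.6", "require", "out"),
]


def _net(s):
    """Turn a netstat-style destination ("default", "10.1.1/24" expanded) into a network."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "default" else s, strict=False)


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, ifp in ROUTES:
        net = _net(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifp)
    return (best[1], best[2]) if best else None


def lookup_flow(src, dst, direction):
    """Most specific SPD entry covering src->dst for 'in' or 'out'.

    Returns (SA peer, level) or None. Specificity is the sum of the two
    prefix lengths (assumption; the kernel uses a radix tree over src/dst).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for fsrc, fdst, peer, level, fdir in FLOWS:
        if fdir != direction:
            continue
        sn, dn = _net(fsrc), _net(fdst)
        if s in sn and d in dn:
            score = sn.prefixlen + dn.prefixlen
            if best is None or score > best[0]:
                best = (score, peer, level)
    return (best[1], best[2]) if best else None


def trace(src, dst, nat_src=None):
    """Route and outbound-flow decision for src->dst, optionally after NAT to nat_src."""
    gw, ifp = lookup_route(dst)
    eff_src = nat_src or src
    return {
        "route_if": ifp,
        "gateway": gw,
        "src_after_nat": eff_src,
        "flow": lookup_flow(eff_src, dst, "out"),
    }


if __name__ == "__main__":
    # The test ping from the mail: source 10.1.1.11, destination 209.85.129.147.
    print("before NAT:", trace("10.1.1.11", "209.85.129.147"))
    print("after NAT: ", trace("10.1.1.11", "209.85.129.147", nat_src="193.189.180.129"))
    # Return path of the echo reply as seen on enc0.
    print("reply flow:", lookup_flow("209.85.129.147", "193.189.180.129", "in"))
```

What the tables say: the destination 209.85.129.147 falls under the default route via 193.189.180.129 on em1, and 193.189.180.129 itself resolves to a host route on lo0, i.e. the "gateway" is the box itself. With its original source 10.1.1.11 the packet matches no outbound flow, but once NAT has rewritten the source to 193.189.180.129 it matches the `193.189.180.128/27 -> default esp/require/out` entry and must go through the tunnel, which is exactly what the enc0 capture shows. The reply to 193.189.180.129 matches the `default -> 193.189.180.128/27 esp/use/in` entry. The script stops there; what happens to the reply after decapsulation is not something the posted tables can show.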