I think that the patch works but I can't ping from the 10.0.0.0/24 network to 10.0.1.0/24.
I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50 (loopback1) and 10.0.0.254 (inside if). From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to 10.0.1.254 and from 10.0.0.50 (ping -I 10.0.0.50) to 10.0.1.254. I can't ping from 172.26.10.82 or from the 10.0.0.1 machine.

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pcn0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:f0:70:e0
        groups: egress
        media: Ethernet autoselect (autoselect)
        inet 172.26.10.82 netmask 0xffffff00 broadcast 172.26.10.255
        inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
pcn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:f0:70:ea
        media: Ethernet autoselect (autoselect)
        inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 10.0.0.50 netmask 0xff000000

------------------

# cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pcn0"
int_if="pcn1"

#table <spamd-white> persist

set skip on { lo $int_if enc0 }

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"

# Default Deny Rule
block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

# OpenSSH Access
pass in on $ext_if proto tcp to ($ext_if) port ssh

# SMTP Access
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

# Lan Access
pass on $int_if all

# IPSec Tunnel to ISA Server
pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83

# Outbound Access
pass out keep state

-----------------------------------

# cat /etc/ipsec.conf
#	$OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

# Set up two tunnels using automatic keying with isakmpd(8):
#
# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
# second between the machines 192.168.3.1 and 192.168.3.2.
# Use FQDNs as IDs.
#ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
#	srcid me.mylan.net dstid the.others.net
#ike esp from 192.168.3.1 to 192.168.3.2 \
#	srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rule sets up the flow; the second sets up the SA.  As default
# transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
# and aes for encryption.  hmac-sha2-256 uses a 256-bit key; aes
# a 128-bit key.
#flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
#esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
#	authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
#	enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group modp1024 \
	psk teste tag teste

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you try the attached diff, please?
>
> Index: message.c
> ===================================================================
> RCS file: /cvs/src/sbin/isakmpd/message.c,v
> retrieving revision 1.126
> diff -u -p -r1.126 message.c
> --- message.c 2 Jun 2007 01:29:11 -0000 1.126
> +++ message.c 3 Sep 2007 22:30:46 -0000
> @@ -927,6 +927,7 @@ message_validate_notify(struct message *
> if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE ||
> (type >= ISAKMP_NOTIFY_RESERVED_MIN &&
> type < ISAKMP_NOTIFY_PRIVATE_MIN) ||
> + type == ISAKMP_NOTIFY_STATUS_CONNECTED ||
> (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN &&
> type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) ||
> (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN &&
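Review bot: the added `type == ISAKMP_NOTIFY_STATUS_CONNECTED ||` clause is the only part of this condition in message_validate_notify that singles out one well-defined status type; every other clause rejects a reserved or out-of-range value, so nothing in the code tells a later reader why a CONNECTED notification from a peer should fail validation. Put a one-line comment above the added line giving the reason (the interoperability case being debugged in this thread, and that isakmpd does not act on CONNECTED), otherwise the exception looks like a mistake and risks being removed. The quoted context stops before the body of the if, so the diff as shown does not say what happens to the message once the clause matches; if the peer's notification is refused with an error notify rather than quietly ignored, that behaviour should be checked against the peer that sends CONNECTED, given that the report above is that the negotiation now completes while traffic from the 10.0.0.0/24 hosts still does not pass.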