Oh, and the tunnel is only activated when ISA network tries to access
OBSD network. In the other way doesn't work.
On 9/5/07, JosC) Costa <[EMAIL PROTECTED]> wrote:
> I think that the patch works but I can't ping from the 10.0.0.0/24
> network to 10.0.1.0/24.
>
> I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
> (loopback1) and 10.0.0.254 (inside if).
>
> From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
> 10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.
>
> I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> pcn0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:0c:29:f0:70:e0
> groups: egress
> media: Ethernet autoselect (autoselect)
> inet 172.26.10.82 netmask 0xffffff00 broadcast 172.26.10.255
> inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
> pcn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:0c:29:f0:70:ea
> media: Ethernet autoselect (autoselect)
> inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
> inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
> groups: lo
> inet 10.0.0.50 netmask 0xff000000
>
> ------------------
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="pcn0"
> int_if="pcn1"
>
> #table <spamd-white> persist
>
> set skip on { lo $int_if enc0 }
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> # -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
>
> # Default Deny Rule
> block in
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> # OpenSSH Access
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> # SMTP Access
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> # Lan Access
> pass on $int_if all
>
> # IPSec Tunnel to ISA Server
> pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
> pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
> pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
> pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83
>
> # Outbound Access
> pass out keep state
>
> -----------------------------------
>
> # cat /etc/ipsec.conf
> # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> #
> # See ipsec.conf(5) for syntax and examples.
>
> # Set up two tunnels using automatic keying with isakmpd(8):
> #
> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
> # second between the machines 192.168.3.1 and 192.168.3.2.
> # Use FQDNs as IDs.
>
> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> # srcid me.mylan.net dstid the.others.net
> #ike esp from 192.168.3.1 to 192.168.3.2 \
> # srcid me.mylan.net dstid the.others.net
>
> # Set up a tunnel using static keying:
> #
> # The first rule sets up the flow; the second sets up the SA. As default
> # transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
> # and aes for encryption. hmac-sha2-256 uses a 256-bit key; aes
> # a 128-bit key.
>
> #flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
> #esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
> # authkey
> 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
> \
> # enckey
> 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group modp1024 \
> psk teste tag teste
>
>
> On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > could you try the attached diff, please?
> >
> > Index: message.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/isakmpd/message.c,v
> > retrieving revision 1.126
> > diff -u -p -r1.126 message.c
> > --- message.c 2 Jun 2007 01:29:11 -0000 1.126
> > +++ message.c 3 Sep 2007 22:30:46 -0000
> > @@ -927,6 +927,7 @@ message_validate_notify(struct message *
> > if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE ||
> > (type >= ISAKMP_NOTIFY_RESERVED_MIN &&
> > type < ISAKMP_NOTIFY_PRIVATE_MIN) ||
> > + type == ISAKMP_NOTIFY_STATUS_CONNECTED ||
> > (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN &&
> > type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) ||
> > (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN &&
