Oh, and the tunnel is only activated when the ISA network tries to access the OBSD network. It doesn't work the other way around.
On 9/5/07, José Costa <[EMAIL PROTECTED]> wrote:
> I think that the patch works but I can't ping from the 10.0.0.0/24
> network to 10.0.1.0/24.
>
> I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
> (loopback1) and 10.0.0.254 (inside if).
>
> From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
> 10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.
>
> I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> pcn0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0c:29:f0:70:e0
>         groups: egress
>         media: Ethernet autoselect (autoselect)
>         inet 172.26.10.82 netmask 0xffffff00 broadcast 172.26.10.255
>         inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
> pcn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0c:29:f0:70:ea
>         media: Ethernet autoselect (autoselect)
>         inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
>         inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet 10.0.0.50 netmask 0xff000000
>
> ------------------
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="pcn0"
> int_if="pcn1"
>
> #table <spamd-white> persist
>
> set skip on { lo $int_if enc0 }
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #	-> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
>
> # Default Deny Rule
> block in
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> # OpenSSH Access
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> # SMTP Access
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> # Lan Access
> pass on $int_if all
>
> # IPSec Tunnel to ISA Server
> pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
> pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
> pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
> pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83
>
> # Outbound Access
> pass out keep state
>
> -----------------------------------
>
> # cat /etc/ipsec.conf
> # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> #
> # See ipsec.conf(5) for syntax and examples.
>
> # Set up two tunnels using automatic keying with isakmpd(8):
> #
> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
> # second between the machines 192.168.3.1 and 192.168.3.2.
> # Use FQDNs as IDs.
>
> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> #	srcid me.mylan.net dstid the.others.net
> #ike esp from 192.168.3.1 to 192.168.3.2 \
> #	srcid me.mylan.net dstid the.others.net
>
> # Set up a tunnel using static keying:
> #
> # The first rule sets up the flow; the second sets up the SA. As default
> # transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
> # and aes for encryption. hmac-sha2-256 uses a 256-bit key; aes
> # a 128-bit key.
>
> #flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
> #esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
> #	authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
> #	enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
>	main auth hmac-sha1 enc 3des group modp1024 \
>	quick auth hmac-sha1 enc 3des group modp1024 \
>	psk teste tag teste
>
>
> On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > could you try the attached diff, please?
> >
> > Index: message.c > > =================================================================== > > RCS file: /cvs/src/sbin/isakmpd/message.c,v > > retrieving revision 1.126 > > diff -u -p -r1.126 message.c > > --- message.c 2 Jun 2007 01:29:11 -0000 1.126 > > +++ message.c 3 Sep 2007 22:30:46 -0000 > > @@ -927,6 +927,7 @@ message_validate_notify(struct message * > > if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE || > > (type >= ISAKMP_NOTIFY_RESERVED_MIN && > > type < ISAKMP_NOTIFY_PRIVATE_MIN) || > > + type == ISAKMP_NOTIFY_STATUS_CONNECTED || > > (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN && > > type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) || > > (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN &&
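Review bot: the added test `type == ISAKMP_NOTIFY_STATUS_CONNECTED ||` in message_validate_notify() is a single named status type dropped into a chain of range checks on reserved and private notification types (`type >= ISAKMP_NOTIFY_RESERVED_MIN && type < ISAKMP_NOTIFY_PRIVATE_MIN`, `type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN && type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX`), and the hunk ends before the body of the if, so nothing in the diff says why a defined status notification is grouped with the reserved ranges or what the matching branch does with it; a one-line comment above the added test naming the peer behaviour that prompted it would keep the next reader from treating it as a stray line, and a log message distinguishing this case from the reserved-range rejections would make the effect visible in isakmpd's output. The thread also reports that with the patch applied the tunnel comes up only when the ISA side initiates and hosts in 10.0.0.0/24 still cannot reach 10.0.1.0/24, which this hunk cannot address on its own since it touches only notification-payload validation, so the commit message should state the narrower problem it fixes.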