Is vpnc working on the OpenBSD box and just not routing for your internal network? Your pf.conf looks ok to me for the NAT part. Have you made sure net.inet.esp.enable=0 is in your sysctl.conf?
On Wed, Jun 4, 2008 at 8:15 AM, Matt Garman <[EMAIL PROTECTED]> wrote: > On Wed, Jun 04, 2008 at 02:08:02PM +1000, Rod Whitworth wrote: >> On Tue, 3 Jun 2008 22:49:10 -0500, Matt Garman wrote: >> >I've been using the "vpnc" program on Linux to connect to my >> >employer's network. The program also exists for OpenBSD, and >> >works great for my needs. >> > >> >I use my OpenBSD (3.9) install as a typical internet gateway, >> >firewall, NAT box. My pf script is virtually identical to the >> >example on the webpage. >> > >> >What I'd like to do is have my OBSD box to NAT on the tun device >> >(VPN tunnel). I.e., so I can use the VPN connection seamlessly >> >from any system on my home network. >> >> First thing you need to do is to get up to date with at least 4.3 >> installed. Nothing but 4.2 and 4.3 is supported. > > I've had the 4.2 CDs sitting on my desk for months now, just haven't > gotten around to installing! I'm hoping that my configuration and > question are simple enough that the version discrepancy won't > matter. > >> Then you need to realise that nobody here has ESP , so it's a bit >> hard to tell you what to change when your pf.conf is only hinted >> at. There are lots of pf.conf examples on webpages. > > Sorry, I meant to post it... it was late, and I was sleepy. It's > virtually identical to the example pf.conf on the OBSD web page > (http://openbsd.org/faq/pf/example1.html). You can see what I > added---lines with the vpn_if and vpn_addr macros, in an attempt to > get the functionality I want. > > Thanks again, > Matt > > > # macros > ext_if="vr0" > int_if="vr1" > vpn_if="tun0" > vpn_addr="192.168.187.0/24" > > tcp_services="{ 22, 113 }" > icmp_types="echoreq" > > # options > set block-policy return > set loginterface $ext_if > > set skip on lo > > # scrub > scrub in > > # nat/rdr > nat on $vpn_if from $int_if to $vpn_addr -> ($vpn_if) > nat on $ext_if from !($ext_if) -> ($ext_if:0) > nat-anchor "ftp-proxy/*" > rdr-anchor "ftp-proxy/*" > > # filter rules > block in > > pass out keep state > > anchor "ftp-proxy/*" > antispoof quick for { lo $int_if } > > pass in on $ext_if inet proto tcp from any to ($ext_if) \ > port $tcp_services flags S/SA keep state > pass in on $vpn_if inet proto tcp from any to ($vpn_if) \ > port $tcp_services flags S/SA keep state > > pass in inet proto icmp all icmp-type $icmp_types keep state > > pass quick on $int_if
