Is vpnc working on the OpenBSD box and just not routing for your
internal network?  Your pf.conf looks ok to me for the NAT part.  Have
you made sure net.inet.esp.enable=0 is in your sysctl.conf?

On Wed, Jun 4, 2008 at 8:15 AM, Matt Garman <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 04, 2008 at 02:08:02PM +1000, Rod Whitworth wrote:
>> On Tue, 3 Jun 2008 22:49:10 -0500, Matt Garman wrote:
>> >I've been using the "vpnc" program on Linux to connect to my
>> >employer's network.  The program also exists for OpenBSD, and
>> >works great for my needs.
>> >
>> >I use my OpenBSD (3.9) install as a typical internet gateway,
>> >firewall, NAT box.  My pf script is virtually identical to the
>> >example on the webpage.
>> >
>> >What I'd like to do is have my OBSD box to NAT on the tun device
>> >(VPN tunnel).  I.e., so I can use the VPN connection seamlessly
>> >from any system on my home network.
>>
>> First thing you need to do is to get up to date with at least 4.3
>> installed.  Nothing but 4.2 and 4.3 is supported.
>
> I've had the 4.2 CDs sitting on my desk for months now, just haven't
> gotten around to installing!  I'm hoping that my configuration and
> question are simple enough that the version discrepancy won't
> matter.
>
>> Then you need to realise that nobody here has ESP, so it's a bit
>> hard to tell you what to change when your pf.conf is only hinted
>> at. There are lots of pf.conf examples on webpages.
>
> Sorry, I meant to post it... it was late, and I was sleepy.  It's
> virtually identical to the example pf.conf on the OBSD web page
> (http://openbsd.org/faq/pf/example1.html).  You can see what I
> added---lines with the vpn_if and vpn_addr macros, in an attempt to
> get the functionality I want.
>
> Thanks again,
> Matt
>
>
> # macros
> ext_if="vr0"
> int_if="vr1"
> vpn_if="tun0"
> vpn_addr="192.168.187.0/24"
>
> tcp_services="{ 22, 113 }"
> icmp_types="echoreq"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> # LAN hosts bound for the VPN subnet leave via the tunnel with its address.
> # A bare "$int_if" would only match the gateway's own vr1 address, so the
> # source must be the network behind it.
> nat on $vpn_if from $int_if:network to $vpn_addr -> ($vpn_if)
> # everything else leaving the box is masqueraded as the external address
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> # filter rules
> block in
>
> pass out keep state
>
> anchor "ftp-proxy/*"
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>   port $tcp_services flags S/SA keep state
> pass in on $vpn_if inet proto tcp from any to ($vpn_if) \
>   port $tcp_services flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass quick on $int_if
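As an added example (not part of the thread, and not the poster's own config), here is a small POSIX shell lint for the two points raised in the reply above: it expands a pf.conf's own macros, finds the `nat on <vpn interface>` rule and checks that the source is a network (`iface:network` or a CIDR) rather than a bare interface name, which in pf means only that interface's own address and therefore never matches the LAN hosts; and it checks a sysctl.conf for `net.inet.esp.enable=0`. The pf.conf and sysctl.conf fragments are constructed for the example, modelled on the one posted, and the temp-file location is an assumption.

```sh
#!/bin/sh
# Added example: a pf.conf / sysctl.conf lint for NAT over a vpnc tun device.
# Not code from the thread; the sample files below are constructed.

# lint_vpn_nat FILE IFACE
#   Returns 0 when FILE has a "nat on IFACE" rule whose source is a network,
#   prints a finding and returns 1 otherwise. Handles name="value" macros
#   and the :network / ( ) decorations; list syntax "{ ... }" is not parsed.
lint_vpn_nat() {
    awk -v want="$2" '
    # macro definition line:  name="value"
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
        eq = index($0, "="); name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
        val = substr($0, eq + 1); gsub(/^[ \t]*"|"[ \t]*$/, "", val)
        macro[name] = val; next
    }
    /^[ \t]*nat[ \t]+on[ \t]/ {
        # expand $macro inside each token, keeping any :network or ( ) around it
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (match(tok, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(tok, RSTART + 1, RLENGTH - 1)
                if (name in macro)
                    $i = substr(tok, 1, RSTART - 1) macro[name] substr(tok, RSTART + RLENGTH)
            }
        }
        if ($3 != want) next
        found = 1
        src = "any"                       # pf default when "from" is omitted
        for (i = 4; i < NF; i++) if ($i == "from") src = $(i + 1)
        if (src ~ /:network$/ || src ~ /\// || src == "any") { ok = 1; exit }
        printf "nat on %s: source \"%s\" is not a network; a bare interface name matches only that interface address, use %s:network\n", want, src, src
        exit
    }
    END { if (!found) print "no nat rule on " want; exit !(found && ok) }
    ' "$1"
}

# check_esp_sysctl FILE -> 0 if FILE sets net.inet.esp.enable=0, else 1
check_esp_sysctl() {
    grep -Eq '^[ \t]*net\.inet\.esp\.enable[ \t]*=[ \t]*0[ \t]*$' "$1"
}

# constructed sample files (assumed writable temp dir)
tmp=${TMPDIR:-/tmp}/pflint.$$
mkdir -p "$tmp"
cat > "$tmp/pf.bad" <<'EOF'
int_if="vr1"
vpn_if="tun0"
vpn_addr="192.168.187.0/24"
nat on $vpn_if from $int_if to $vpn_addr -> ($vpn_if)
EOF
cat > "$tmp/pf.good" <<'EOF'
int_if="vr1"
vpn_if="tun0"
vpn_addr="192.168.187.0/24"
nat on $vpn_if from $int_if:network to $vpn_addr -> ($vpn_if)
EOF
printf 'net.inet.ip.forwarding=1\nnet.inet.esp.enable=0\n' > "$tmp/sysctl.conf"

lint_vpn_nat "$tmp/pf.bad" tun0  || echo "pf.bad: needs fixing"
lint_vpn_nat "$tmp/pf.good" tun0 && echo "pf.good: nat source is a network"
check_esp_sysctl "$tmp/sysctl.conf" && echo "sysctl.conf: kernel ESP disabled"
```

On a real gateway, point `lint_vpn_nat` at /etc/pf.conf with the tun interface vpnc created, then confirm the loaded ruleset with `pfctl -s nat` and the live value with `sysctl net.inet.esp.enable`; the lint only reads files and changes nothing.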
