On Fri, Jun 06, 2008 at 07:08:08AM -0500, dontek wrote:
> Is vpnc working on the OpenBSD box and just not routing for your
> internal network? Your pf.conf looks ok to me for the NAT part. Have
> you made sure net.inet.esp.enable=0 is in your sysctl.conf?

Indeed, my sysctl.conf is set correctly, and vpnc works as expected on
OpenBSD.

> On Wed, Jun 4, 2008 at 8:15 AM, Matt Garman <[EMAIL PROTECTED]> wrote:
> > On Wed, Jun 04, 2008 at 02:08:02PM +1000, Rod Whitworth wrote:
> >> On Tue, 3 Jun 2008 22:49:10 -0500, Matt Garman wrote:
> >> >I've been using the "vpnc" program on Linux to connect to my
> >> >employer's network. The program also exists for OpenBSD, and
> >> >works great for my needs.
> >> >
> >> >I use my OpenBSD (3.9) install as a typical internet gateway,
> >> >firewall, NAT box. My pf script is virtually identical to the
> >> >example on the webpage.
> >> >
> >> >What I'd like to do is have my OBSD box NAT on the tun device
> >> >(VPN tunnel), i.e., so I can use the VPN connection seamlessly
> >> >from any system on my home network.
> >>
> >> First thing you need to do is to get up to date with at least 4.3
> >> installed. Nothing but 4.2 and 4.3 is supported.
> >
> > I've had the 4.2 CDs sitting on my desk for months now, just haven't
> > gotten around to installing! I'm hoping that my configuration and
> > question are simple enough that the version discrepancy won't
> > matter.
> >
> >> Then you need to realise that nobody here has ESP, so it's a bit
> >> hard to tell you what to change when your pf.conf is only hinted
> >> at. There are lots of pf.conf examples on webpages.
> >
> > Sorry, I meant to post it... it was late, and I was sleepy. It's
> > virtually identical to the example pf.conf on the OBSD web page
> > (http://openbsd.org/faq/pf/example1.html). You can see what I
> > added---lines with the vpn_if and vpn_addr macros, in an attempt to
> > get the functionality I want.
> >
> > Thanks again,
> > Matt
> >
> >
> > # macros
> > ext_if="vr0"
> > int_if="vr1"
> > vpn_if="tun0"
> > vpn_addr="192.168.187.0/24"
> >
> > tcp_services="{ 22, 113 }"
> > icmp_types="echoreq"
> >
> > # options
> > set block-policy return
> > set loginterface $ext_if
> >
> > set skip on lo
> >
> > # scrub
> > scrub in
> >
> > # nat/rdr
> > nat on $vpn_if from $int_if to $vpn_addr -> ($vpn_if)
> > nat on $ext_if from !($ext_if) -> ($ext_if:0)
> > nat-anchor "ftp-proxy/*"
> > rdr-anchor "ftp-proxy/*"
> >
> > # filter rules
> > block in
> >
> > pass out keep state
> >
> > anchor "ftp-proxy/*"
> > antispoof quick for { lo $int_if }
> >
> > pass in on $ext_if inet proto tcp from any to ($ext_if) \
> >     port $tcp_services flags S/SA keep state
> > pass in on $vpn_if inet proto tcp from any to ($vpn_if) \
> >     port $tcp_services flags S/SA keep state
> >
> > pass in inet proto icmp all icmp-type $icmp_types keep state
> >
> > pass quick on $int_if
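The NAT section as I would write it for this setup, added here as an example and not taken from the thread or from the OpenBSD FAQ. It keeps the macro names from the quoted pf.conf (the interface names and the 192.168.187.0/24 prefix are carried over as assumptions) and the pre-4.7 `nat` syntax the thread is using; OpenBSD 4.7 later replaced `nat`/`rdr` rules with `match ... nat-to`. The point it illustrates is from pf.conf(5): a bare interface name in an address position expands to the addresses assigned to that interface, whereas `$int_if:network` expands to the network attached to it, which is what a rule meant to translate LAN clients needs to match.

```pf
# macros (same names as the quoted pf.conf; values are assumptions)
ext_if="vr0"
int_if="vr1"
vpn_if="tun0"
vpn_addr="192.168.187.0/24"

# nat/rdr
# Translate LAN traffic bound for the VPN network to tun0's current
# address. "$int_if:network" is the LAN prefix behind vr1; a bare
# "$int_if" would only match packets sourced from the gateway's own
# vr1 address, so LAN hosts would leave tun0 untranslated.
# The parentheses around $vpn_if make pf re-read the address each time,
# which matters because vpnc assigns tun0 a fresh address per session.
nat on $vpn_if from $int_if:network to $vpn_addr -> ($vpn_if)

# Everything else leaving via the external interface, as in the FAQ
# example.
nat on $ext_if from !($ext_if) -> ($ext_if:0)
```

Checks I would run after loading this: `sysctl net.inet.ip.forwarding` has to report 1 or nothing is forwarded regardless of pf; `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -s nat` prints the loaded rules with macros expanded, so you can see what `$int_if:network` became; once vpnc is up, `route -n get 192.168.187.1` should name tun0 as the interface (vpnc installs that route, pf does not); and `tcpdump -ni tun0` while a LAN host pings something in 192.168.187.0/24 should show the tunnel address as the source, not the LAN host's address. If the source is still the LAN address, the nat rule is not matching, and `pfctl -s state` will show no translated state for it.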