On Wed, Dec 2, 2009 at 11:02 AM, Bryan Irvine <sparcta...@gmail.com> wrote:
>> Does somebody know about an updated guide/tutorial?
>
> ipsec(4)
> ipsec.conf(5)
> isakmpd(8)
>
> -B
>
>
The saga continues. The guide I've been following is at http://www.openbsdsupport.org/vpn-ipsec.html - it's a bit outdated, but it seems to work up to setting up the tunnel. isakmpd -d showed no errors at all; however, I can't seem to be able to route data across the secure channel.

obsd-ipsec-right# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.255.255.4/30    link#2             UC         2        0     -     4 vic1
10.255.255.5       00:0c:29:f6:20:80  UHLc       2      108     -     4 vic1
10.255.255.6       00:0c:29:e1:29:2c  UHLc       0        0     -     4 lo0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2      291 33200     4 lo0
192.168.33/24      link#1             UC         3        0     -     4 vic0
192.168.33.1       00:50:56:c0:00:06  UHLc       0        4     -     4 vic0
192.168.33.2       link#1             UHLc       0        1     -     4 vic0
192.168.33.7       127.0.0.1          UGHS       0        2 33200     8 lo0
192.168.33.253     link#1             UHLc       1       24     -     4 vic0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

Internet6:
<cruft>

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.120/24     0     192.168.33/24      0     0     10.255.255.5/esp/use/in
192.168.33/24      0     192.168.120/24     0     0     10.255.255.5/esp/require/out

obsd-ipsec-right# ping 192.168.120.130
PING 192.168.120.130 (192.168.120.130): 56 data bytes
ping: sendto: No route to host
ping: wrote 192.168.120.130 64 chars, ret=-1

--- 192.168.120.130 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

obsd-ipsec-left# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.255.255.4/30    link#2             UC         2        0     -     4 vic1
10.255.255.5       00:0c:29:f6:20:80  UHLc       0        0     -     4 lo0
10.255.255.6       link#2             UHLc       2      100     -     4 vic1
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2      288 33200     4 lo0
192.168.120/24     link#1             UC         2        0     -     4 vic0
192.168.120.1      00:50:56:c0:00:01  UHLc       0       24     -     4 vic0
192.168.120.130    127.0.0.1          UGHS       0        0 33200     8 lo0
192.168.120.254    00:50:56:e0:b4:04  UHLc       1       25     -     4 vic0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

Internet6:
<cruft>

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.33/24      0     192.168.120/24     0     0     10.255.255.6/esp/use/in
192.168.120/24     0     192.168.33/24      0     0     10.255.255.6/esp/require/out

obsd-ipsec-left# ping 192.168.33.7
PING 192.168.33.7 (192.168.33.7): 56 data bytes
ping: sendto: No route to host
ping: wrote 192.168.33.7 64 chars, ret=-1

--- 192.168.33.7 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

I tried setting up a static route pointing at the networks on either side, but these seem to pass unencrypted - when I listen on enc0, nothing appears. I even tried using the pf.conf file listed in that file (while making changes to suit my configuration)... no dice.

Any ideas? I'm already using a PSK and tried using PKI, but only one side seemed to be encrypted.

Thanks

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
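For reference, here is the ipsec.conf(5) form of the same two flows for the topology shown in the message above (left gateway 10.255.255.5 fronting 192.168.120/24, right gateway 10.255.255.6 fronting 192.168.33/24). This is an added example written for this page; it is not taken from the thread, from the linked guide, or from any OpenBSD source. The PSK value is a placeholder, and the file assumes isakmpd is started with -K so that it accepts the flows and SAs that ipsecctl(8) installs. Note the caveat in the comments: the kernel still has to find an ordinary route for the plaintext destination before it consults the flow table, so a gateway with no default route needs a route to the far subnet that points at the peer.

```conf
# /etc/ipsec.conf on obsd-ipsec-left (added example, not from the thread)
#
# Load with:    ipsecctl -f /etc/ipsec.conf
# Flows/SAs:    ipsecctl -sa          (flows appear under "FLOWS", the
#                                      negotiated SAs under "SAD")
# Watch it:     tcpdump -n -i enc0    (decrypted/cleartext view of the tunnel)
#               tcpdump -n -i vic1 esp
#
# Addresses below are the ones from the netstat output in the thread.
left_gw   = "10.255.255.5"      # this gateway, on vic1
right_gw  = "10.255.255.6"      # the peer, on its vic1
left_net  = "192.168.120.0/24"  # behind this gateway (vic0)
right_net = "192.168.33.0/24"   # behind the peer

# One IKE rule installs both flows ("use/in" and "require/out" in
# netstat -rn) and has isakmpd negotiate the ESP SAs with the peer.
# On obsd-ipsec-right, swap the from/to networks and local/peer.
ike esp from $left_net to $right_net \
        local $left_gw peer $right_gw \
        psk "replace-with-a-long-random-secret"

# Caveat: a flow is not a route. ip_output looks up a route for the
# plaintext destination first and only then matches the flow, so with
# no default route (as in the netstat output above) "ping: sendto:
# No route to host" is expected until a route to $right_net exists.
# A route via the peer's tunnel address is enough; the packet is then
# matched by the require/out flow and leaves vic1 inside ESP:
#     route add 192.168.33.0/24 10.255.255.6
```

If the flows are present but `ipsecctl -sa` shows an empty SAD, the IKE exchange never completed and traffic matching a `require/out` flow is dropped rather than sent in the clear; `isakmpd -d -DA=90` on both gateways shows which phase fails.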