> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Aaron Mason
> Sent: Wednesday, 2 December 2009 23:14
> To: OpenBSD
> Subject: Re: IPSec Blues
>
> On Wed, Dec 2, 2009 at 11:02 AM, Bryan Irvine <sparcta...@gmail.com> wrote:
> >> Does somebody know about an updated guide/tutorial?
> >
> > ipsec(4)
> > ipsec.conf(5)
> > isakmpd(8)
> >
> > -B
>
> The saga continues.
>
> The guide I've been following is at
> http://www.openbsdsupport.org/vpn-ipsec.html - it's a bit outdated but it
> seems to work up to setting up the tunnel. isakmpd -d showed no errors at
> all, however I can't seem to be able to route data across the secure
> channel.
>
> obsd-ipsec-right# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway             Flags  Refs  Use  Mtu    Prio  Iface
> 10.255.255.4/30    link#2              UC     2     0    -      4     vic1
> 10.255.255.5       00:0c:29:f6:20:80   UHLc   2     108  -      4     vic1
> 10.255.255.6       00:0c:29:e1:29:2c   UHLc   0     0    -      4     lo0
> 127/8              127.0.0.1           UGRS   0     0    33200  8     lo0
> 127.0.0.1          127.0.0.1           UH     2     291  33200  4     lo0
> 192.168.33/24      link#1              UC     3     0    -      4     vic0
> 192.168.33.1       00:50:56:c0:00:06   UHLc   0     4    -      4     vic0
> 192.168.33.2       link#1              UHLc   0     1    -      4     vic0
> 192.168.33.7       127.0.0.1           UGHS   0     2    33200  8     lo0
> 192.168.33.253     link#1              UHLc   1     24   -      4     vic0
> 224/4              127.0.0.1           URS    0     0    33200  8     lo0
>
> Internet6:
> <cruft>
>
> Encap:
> Source           Port  Destination      Port  Proto  SA(Address/Proto/Type/Direction)
> 192.168.120/24   0     192.168.33/24    0     0      10.255.255.5/esp/use/in
> 192.168.33/24    0     192.168.120/24   0     0      10.255.255.5/esp/require/out
>
> obsd-ipsec-right# ping 192.168.120.130
> PING 192.168.120.130 (192.168.120.130): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 192.168.120.130 64 chars, ret=-1
> --- 192.168.120.130 ping statistics ---
> 1 packets transmitted, 0 packets received, 100.0% packet loss
>
>
> obsd-ipsec-left# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway             Flags  Refs  Use  Mtu    Prio  Iface
> 10.255.255.4/30    link#2              UC     2     0    -      4     vic1
> 10.255.255.5       00:0c:29:f6:20:80   UHLc   0     0    -      4     lo0
> 10.255.255.6       link#2              UHLc   2     100  -      4     vic1
> 127/8              127.0.0.1           UGRS   0     0    33200  8     lo0
> 127.0.0.1          127.0.0.1           UH     2     288  33200  4     lo0
> 192.168.120/24     link#1              UC     2     0    -      4     vic0
> 192.168.120.1      00:50:56:c0:00:01   UHLc   0     24   -      4     vic0
> 192.168.120.130    127.0.0.1           UGHS   0     0    33200  8     lo0
> 192.168.120.254    00:50:56:e0:b4:04   UHLc   1     25   -      4     vic0
> 224/4              127.0.0.1           URS    0     0    33200  8     lo0
>
> Internet6:
> <cruft>
>
> Encap:
> Source           Port  Destination      Port  Proto  SA(Address/Proto/Type/Direction)
> 192.168.33/24    0     192.168.120/24   0     0      10.255.255.6/esp/use/in
> 192.168.120/24   0     192.168.33/24    0     0      10.255.255.6/esp/require/out
>
> obsd-ipsec-left# ping 192.168.33.7
> PING 192.168.33.7 (192.168.33.7): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 192.168.33.7 64 chars, ret=-1
> --- 192.168.33.7 ping statistics ---
> 1 packets transmitted, 0 packets received, 100.0% packet loss
>
> I tried setting up a static route pointing at the networks on either
> side, but these seem to pass unencrypted - when I listen on enc0,
> nothing appears. I even tried using the pf.conf file listed in that
> file (while making changes to suit my configuration)... no dice.
>
> Any ideas? I'm already using a PSK and tried using PKI, but only one
> side seemed to be encrypted.
>
> Thanks
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
I did not follow the complete thread. I'd just like to mention that I
regularly get trapped with 'no route to host' when I set up new ipsec
tunnels. In most cases I forgot to fix pf.conf for the new tunnel.

Do you use pf?

Regards
Christoph
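As an added example that is not part of the thread (neither Christoph's nor Aaron's own configuration), here is a pf.conf fragment showing what "fixing pf.conf for the new tunnel" covers for the left gateway in Aaron's layout, built from the addresses and interface names in his netstat output (10.255.255.5 on vic1 facing the peer 10.255.255.6, 192.168.120/24 behind vic0); the default-deny policy and the udp/4500 NAT-T port are assumptions:

```pf
# Constructed example for the "left" gateway in the thread; mirror the
# addresses and networks to build the "right" side.
ext_if     = "vic1"
int_if     = "vic0"
local_gw   = "10.255.255.5"
remote_gw  = "10.255.255.6"
local_net  = "192.168.120.0/24"
remote_net = "192.168.33.0/24"

set skip on lo0

# Assumed default-deny policy; the pass rules below are what opens the
# tunnel.  Add your usual management (ssh etc.) rules alongside them.
block log all

# 1. isakmpd has to reach its peer: IKE on udp/500 (udp/4500 only matters
#    when NAT traversal is in play).
pass in  on $ext_if proto udp from $remote_gw to $local_gw port { 500, 4500 }
pass out on $ext_if proto udp from $local_gw to $remote_gw port { 500, 4500 }

# 2. The protected traffic itself crosses vic1 as ESP between the gateways.
pass in  on $ext_if proto esp from $remote_gw to $local_gw
pass out on $ext_if proto esp from $local_gw to $remote_gw

# 3. Cleartext enters and leaves the tunnel on enc(4), so it must be
#    passed there too; if-bound states stop pf from re-evaluating the
#    same packets when they reappear on vic1 wrapped in ESP.
pass in  on enc0 from $remote_net to $local_net keep state (if-bound)
pass out on enc0 from $local_net to $remote_net keep state (if-bound)

# 4. LAN-facing rules so hosts behind vic0 can use the tunnel at all.
pass in  on $int_if from $local_net to $remote_net
pass out on $int_if from $remote_net to $local_net
```

After `pfctl -f /etc/pf.conf`, `pfctl -sr` confirms the rules loaded and `tcpdump -n -i enc0` should start showing the cleartext packets Aaron was not seeing; `ipsecctl -sa` lists the flows and SAs isakmpd installed.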