On Thu, 3 Dec 2009 02:24:18 -0800
Paul <pa...@rawbw.com> wrote:

> > I even tried using the pf.conf file listed in that
> > file (while making changes to suit my configuration)... no dice.
> > 
> 
> First, I would double check the pf rules.  One way is to have pf log packets 
> that get blocked and then run tcpdump on the pflog0 interface:
> 
> #tcpdump -e -i pflog0
> 
> When the -e flag is used on pflog0, tcpdump will print the interface on which 
> the packet arrived and the reason for dropping it.  If something shows up for 
> enc0, then the pf rules aren't right.
> 
> In addition to these rules (taken from tutorial you referenced):
> 
>         # Passing in traffic from the designated subnets.
>         pass in  quick on enc0 from $NETWORK_A to $NETWORK_B
>         pass out quick on enc0 from $NETWORK_B to $NETWORK_A
> 
> you might add this to each pf.conf on the gateways:
> 
>       pass in on enc0 from $REMOTE_GATEWAY to $LOCAL_GATEWAY keep state (if-bound)
> 
> Though this rule doesn't seem necessary, it has made my implementations work. 
> I'd be curious to know if it solves your problem.
> 
> ( According to the enc(4) man page, rules on the enc0 interface should 
> explicitly declare state as interface bound, e.g., 'keep state (if-bound)' ).
> 
> Also, for debugging, you might try to simplify your ipsec.conf and just set up 
> one tunnel to protect traffic between the two 192.168 networks. Basically, 
> reduce the ipsec.conf files to this:
> 
> obsd-ipsec-left:
> ike passive esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6
> 
> obsd-ipsec-right:
> ike esp from 192.168.33.0/24 to 192.168.120.0/24 peer 10.255.255.5

Hello Paul, could you please help with this? A laptop connecting to a myplace.org 
server, passing through a NATed D-Link router. Both OBSD-4.6. pf=NO

ipsec.conf server in myplace.org:
ike passive esp from myplace.org to 0.0.0.0/0 peer 0.0.0.0/0

Client (anywhere outside):
ike esp from 0.0.0.0/0 to myplace.org peer 192.168.2.2

How do I declare 0.0.0.0/0 and/or any in /etc/isakmpd/pubkeys, and where?
I have tried naming it 0.0.0.0/0 in ipv4, and any in fqdn, but it is not 
identified.

Thanks
-- 
openbbs...@gmail.com
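
As an added example (not from Paul's message or from the original poster), here is how the advice in the quoted reply fits together on one gateway: a minimal /etc/pf.conf for obsd-ipsec-left that logs every block (so `tcpdump -e -i pflog0` shows what pf refuses), passes IKE and ESP between the two gateways on the outer interface, and uses the enc0 rules with `keep state (if-bound)` as enc(4) recommends, followed by the simplified one-tunnel ipsec.conf for the same host. The addresses and networks are the ones from the thread; the external interface name em0 and the block-all default are assumptions. The mirror configuration on obsd-ipsec-right swaps the gateway and network macros and drops `passive`.

```conf
# /etc/pf.conf on obsd-ipsec-left  (added example, not from the thread)

ext_if     = "em0"                # assumption: outer interface name
local_gw   = "10.255.255.5"       # obsd-ipsec-left, from the thread
remote_gw  = "10.255.255.6"       # obsd-ipsec-right, from the thread
local_net  = "192.168.120.0/24"
remote_net = "192.168.33.0/24"

set skip on lo

# Log every block so dropped packets show up on pflog0 with their interface.
block log all

# IKE (isakmpd) on UDP 500, NAT-T on UDP 4500, and ESP between the gateways
# on the outer interface. Without these isakmpd never negotiates the SAs.
pass in  on $ext_if proto udp from $remote_gw to $local_gw port { 500, 4500 }
pass out on $ext_if proto udp from $local_gw to $remote_gw port { 500, 4500 }
pass in  on $ext_if proto esp from $remote_gw to $local_gw
pass out on $ext_if proto esp from $local_gw to $remote_gw

# Decapsulated traffic appears on enc0. Bind state to the interface so a
# packet that has already been seen on $ext_if is not matched by a stale
# state from the other interface (enc(4): keep state (if-bound)).
pass in  on enc0 from $remote_gw  to $local_gw  keep state (if-bound)
pass out on enc0 from $local_gw   to $remote_gw keep state (if-bound)
pass in  on enc0 from $remote_net to $local_net keep state (if-bound)
pass out on enc0 from $local_net  to $remote_net keep state (if-bound)
```

The matching /etc/ipsec.conf on obsd-ipsec-left is the single line from the quoted reply, `ike passive esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6`; with the peer identified by its IPv4 address, isakmpd looks for that peer's public key under /etc/isakmpd/pubkeys/ipv4/10.255.255.6. To test: load the rules with `pfctl -f /etc/pf.conf`, load the flows with `ipsecctl -f /etc/ipsec.conf`, check that SAs and flows exist with `ipsecctl -sa`, then watch `tcpdump -n -e -ttt -i pflog0` while pinging across the tunnel. Any line that names enc0 there is a rule problem, not an IPsec problem.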