On Thu, Dec 3, 2009 at 10:19 PM, Christoph Leser <le...@sup-logistik.de> wrote:
>> -----Original Message-----
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
>> On behalf of Aaron Mason
>> Sent: Wednesday, 2 December 2009 23:14
>> To: OpenBSD
>> Subject: Re: IPSec Blues
>>
>>
>> On Wed, Dec 2, 2009 at 11:02 AM, Bryan Irvine <sparcta...@gmail.com> wrote:
>> >> Does somebody know about an updated guide/tutorial?
>> >
>> > ipsec(4)
>> > ipsec.conf(5)
>> > isakmpd(8)
>> >
>> > -B
>> >
>> >
>>
>> The saga continues.
>>
>> The guide I've been following is at http://www.openbsdsupport.org/vpn-ipsec.html - it's a bit
>> outdated but it seems to work up to setting up the tunnel. isakmpd -d showed no errors at all,
>> however I can't seem to be able to route data across the secure channel.
>>
>> obsd-ipsec-right# netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs     Use   Mtu  Prio Iface
>> 10.255.255.4/30    link#2             UC         2       0     -     4 vic1
>> 10.255.255.5       00:0c:29:f6:20:80  UHLc       2     108     -     4 vic1
>> 10.255.255.6       00:0c:29:e1:29:2c  UHLc       0       0     -     4 lo0
>> 127/8              127.0.0.1          UGRS       0       0 33200     8 lo0
>> 127.0.0.1          127.0.0.1          UH         2     291 33200     4 lo0
>> 192.168.33/24      link#1             UC         3       0     -     4 vic0
>> 192.168.33.1       00:50:56:c0:00:06  UHLc       0       4     -     4 vic0
>> 192.168.33.2       link#1             UHLc       0       1     -     4 vic0
>> 192.168.33.7       127.0.0.1          UGHS       0       2 33200     8 lo0
>> 192.168.33.253     link#1             UHLc       1      24     -     4 vic0
>> 224/4              127.0.0.1          URS        0       0 33200     8 lo0
>>
>> Internet6:
>> <cruft>
>>
>> Encap:
>> Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
>> 192.168.120/24     0     192.168.33/24      0     0      10.255.255.5/esp/use/in
>> 192.168.33/24      0     192.168.120/24     0     0      10.255.255.5/esp/require/out
>>
>> obsd-ipsec-right# ping 192.168.120.130
>> PING 192.168.120.130 (192.168.120.130): 56 data bytes
>> ping: sendto: No route to host
>> ping: wrote 192.168.120.130 64 chars, ret=-1
>> --- 192.168.120.130 ping statistics ---
>> 1 packets transmitted, 0 packets received, 100.0% packet loss
>>
>>
>> obsd-ipsec-left# netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs     Use   Mtu  Prio Iface
>> 10.255.255.4/30    link#2             UC         2       0     -     4 vic1
>> 10.255.255.5       00:0c:29:f6:20:80  UHLc       0       0     -     4 lo0
>> 10.255.255.6       link#2             UHLc       2     100     -     4 vic1
>> 127/8              127.0.0.1          UGRS       0       0 33200     8 lo0
>> 127.0.0.1          127.0.0.1          UH         2     288 33200     4 lo0
>> 192.168.120/24     link#1             UC         2       0     -     4 vic0
>> 192.168.120.1      00:50:56:c0:00:01  UHLc       0      24     -     4 vic0
>> 192.168.120.130    127.0.0.1          UGHS       0       0 33200     8 lo0
>> 192.168.120.254    00:50:56:e0:b4:04  UHLc       1      25     -     4 vic0
>> 224/4              127.0.0.1          URS        0       0 33200     8 lo0
>>
>> Internet6:
>> <cruft>
>>
>> Encap:
>> Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
>> 192.168.33/24      0     192.168.120/24     0     0      10.255.255.6/esp/use/in
>> 192.168.120/24     0     192.168.33/24      0     0      10.255.255.6/esp/require/out
>>
>> obsd-ipsec-left# ping 192.168.33.7
>> PING 192.168.33.7 (192.168.33.7): 56 data bytes
>> ping: sendto: No route to host
>> ping: wrote 192.168.33.7 64 chars, ret=-1
>> --- 192.168.33.7 ping statistics ---
>> 1 packets transmitted, 0 packets received, 100.0% packet loss
>>
>> I tried setting up a static route pointing at the networks on either side, but these seem to
>> pass unencrypted - when I listen on enc0, nothing appears. I even tried using the pf.conf file
>> listed in that file (while making changes to suit my configuration)... no dice.
>>
>> Any ideas? I'm already using a PSK and tried using PKI, but only one side seemed to be encrypted.
>>
>> Thanks
>>
>> --
>> Aaron Mason - Programmer, open source addict
>> I've taken my software vows - for beta or for worse
>>
>>
>
> I did not follow the complete thread. I'd just like to mention that I
> regularly get trapped with 'no route to host' when I set up new ipsec tunnels.
> In most cases I forgot to fix pf.conf for the new tunnel. Do you use pf?
>
> Regards
> Christoph
>
Apologies for the delay, for some reason your message got marked as spam by GMail.

Yeah, I followed the entire guide that I linked to. I'm not sure if I have set up the pf.conf files or the isakmpd.conf files backwards or what, I'll have to look into it.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
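As an added illustration of the pf.conf point Christoph raises (this is not configuration from the thread or from the linked guide), here is the shape of the IPsec ruleset that the OpenBSD pf.conf(5) manual's example uses, filled in with the right-hand gateway's addresses from the netstat output quoted above. The macro names are assumptions, the interface assignment (vic1 toward the peer on 10.255.255.4/30, vic0 toward the 192.168.33/24 LAN) is inferred from that output, and the fragment is meant to be merged into an existing pf.conf rather than to replace it.

```pf
# Added example for the right-hand gateway (obsd-ipsec-right); not from the
# original messages. Interface and network assignments are assumptions read
# off the quoted netstat -rn output.
ext_if     = "vic1"
int_if     = "vic0"
local_net  = "192.168.33.0/24"
remote_net = "192.168.120.0/24"
peer_gw    = "10.255.255.5"

# IKE (UDP 500, plus 4500 for NAT traversal) and ESP must be allowed between
# the two gateways on the external interface, or the SAs never come up and
# the flows have nothing to carry traffic.
pass in  on $ext_if proto udp from $peer_gw to $ext_if port { 500, 4500 }
pass out on $ext_if proto udp from $ext_if to $peer_gw port { 500, 4500 }
pass in  on $ext_if proto esp from $peer_gw to $ext_if
pass out on $ext_if proto esp from $ext_if to $peer_gw

# Traffic that enters or leaves the tunnel is seen a second time, in
# cleartext, on enc0. It is filtered there, not on $ext_if, so rules on
# enc0 decide which inner networks may talk through the tunnel.
pass in  on enc0 proto ipencap from $peer_gw to $ext_if keep state (if-bound)
pass in  on enc0 from $remote_net to $local_net keep state (if-bound)
pass out on enc0 from $local_net to $remote_net keep state (if-bound)
```

The left-hand gateway gets the mirror image: ext_if is still the 10.255.255.4/30 interface, peer_gw becomes 10.255.255.6, and local_net and remote_net swap. A few checks are worth running after loading the rules: `pfctl -nf /etc/pf.conf` parses the file without loading it, `ipsecctl -sa` shows whether both flows and both ESP SAs are actually installed, `pfctl -sr` confirms the enc0 rules were loaded, and `tcpdump -ni enc0` should show cleartext packets while `tcpdump -ni vic1 esp` shows the matching ESP on the outer interface; if the first shows nothing, the packet never reached the tunnel. One detail visible in both routing tables above is that neither has a default route: the kernel does the route lookup before it consults the IPsec flows on output, so a destination with no route at all is refused with "No route to host" before any flow can match, while a static route that sends the remote subnet anywhere but through a matching `require` flow will forward it in the clear.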