I'm trying to do an IPsec VPN with NAT. (I can do full tests at work, where we have SDSL with 5 IP addresses.)
To summarize, I want to do an IPsec VPN between Site A (192.168.0.0/24) and Site B (192.168.0.0/24). They have the same network address. So I did it following this good article: http://undeadly.org/cgi?action=artic...20090127205841 (from Mitja). The tunnel is up but I can't connect to the workstations. Can you help me?

Here is what I've done:

    PC1----PF1----------------INTERNET---------------------PF2---PC2

PF1: OpenBSD 4.6
- rl0: connected to SDSL, has a fixed IP (11.11.11.11); this interface is the egress.
- rl1: our network, its IP address: 192.168.0.11
- DNS: ISP
- There are only the PF, isakmpd (-K), and ipsec services. No dhcp, no bind.

PF2: OpenBSD 4.6
- rl0: connected to SDSL, has a fixed IP (22.22.22.22); this interface is the egress.
- rl1: our network, its IP address: 192.168.0.12
- There are only the PF, isakmpd (-K), and ipsec services. No dhcp, no bind.

PC1: XP Pro (workgroup)
- IP: 192.168.0.93/24, should be 192.168.1.93 using NAT
- Gateway: 192.168.0.11
- DNS: ISP

PC2: XP Pro (workgroup)
- IP: 192.168.0.92/24, should be 192.168.2.92 using NAT
- Gateway: 192.168.0.12
- DNS: ISP

When I type ipsecctl -sa on a PF machine (PF1 or PF2), there are flows and SAs. The tunnel is up. I can verify it using tcpdump -i enc0 on PF1 while typing tracert 192.168.1.93 (on PC2).
There is encrypted traffic. ipsecctl -sa on PF2:

    FLOWS:
    flow esp in from 192.168.1.0/24 to 192.168.0.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type use
    flow esp out from 192.168.0.0/24 to 192.168.1.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type require

    SAD:
    esp tunnel from 11.11.11.11 to 22.22.22.22 spi 0x14f92c81 auth hmac-sha1 enc aes-256
    esp tunnel from 22.22.22.22 to 11.11.11.11 spi 0xb1b3d4a6 auth hmac-sha1 enc aes-256

Test I've done: on machine PC1 (192.168.0.93), I tried to ping PC2 using the NAT address 192.168.2.92 (doesn't work). I have the following on the PF2 console using tcpdump -i enc0:

    tcpdump: listening on enc0, link-type ENC
    18:31:36.608877 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
    18:31:41.818990 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
    18:31:47.329048 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
    18:31:52.846117 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
    ^C
    4 packets received by filter
    0 packets dropped by kernel

Conclusion: something is missing, PF can't redirect the packet to the machine. It doesn't know who 192.168.1.93 is (should be 192.168.0.93 in reality). Do you have an idea?

In the document http://undeadly.org/cgi?action=artic...20090127205841 he talks about needing to use split DNS for it to work. Is it really necessary? If yes, how can I do that? Can you help me?
See pf.conf and ipsec.conf:

ipsec.conf (PF1):

    ike esp from 192.168.1.0/24 (192.168.0.0/24) to 192.168.2.0/24 \
        peer 22.22.22.22 \
        main auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 group modp1024 \
        psk "thisisanexample"

ipsec.conf (PF2):

    ike esp from 192.168.2.0/24 (192.168.0.0/24) to 192.168.1.0/24 \
        peer 11.11.11.11 \
        main auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 group modp1024 \
        psk "thisisanexample"

pf.conf (PF1):

    me="11.11.11.11"
    distant="22.22.22.22"
    set skip on {loi enc0}
    set block-policy drop
    nat on egress from rl1:network to any -> egress
    binat on enc0 inet from 192.168.0.0/24 to 192.168.2.0/24 -> 192.168.1.0/24
    block in log on egress
    pass in on egress inet proto udp from $distant to $me port 500
    pass in on egress inet proto udp from $distant to $me port 4500
    pass in on egress proto esp from $distant to $me
    pass out keep state

pf.conf (PF2):

    me="22.22.22.22"
    distant="11.11.11.11"
    set skip on {loi enc0}
    set block-policy drop
    nat on egress from rl1:network to any -> egress
    binat on enc0 inet from 192.168.0.0/24 to 192.168.1.0/24 -> 192.168.2.0/24
    block in log on egress
    pass in on egress inet proto udp from $distant to $me port 500
    pass in on egress inet proto udp from $distant to $me port 4500
    pass in on egress proto esp from $distant to $me
    pass out keep state
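Added example, not the poster's file and not taken from the undeadly article. One thing worth checking against the configs above: pf.conf(5) documents that interfaces listed in "set skip" are passed as if pf were disabled, so pf does not process them at all, translation included. With enc0 in "set skip", the "binat on enc0" rule can never run, and that matches the symptom in the PF2 capture: the inner packet still carries the real source 192.168.0.93 instead of the mapped 192.168.1.93, and PF2 likewise cannot map the destination 192.168.2.92 back to 192.168.0.92. (Pinging by IP address does not involve DNS, so split DNS is unrelated to this particular test.) The fragment below is PF1's pf.conf from the post, OpenBSD 4.6 syntax, with only the "set skip" line changed; the same change applies on PF2. It assumes "loi" in the posted file was meant to be "lo", and that no other rule block enc0 traffic, so the default pass policy still lets tunnel traffic through.

```pf
# PF1 pf.conf, added example: identical to the posted file except for the
# "set skip" line. Assumption: "loi" in the post was meant to be "lo".
me="11.11.11.11"
distant="22.22.22.22"

# Only loopback is skipped. enc0 must stay under pf control, because
# "set skip on enc0" would also disable the binat rule below.
set skip on lo
set block-policy drop

# Plain NAT for ordinary Internet traffic leaving on the egress interface.
nat on egress from rl1:network to any -> egress

# Bidirectional mapping on the IPsec pseudo-interface: outbound, the real LAN
# 192.168.0.0/24 appears to Site B as 192.168.1.0/24; inbound, replies
# addressed to 192.168.1.x are mapped back to 192.168.0.x before delivery.
binat on enc0 inet from 192.168.0.0/24 to 192.168.2.0/24 -> 192.168.1.0/24

block in log on egress
pass in on egress inet proto udp from $distant to $me port 500
pass in on egress inet proto udp from $distant to $me port 4500
pass in on egress proto esp from $distant to $me
pass out keep state

# Nothing above blocks enc0, so decapsulated tunnel traffic is passed by
# default; add explicit "pass in/out on enc0" rules once the mapping works
# if you want to restrict what crosses the tunnel.
```

To verify after reloading with pfctl -f /etc/pf.conf: pfctl -s nat should list the binat rule, and with the change applied on both gateways a ping from PC1 to 192.168.2.92 should now show up in tcpdump -i enc0 on PF2 as 192.168.1.93 > 192.168.2.92, with the reply leaving as 192.168.2.92 > 192.168.1.93.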