Yes, it is "lo" for loopback, a keyboard error. I can't do any modification because I'm not at work any more. I will do the changes Monday (GMT+4). I'll keep you informed, and of course thank you very much for your help.
On Fri, 12 Mar 2010 16:54:50 +0100, Mitja Muženič / Kerberos.si / <mi...@kerberos.si> wrote:

> Just a quick reply because I was just going out - try to remove enc0 from
> the "set skip on {loi enc0}" line. If you skip enc0 then the binat rule on
> enc0 won't work. Also, what is "loi"? You probably mean "lo".
>
> If this doesn't help I'll look at your config again later tonight.
>
>> -----Original Message-----
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
>> open...@e-solutions.re
>> Sent: Friday, March 12, 2010 4:34 PM
>> To: misc@openbsd.org
>> Subject: Ipsec VPN and NAT
>>
>> I'm trying to do an IPsec VPN with NAT. (I can fully do some tests at work;
>> we have SDSL with 5 IP addresses.)
>>
>> To sum up, I want to do an IPsec VPN between Site A (192.168.0.0/24) and
>> Site B (192.168.0.0/24). They have the same network address.
>> So I've done it with this good article:
>> http://undeadly.org/cgi?action=artic...20090127205841 (from Mitja)
>> The tunnel is mounted but I can't connect to workstations. Can you help me?
>> Here is what I've done:
>>
>> PC1----PF1----------------INTERNET---------------------PF2---PC2
>>
>> PF1 : OpenBSD 4.6
>> rl0 : connected to SDSL, has a fixed IP (11.11.11.11), this interface is
>> the egress.
>> rl1 : our network, its IP address: 192.168.0.11
>> DNS : ISP
>> There's only PF, isakmpd (-K), and ipsec services. No dhcp, no bind.
>>
>> PF2 : OpenBSD 4.6
>> rl0 : connected to SDSL, has a fixed IP (22.22.22.22), this interface is
>> the egress.
>> rl1 : our network, its IP address: 192.168.0.12
>> There's only PF, isakmpd (-K), and ipsec services. No dhcp, no bind.
>>
>> PC1 : XP PRO (workgroup)
>> IP : 192.168.0.93/24, should be 192.168.1.93 using NAT
>> Gateway : 192.168.0.11
>> DNS : ISP
>>
>> PC2 : XP PRO (workgroup)
>> IP : 192.168.0.92/24, should be 192.168.2.92 using NAT
>> Gateway : 192.168.0.12
>> DNS : ISP
>>
>> When I type on a PF machine (PF1 or PF2): ipsecctl -sa, there are flows and
>> SAs. The tunnel is mounted. I can verify it using tcpdump -i enc0 on PF1 and
>> typing tracert 192.168.1.93 (using PC2). There is encrypted traffic.
>>
>> ipsecctl -sa on PF2:
>> FLOWS:
>> flow esp in from 192.168.1.0/24 to 192.168.0.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type use
>> flow esp out from 192.168.0.0/24 to 192.168.1.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type require
>> SAD:
>> esp tunnel from 11.11.11.11 to 22.22.22.22 spi 0x14f92c81 auth hmac-sha1 enc aes-256
>> esp tunnel from 22.22.22.22 to 11.11.11.11 spi 0xb1b3d4a6 auth hmac-sha1 enc aes-256
>>
>> Test I've done:
>> On machine PC1 (192.168.0.93), I tried to ping PC2 using its NAT address
>> 192.168.2.92 (doesn't work). I have the following on the PF2 console using
>> tcpdump -i enc0:
>>
>> tcpdump: listening on enc0, link-type ENC
>> 18:31:36.608877 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
>> 18:31:41.818990 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
>> 18:31:47.329048 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
>> 18:31:52.846117 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 > 192.168.2.92: icmp: echo request (encap)
>> ^C
>> 4 packets received by filter
>> 0 packets dropped by kernel
>>
>> Conclusion: something is missing, PF can't redirect the packet to the
>> machine. It doesn't know who 192.168.1.93 is (should be 192.168.0.93 in
>> reality).
>> Do you have an idea? In the document
>> http://undeadly.org/cgi?action=artic...20090127205841 he talks about needing
>> to use split DNS for it to work. Is it really necessary? If yes, how can I
>> do that?
>> Can you help me?
>>
>> See pf.conf, ipsec.conf:
>>
>> ipsec.conf (PF1):
>> ike esp from 192.168.1.0/24 (192.168.0.0/24) to 192.168.2.0/24 \
>>     peer 22.22.22.22 \
>>     main auth hmac-sha1 enc aes-256 group modp1024 \
>>     quick auth hmac-sha1 enc aes-256 group modp1024 \
>>     psk "thisisanexample"
>>
>> ipsec.conf (PF2):
>> ike esp from 192.168.2.0/24 (192.168.0.0/24) to 192.168.1.0/24 \
>>     peer 11.11.11.11 \
>>     main auth hmac-sha1 enc aes-256 group modp1024 \
>>     quick auth hmac-sha1 enc aes-256 group modp1024 \
>>     psk "thisisanexample"
>>
>> pf.conf (PF1):
>> me="11.11.11.11"
>> distant="22.22.22.22"
>> set skip on {loi enc0}
>> set block-policy drop
>> nat on egress from rl1:network to any -> egress
>> binat on enc0 inet from 192.168.0.0/24 to 192.168.2.0/24 -> 192.168.1.0/24
>> block in log on egress
>> pass in on egress inet proto udp from $distant to $me port 500
>> pass in on egress inet proto udp from $distant to $me port 4500
>> pass in on egress proto esp from $distant to $me
>> pass out keep state
>>
>> pf.conf (PF2):
>> me="22.22.22.22"
>> distant="11.11.11.11"
>> set skip on {loi enc0}
>> set block-policy drop
>> nat on egress from rl1:network to any -> egress
>> binat on enc0 inet from 192.168.0.0/24 to 192.168.1.0/24 -> 192.168.2.0/24
>> block in log on egress
>> pass in on egress inet proto udp from $distant to $me port 500
>> pass in on egress inet proto udp from $distant to $me port 4500
>> pass in on egress proto esp from $distant to $me
>> pass out keep state
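Mitja's diagnosis generalises to a simple ruleset check: any interface listed in `set skip on` bypasses PF completely, so a `nat`, `binat` or `rdr` rule bound to that interface can never fire. The following lint is an added example (my code, not from the thread or from OpenBSD); it embeds PF1's pf.conf above as constructed sample input and also flags skip-list names that are not in a caller-supplied interface list, which catches the "loi" typo.

```python
"""Lint a pf.conf for translation rules bound to a skipped interface."""
import re

# Constructed sample: PF1's pf.conf from the thread, typo included.
SAMPLE_PF_CONF = """\
me="11.11.11.11"
distant="22.22.22.22"
set skip on {loi enc0}
set block-policy drop
nat on egress from rl1:network to any -> egress
binat on enc0 inet from 192.168.0.0/24 to 192.168.2.0/24 -> 192.168.1.0/24
block in log on egress
pass in on egress inet proto udp from $distant to $me port 500
pass in on egress inet proto udp from $distant to $me port 4500
pass in on egress proto esp from $distant to $me
pass out keep state
"""

# Interface token is either a single name or a brace list: { lo enc0 }
SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(\{[^}]*\}|\S+)")
TRANSLATION_RE = re.compile(r"^\s*(nat|binat|rdr)\s+on\s+(\{[^}]*\}|\S+)")


def _interfaces(token):
    """Expand 'enc0' or '{lo, enc0}' into a set of interface names."""
    return set(token.strip("{}").replace(",", " ").split())


def skipped_interfaces(conf):
    """All interface names that appear in 'set skip on' lines."""
    skipped = set()
    for line in conf.splitlines():
        m = SKIP_RE.match(line)
        if m:
            skipped |= _interfaces(m.group(1))
    return skipped


def translation_conflicts(conf):
    """(rule type, interface, rule) for each nat/binat/rdr rule whose
    interface is skipped and therefore never reaches the translation."""
    skipped = skipped_interfaces(conf)
    conflicts = []
    for line in conf.splitlines():
        m = TRANSLATION_RE.match(line)
        if m:
            for ifname in _interfaces(m.group(2)) & skipped:
                conflicts.append((m.group(1), ifname, line.strip()))
    return conflicts


def unknown_skipped(conf, known_ifaces):
    """Skip-list names not among the host's interfaces, e.g. 'loi' for 'lo':
    such a name skips nothing, so lo would still be filtered."""
    return skipped_interfaces(conf) - set(known_ifaces)
```

Running `translation_conflicts(SAMPLE_PF_CONF)` reports the `binat on enc0` rule, and the report goes away once the skip line is reduced to `set skip on lo`.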