> However, if I am on the firewall machines themselves, I can ping
> machines on the remote end, but service connection fails.

Steve is right. You have not set up flows in your isakmpd.conf to allow for this.

> Are there additional rules I need to put into pf for this type of
> connectivity? What am I missing?

Actually, it would have been nice if you had provided more information. Setting up a VPN is not a trivial task. Without your sanitized conf files, you're making it harder for us to help you. In this case, we're able to infer what's wrong. You're missing the following in your isakmpd.conf files:

- This is the isakmpd.conf for "B", the vpn-peer/firewall. "B" is where you are trying to ssh or ping host "a" that is behind vpn-peer/firewall "A".
- With the following additions, you will not need to add a static route in order to communicate with host "a" or "A" from "B".
- Ensure that you edit the isakmpd.conf file on "A" respectively.
- I'm also assuming that your pf.conf files on both vpn-peers are not blocking communication from "B" to "A" or "a".

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com

#############################################################################
# a [aaa.aaa.aaa.aaa] - A [AAA.AAA.AAA.AAA] <---> [BBB.BBB.BBB.BBB] B
#############################################################################
# "A" and "B" are the respective Internet security gateways
# "a" is a host behind "A"

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              BBB.BBB.BBB.BBB

[Phase 1]
AAA.AAA.AAA.AAA=        ISAKMP-peer-A

[Phase 2]
Connections=            IPsec-A-B,IPsec-a-B

[ISAKMP-peer-A]
Phase=                  1
Local-address=          BBB.BBB.BBB.BBB
Address=                AAA.AAA.AAA.AAA
Configuration=          Default-main-mode
Authentication=         some_shared_secret

[IPsec-A-B]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-A
Configuration=          Default-quick-mode
Local-ID=               B
Remote-ID=              A

[IPsec-a-B]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-A
Configuration=          Default-quick-mode
Local-ID=               B
Remote-ID=              a

[B]
ID-type=                IPV4_ADDR
Address=                BBB.BBB.BBB.BBB

[A]
ID-type=                IPV4_ADDR
Address=                AAA.AAA.AAA.AAA

[a]
ID-type=                IPV4_ADDR
Address=                aaa.aaa.aaa.aaa

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-MD5

[Default-main-mode-pre-shared]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-MD5-pre-shared

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
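An added example, not part of Mark's posting and not isakmpd's own code: a small Python checker for the kind of gap described in the thread. It parses isakmpd.conf-style sections and verifies that every connection named under [Phase 2] Connections= has a section, is Phase= 2, names an ISAKMP-peer section that exists, and has Local-ID and Remote-ID pointing at ID sections that exist; it then reports which of the peer IDs you expect to reach (here "A" and "a") have no Phase 2 flow at all, which is exactly what was missing on "B". The two configurations are constructed from the thread (the shared secret is a placeholder); tags are matched case-insensitively, since the posting mixes Local-ID and remote-ID, while section names are compared exactly as written.

```python
import re

# Constructed from the thread above: the sections gateway "B" had before the
# fix (one flow to gateway "A" only), then the IPsec-a-B connection and the
# [a] ID section that the reply adds for the host behind "A".
COMMON = """\
[ISAKMP-peer-A]
Phase=          1
Local-address=  BBB.BBB.BBB.BBB
Address=        AAA.AAA.AAA.AAA
Configuration=  Default-main-mode
Authentication= some_shared_secret

[IPsec-A-B]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-A
Configuration=  Default-quick-mode
Local-ID=       B
Remote-ID=      A

[B]
ID-type=        IPV4_ADDR
Address=        BBB.BBB.BBB.BBB

[A]
ID-type=        IPV4_ADDR
Address=        AAA.AAA.AAA.AAA
"""
EXTRA = """
[IPsec-a-B]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-A
Configuration=  Default-quick-mode
Local-ID=       B
remote-ID=      a

[a]
ID-type=        IPV4_ADDR
Address=        aaa.aaa.aaa.aaa
"""
BEFORE_CONF = "[Phase 2]\nConnections= IPsec-A-B\n\n" + COMMON
AFTER_CONF = "[Phase 2]\nConnections= IPsec-A-B,IPsec-a-B\n\n" + COMMON + EXTRA


def parse_isakmpd_conf(text):
    """Parse isakmpd.conf-style text into {section: {tag: value}}.
    Section names are kept as written; tags are lower-cased so that
    Remote-ID and remote-ID land on the same key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            sections[current][tag.strip().lower()] = value.strip()
    return sections


def check_flows(sections, must_reach=()):
    """Return a list of problems with the Phase 2 flow definitions.
    must_reach: ID section names that some connection's Remote-ID must
    name (the peer gateway and each host behind it you need to talk to)."""
    problems = []
    conns = [c.strip() for c in
             sections.get("Phase 2", {}).get("connections", "").split(",")
             if c.strip()]
    if not conns:
        problems.append("no Connections= under [Phase 2]")
    reached = set()
    for name in conns:
        sec = sections.get(name)
        if sec is None:
            problems.append(f"connection {name} listed but [{name}] is missing")
            continue
        if sec.get("phase") != "2":
            problems.append(f"{name}: Phase= must be 2")
        peer = sec.get("isakmp-peer", "")
        if peer not in sections:
            problems.append(f"{name}: ISAKMP-peer {peer!r} has no section")
        for tag in ("local-id", "remote-id"):
            ident = sec.get(tag, "")
            if ident not in sections:
                problems.append(f"{name}: {tag} {ident!r} has no section")
            elif "id-type" not in sections[ident]:
                problems.append(f"{name}: [{ident}] lacks ID-type=")
        reached.add(sec.get("remote-id", ""))
    for want in must_reach:
        if want not in reached:
            problems.append(f"no Phase 2 connection has Remote-ID {want}")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        found = check_flows(parse_isakmpd_conf(conf), must_reach=("A", "a"))
        print(label + ":", found or "ok")
```

Run against the "before" configuration it reports that nothing reaches "a"; against the "after" configuration it is silent. To use it on a real file, read the file into a string, call parse_isakmpd_conf on it, and pass the IDs of every remote gateway and host you expect to reach as must_reach; it only inspects the flow wiring, so a peer that is reachable on paper can still be blocked by pf, as the reply notes.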

