Hello!

   I'm having troubles with IPsec, but I'm not really sure whether it's an 
IPsec issue, a routing problem or just that I'm missing something big, very 
big... So any help is more than welcome!

   Here's the setup: PC_A is acting as a NAT gateway with three network cards. 
sis0 goes to an ADSL modem, sis1 talks to the local internal network 
(192.168.0.0/24). 

   I have another office on the other side of the road with its own network 
(192.168.3.0/24 on rl0), gateway is 192.168.3.254 (PC_B). The rl1 card 
(10.0.0.6) is connected to a WiFi client which in turn is bridged to a WiFi AP 
and finally to the sis2 card (10.0.0.1) on PC_A. 

   sis0 --- ADSL MODEM
    |
  *PC_A* sis2 --- AP  <- WiFi ->  AP --- rl1 *PC_B* rl0 --- Client1
    |
   sis1 --- 192.168.0.0/24 LAN

   Perhaps you already see where I'm going: I need to secure the connection 
between PC_A (on its 10.0.0.1 interface) and everything that's going to PC_B 
and to the LAN behind it (192.168.3.254). No, I don't need to tunnel the two 
subnets (192.168.0.0 and .3.0) together. They can live separated, as long as the 
remote office LAN (.3.0) can access the server and access the Internet.

   Both PC_A and PC_B are running on OpenBSD 3.7. 

   So, I boot up PC_B and manually add the default route (it's fresh out of an 
install, so I still do it by hand):

# route add 0/0 10.0.0.1
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            10.0.0.1           UGS         0        9      -   rl1
10.0.0.0/29        link#2             UC          0        0      -   rl1
10.0.0.1           00:09:5b:XX:XX:XX  UHLc        0        5      -   rl1
loopback           localhost          UGRS        0        0  33224   lo0
localhost          localhost          UH          0        0  33224   lo0
192.168.3/24       link#1             UC          0        0      -   rl0
192.168.3.70       00:50:fc:XX:XX:XX  UHLc        0      309      -   rl0
BASE-ADDRESS.MCAST localhost          URS         0        0  33224   lo0

   PLEASE NOTE : I posted all configuration info at the end of the message

   Next, Client1 can ping (obviously!) its default gateway (192.168.3.254), the 
rl1 card (10.0.0.6), the machine on the other side of the road (10.0.0.1 and 
192.168.0.254) and, of course, google.com. Yes, there are two separate NAT 
rules (one for each internal network) and yes, PC_A has the routes to the 
remote network 192.168.3.0/24.

   So far, so good. Now I start isakmpd on both machines. This is what happens:

1) From Client1, I cannot ping its default gateway (.3.254) anymore. No ping 
replies. ssh connection is frozen.

2) If I run a tcpdump -i rl1, I see that the pings from Client1 to PC_B are 
*routed* to PC_A!! Of course, PC_A doesn't know what to do with them; something 
is getting back, however (encrypted) :

# tcpdump -i rl1
17:54:15.803747 esp 10.0.0.6 > 10.0.0.1 spi 0x1F3A4307 seq 70 len 132 (DF)
17:54:15.810208 esp 10.0.0.1 > 10.0.0.6 spi 0x8A4C7C72 seq 58 len 132 (DF)

3) If Client1 pings 192.168.0.254 (on PC_A) or any other machine in PC_A's 
internal subnet, I get replies (encrypted through the tunnel).

4) If Client1 pings www.google.com, I get replies (encrypted).

5) If I ssh on PC_A (10.0.0.1) and from there ping 10.0.0.6, the pings are 
unencrypted:
18:04:28.631809 10.0.0.1 > 10.0.0.6: icmp: echo request
18:04:28.631898 10.0.0.6 > 10.0.0.1: icmp: echo reply
But I guess this was to be expected according to the way I set up the tunnel.

6) Not all of PC_B 's traffic is going through the tunnel; for example, DNS 
queries are still in clear:
tcpdump: listening on rl1, link-type EN10MB
18:09:53.547812 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 84 len 148 (DF) [tos 
0x10]
18:09:53.555414 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 64 len 100 (DF) [tos 
0x10]
18:09:53.557740 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 65 len 148 (DF) [tos 
0x10]
18:09:53.558698 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 85 len 100 (DF) [tos 
0x10]
18:09:54.135727 10.0.0.6.27192 > ns3.XXX.domain:  40783+ PTR? 
1.0.0.10.in-addr.arpa. (39)
18:09:54.164014 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 86 len 148 (DF) [tos 
0x10]
18:09:54.175462 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 66 len 148 (DF) [tos 
0x10]
18:09:54.176541 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 87 len 100 (DF) [tos 
0x10]
18:09:54.185555 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 67 len 180 (DF) [tos 
0x10]
18:09:54.186064 10.0.0.1 > 10.0.0.6: icmp: echo request
18:09:54.186149 10.0.0.6 > 10.0.0.1: icmp: echo reply
18:09:54.186561 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 88 len 100 (DF) [tos 
0x10]
18:09:54.189521 ns3.tin.it.domain > 10.0.0.6.27192:  40783 NXDomain* 0/1/0 (99)
18:09:54.191344 10.0.0.6.30665 > ns3.XXX.domain:  59489+ PTR? 
6.0.0.10.in-addr.arpa. (39)
18:09:54.195008 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 68 len 196 (DF) [tos 
0x10]
18:09:54.196155 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 89 len 100 (DF) [tos 
0x10]
18:09:54.196301 esp 10.0.0.1 > 10.0.0.6 spi 0xFB1721D2 seq 69 len 212 (DF) [tos 
0x10]
18:09:54.197352 esp 10.0.0.6 > 10.0.0.1 spi 0x33FDCE18 seq 90 len 100 (DF) [tos 
0x10]
18:09:54.251462 ns3.tin.it.domain > 10.0.0.6.30665:  59489 NXDomain* 0/1/0 (99)
18:09:54.253751 10.0.0.6.46911 > ns3.XXX.domain:  38381+ PTR? 
xxx.yyy.zzz.www.in-addr.arpa. (46)

7) The only way to talk to PC_B, either from its internal network 
(192.168.3.0/24) or from PC_A, is by connecting (ssh, ping...) to its external 
interface, 10.0.0.6!


8) If (from PC_B's tty console) I ping 192.168.3.254 I get no reply

   But I can connect to the Internet, after all. Except that A) Traffic is not 
encrypted B) I cannot ping the .3.254 gateway anymore (and therefore cannot 
access the proxy server running on PC_B).

   Even stranger: I kill the isakmpd processes on both machines, but traffic 
still goes through encrypted. So I do an


# ipsecadm flush

   and now the encrypted traffic (and encaps) disappear.

   But I still can't ping the 192.168.3.254 gateway from Client1!! Only after a 

# route flush

   I can now ping the gateway.


   I am afraid I am doing something wrong here, but I am out of ideas...



* * * * DETAILS ON PC_A:

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:09:5b:XX:XX:XX
        media: Ethernet autoselect (10baseT)
        status: active
        inet6 fe80::XXXXXXXXXX%sis0 prefixlen 64 scopeid 0x1
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:09:5b:XX:XX:XX
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::XXXXXXXXXX%sis1 prefixlen 64 scopeid 0x2
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:09:5b:XX:XX:XX
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::XXXXXXXXXX%sis2 prefixlen 64 scopeid 0x3
        inet 10.0.0.1 netmask 0xfffffff8 broadcast 10.0.0.7
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
        inet xxx.yyy.zzz.www --> 192.168.100.1 netmask 0xffffffff 

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.100.1      UGS         0  6442587      -   tun0
10.0.0.0/29        link#3             UC          0        0      -   sis2
10.0.0.1           00:09:5b:XX:XX:XX  UHLc        0       14      -   lo0
10.0.0.6           00:48:54:XX:XX:XX  UHLc        0    48980      -   sis2
loopback           localhost          UGRS        0        0  33224   lo0
localhost          localhost          UH          0    88414  33224   lo0
192.168.0/24       link#2             UC          0        0      -   sis1
192.168.0.37       00:00:e2:XX:XX:XX  UHLc        0        2      -   sis1
192.168.0.254      00:09:5b:XX:XX:XX  UHLc        0       30      -   lo0
192.168.3/24       10.0.0.6           UGS         0    31837      -   sis2
192.168.100.1      xxx.yyy.zzz.www    UH          0    14726   1492   tun0
BASE-ADDRESS.MCAST localhost          URS         0        0  33224   lo0


* * * * Again, on PC_A, but when isakmpd is running...:

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.100.1      UGS         0  6442980      -   tun0
10.0.0.0/29        link#3             UC          0        0      -   sis2
10.0.0.1           00:09:5b:XX:XX:XX  UHLc        0       14      -   lo0
10.0.0.6           00:48:54:XX:XX:XX  UHLc        0    49738      -   sis2
loopback           localhost          UGRS        0        0  33224   lo0
localhost          localhost          UH          0    88510  33224   lo0
192.168.0/24       link#2             UC          0        0      -   sis1
192.168.0.37       00:00:e2:XX:XX:XX  UHLc        0        2      -   sis1
192.168.0.254      00:09:5b:XX:XX:XX  UHLc        0       30      -   lo0
192.168.3/24       10.0.0.6           UGS         0    31987      -   sis2
192.168.3.70       10.0.0.6           UGHD        0    31987   1428   sis2
192.168.100.1      xxx.yyy.zzz.www    UH          0    14783   1492   tun0
BASE-ADDRESS.MCAST localhost          URS         0        0  33224   lo0

# netstat -r -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto 
SA(Address/Proto/Type/Direction)
192.168.3/24       0     0/0                0     0     10.0.0.6/50/use/in
0/0                0     192.168.3/24       0     0     10.0.0.6/50/require/out

# ipsecadm show
sadb_dump: satype esp vers 2 len 41 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x16025c46 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 103280 add 1124898166 first 1124898209
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1124899222
        address_src: 10.0.0.6
        address_dst: 10.0.0.1
        identity_src: type prefix id 0: 10.0.0.6/32
        identity_dst: type prefix id 0: 10.0.0.1/32
        key_auth: bits 160: 8284ea0XXXXX
        key_encrypt: bits 128: 5556dd7XXXX
sadb_dump: satype esp vers 2 len 41 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x0ce24726 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 173792 add 1124898166 first 1124898209
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1124899222
        address_src: 10.0.0.1
        address_dst: 10.0.0.6
        identity_src: type prefix id 0: 10.0.0.1/32
        identity_dst: type prefix id 0: 10.0.0.6/32
        key_auth: bits 160: c8b0d249XXXX
        key_encrypt: bits 128: d7352c05XXXX
sadb_dump: satype esp vers 2 len 37 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x37bcf897 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1124898163 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 10.0.0.6
        address_dst: 10.0.0.1
        identity_src: type prefix id 0: 10.0.0.6/32
        identity_dst: type prefix id 0: 10.0.0.1/32
        key_auth: bits 160: 8bae84c0XXXX
        key_encrypt: bits 128: ed58073XXXX
sadb_dump: satype esp vers 2 len 37 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x1f4ddfc1 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1124898163 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 10.0.0.1
        address_dst: 10.0.0.6
        identity_src: type prefix id 0: 10.0.0.1/32
        identity_dst: type prefix id 0: 10.0.0.6/32
        key_auth: bits 160: 2c68c90XXXX
        key_encrypt: bits 128: db900387XXXX




* * * * Details on PC_B

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            10.0.0.1           UGS         0        9      -   rl1
10.0.0.0/29        link#2             UC          0        0      -   rl1
10.0.0.1           00:09:5b:XX:XX:XX  UHLc        0        5      -   rl1
loopback           localhost          UGRS        0        0  33224   lo0
localhost          localhost          UH          0        0  33224   lo0
192.168.3/24       link#1             UC          0        0      -   rl0
192.168.3.70       00:50:fc:XX:XX:XX  UHLc        0      309      -   rl0
BASE-ADDRESS.MCAST localhost          URS         0        0  33224   lo0


* * * * Details on PC_B when isakmpd is running:

# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            10.0.0.1           UGS         0       41      -   rl1
10.0.0.0/29        link#2             UC          0        0      -   rl1
10.0.0.1           00:09:5b:XX:XX:XX  UHLc        0      483      -   rl1
10.0.0.6           00:48:54:XX:XX:XX  UHLc        0        4      -   lo0
loopback           localhost          UGRS        0        0  33224   lo0
localhost          localhost          UH          0        0  33224   lo0
192.168.3/24       link#1             UC          0        0      -   rl0
192.168.3.70       00:50:fc:XX:XX:XX  UHLc        0      822      -   rl0
BASE-ADDRESS.MCAST localhost          URS         0        0  33224   lo0

 -- The only difference from the previous routing table is the entry for the 
10.0.0.6 interface.


# netstat -r -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto 
SA(Address/Proto/Type/Direction)
0/0                0     192.168.3/24       0     0     10.0.0.1/50/use/in
192.168.3/24       0     0/0                0     0     10.0.0.1/50/require/out

# ipsecadm show
sadb_dump: satype esp vers 2 len 37 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x1f4ddfc1 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1124896296 first 0
        lifetime_soft: alloc 0 bytes 0 add 0 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 10.0.0.1
        address_dst: 10.0.0.6
        identity_src: type prefix id 0: 10.0.0.1/32
        identity_dst: type prefix id 0: 10.0.0.6/32
        key_auth: bits 160: 2c68c90XXXXXXXXXXxxxxxxxxx
        key_encrypt: bits 128: db90038XXXXXXXXxxxxxxxx
sadb_dump: satype esp vers 2 len 41 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x16025c46 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 91208 add 1124896299 first 1124896342
        lifetime_soft: alloc 0 bytes 0 add 0 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1124897359
        address_src: 10.0.0.6
        address_dst: 10.0.0.1
        identity_src: type prefix id 0: 10.0.0.6/32
        identity_dst: type prefix id 0: 10.0.0.1/32
        key_auth: bits 160: 8284ea0ddXXXXXXXXXXXXXXXXXXXXXXXXXX
        key_encrypt: bits 128: 5556dd7fXXXXXXXXXXXXXXXXXXXXXXXX
sadb_dump: satype esp vers 2 len 41 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x0ce24726 auth hmac-sha1 enc aes
                state larval replay 0 flags 4
        lifetime_cur: alloc 0 bytes 183408 add 1124896299 first 1124896342
        lifetime_soft: alloc 0 bytes 0 add 0 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1124897359
        address_src: 10.0.0.1
        address_dst: 10.0.0.6
        identity_src: type prefix id 0: 10.0.0.1/32
        identity_dst: type prefix id 0: 10.0.0.6/32
        key_auth: bits 160: c8b0d249XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        key_encrypt: bits 128: d7352c055XXXXXXXXXXXXXXXXXXXXXXXXXX
sadb_dump: satype esp vers 2 len 37 seq 0 pid 0
        errno 8: Exec format error
        sa: spi 0x37bcf897 auth hmac-sha1 enc aes
                state larval replay 16 flags 4
        lifetime_cur: alloc 0 bytes 0 add 1124896296 first 0
        lifetime_soft: alloc 0 bytes 0 add 0 first 0
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        address_src: 10.0.0.6
        address_dst: 10.0.0.1
        identity_src: type prefix id 0: 10.0.0.6/32
        identity_dst: type prefix id 0: 10.0.0.1/32
        key_auth: bits 160: 8bae84cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        key_encrypt: bits 128: ed58073XXXXXXXXXXXXXXXXXXXXXXXXXXXXX


 * NOTE: Anybody know what the "errno 8: Exec format error" means (second line 
after sadb_dump)?


* * * * Finally, here are the isakmpd.conf files, for PC_A (East) and PC_B 
(West):

#       $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
#       $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
# 192.168.3.0/24  - west [.6]  - 10.0.0.0/29 - [.1] east  - 0.0.0.0

# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on=              10.0.0.1

[Phase 1]

10.0.0.6=               ISAKMP-peer-west

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Local-address=          10.0.0.1
Address=                10.0.0.6
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.3.0
Netmask=                255.255.255.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

* * * PC_B:

#       $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $
#       $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Listen-on=              10.0.0.6

[Phase 1]
10.0.0.1=               ISAKMP-peer-east


[Phase 2]
Connections=            IPsec-west-east

[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Local-address=          10.0.0.6
Address=                10.0.0.1
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat


[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.3.0
Netmask=                255.255.255.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

* * * And the isakmpd.policy file (it's the same on both PC_A and PC_B):
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
        $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes";

* * * Finally, the pf.conf file from PC_A:
#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = "tun0"
int_if = "sis1"

EXT_IF = "tun0"

INT_IF = "sis1"

LOCAL_LAN = "192.168.0.0/24"

scrub in all
scrub out all

nat on $EXT_IF from $LOCAL_LAN to any -> $EXT_IF

nat on $EXT_IF from 10.0.0.0/29 to any -> $EXT_IF

nat on $EXT_IF from 192.168.3.0/24 to any -> $EXT_IF

block in log quick inet6 all
block out log quick inet6 all


 *  On PC_B the packet filter isn't even enabled.
    The NAT rule for 10.0.0.0/29 isn't needed. I just had it in there so I 
could ping google and download stuff from PC_B while I set things up properly.

* * * * * * * * * * * * * * * * * * * * * 

Final comments:


   Please note that if I reconfigure the isakmpd.conf files in order to set up 
a tunnel between 192.168.0.0/24 and 192.168.3.0/24 (simply a matter of 
replacing the two lines that read Network= 0.0.0.0 and Netmask= 0.0.0.0), 
everything works flawlessly. Or rather, all the traffic between the two 
networks is encrypted, I can ping the 192.168.3.254 interface from the .3.0/24 
network. But, of course, all other traffic (i.e. to the Internet) is not 
encrypted.

   I successfully used this setup in the past, but always connecting two 
subnets (even tunnelling through the Internet). This time the setup is somewhat 
different, however.

   Also, I found the Network= 0.0.0.0 / Netmask= 0.0.0.0 on this page:

      http://jcs.org/ipsec_wep

   and kind of adjusted them to my setup (hoping it worked...). He was using a 
different network configuration, however (the tunnel was between the gateway 
and a client, not between two gateways).

Thanks in advance.

---
Rob Denzi
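Added example (not from Rob's post): a small Python model of the `netstat -r -f encap` flow tables quoted above, to show which flow a packet leaving PC_B hits under the 0/0 flows versus the subnet-to-subnet flows described in the final comments. It assumes a simplified lookup (the most specific src+dst prefix wins) and uses the "netstat -r -f encap" rows from the post as constructed sample input; the subnet-to-subnet table is reconstructed from the isakmpd.conf change he describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: PC_B's "netstat -r -f encap" rows as quoted in the
# post (0/0 flows), and the narrower subnet-to-subnet flows described under
# "Final comments" (reconstructed here from the isakmpd.conf change mentioned).
PC_B_ENCAP_WIDE = """\
0/0                0     192.168.3/24       0     0     10.0.0.1/50/use/in
192.168.3/24       0     0/0                0     0     10.0.0.1/50/require/out
"""
PC_B_ENCAP_NARROW = """\
192.168.0/24       0     192.168.3/24       0     0     10.0.0.1/50/use/in
192.168.3/24       0     192.168.0/24       0     0     10.0.0.1/50/require/out
"""


@dataclass
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str        # SA endpoint address
    proto: int       # 50 = ESP
    kind: str        # use / require
    direction: str   # in / out


def expand_prefix(text):
    """netstat abbreviates prefixes ('0/0', '192.168.3/24'); pad to four octets."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))


def parse_encap(table):
    """Parse the data rows of 'netstat -r -f encap' into Flow objects."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6:          # skip headers and blank lines
            continue
        src, _sport, dst, _dport, _proto, sa = fields
        peer, proto, kind, direction = sa.split("/")
        flows.append(Flow(expand_prefix(src), expand_prefix(dst),
                          peer, int(proto), kind, direction))
    return flows


def match_flow(flows, src_ip, dst_ip, direction):
    """Most specific flow covering the packet, or None.  Simplified model of the
    kernel lookup: longest combined src+dst prefix wins (an assumption here)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for f in flows:
        if f.direction != direction or src not in f.src or dst not in f.dst:
            continue
        if best is None or f.src.prefixlen + f.dst.prefixlen > \
                best.src.prefixlen + best.dst.prefixlen:
            best = f
    return best


def verdict(flows, src_ip, dst_ip):
    """What happens to a packet PC_B sends: 'clear' or '<kind> ESP to <peer>'."""
    f = match_flow(flows, src_ip, dst_ip, "out")
    return "clear" if f is None else f"{f.kind} ESP to {f.peer}"


if __name__ == "__main__":
    wide, narrow = parse_encap(PC_B_ENCAP_WIDE), parse_encap(PC_B_ENCAP_NARROW)
    for s, d in [("192.168.3.254", "192.168.3.70"), ("192.168.3.70", "192.168.0.254")]:
        print(f"{s} -> {d}: 0/0 flows: {verdict(wide, s, d)}; "
              f"subnet flows: {verdict(narrow, s, d)}")
```

Under this model a reply from 192.168.3.254 to 192.168.3.70 is covered by the `192.168.3/24 -> 0/0 require/out` flow and is handed to ESP towards 10.0.0.1, whereas with the subnet-to-subnet flows the same LAN-local packet matches nothing and leaves rl0 in the clear.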




