Hi

I have a "site to point" IPSec VPN. The "point" is an OpenBSD 4.8
server. Attached to the server is a network which I've allowed through
to the site following the section "OUTGOING NETWORK ADDRESS
TRANSLATION" in ipsec.conf(5).

That's great. However, now traffic originating from the OpenBSD server
destined for the site isn't getting through (as there's no flow). Is
there a way I can achieve this without changing anything on the remote
peer? I'd prefer not to create a pseudo device locally either.

Here's my config:

# ipsec.conf
ike esp from A.A.A.A (192.168.24.0/24) to 10.2.1.0/24 peer B.B.B.B \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk somepass

# pf.conf
match out on enc0 from 192.168.24.0/24 to 10.2.1.0/24 nat-to A.A.A.A

# ipsecctl -s all
FLOWS:
flow esp in from 10.2.1.0/24 to 192.168.24.0/24 peer B.B.B.B srcid A.A.A.A/32 dstid B.B.B.B/32 type use
flow esp out from 192.168.24.0/24 to 10.2.1.0/24 peer B.B.B.B srcid A.A.A.A/32 dstid B.B.B.B/32 type require

SAD:
esp tunnel from B.B.B.B to A.A.A.A spi 0x1f06aba1 auth hmac-sha1 enc 3des-cbc
esp tunnel from A.A.A.A to B.B.B.B spi 0x8aa6d59a auth hmac-sha1 enc 3des-cbc

BG
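As an added illustration (not part of the original post, and not OpenBSD's own code), here is the lookup the kernel's flow table performs, run over the FLOWS output quoted above: it parses the wrapped `ipsecctl -s all` lines and reports whether a given source/destination pair is covered by an outgoing flow. The address 203.0.113.10 used when exercising it is a constructed stand-in for the server's own address A.A.A.A.

```python
import ipaddress
import re

# Constructed sample: the FLOWS section of `ipsecctl -s all` as it appears in the
# post, including the two lines the mail client wrapped mid-flow.
SAMPLE = """\
FLOWS:
flow esp in from 10.2.1.0/24 to 192.168.24.0/24 peer B.B.B.B srcid
A.A.A.A/32 dstid B.B.B.B/32 type use
flow esp out from 192.168.24.0/24 to 10.2.1.0/24 peer B.B.B.B srcid
A.A.A.A/32 dstid B.B.B.B/32 type require
"""

FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+)(?: srcid \S+)?(?: dstid \S+)? type (?P<type>\S+)$"
)

def rejoin_wrapped(text):
    """Glue lines a mail client wrapped back onto the 'flow ...' line they belong to."""
    lines = []
    for s in (raw.strip() for raw in text.splitlines()):
        if s and lines and lines[-1].startswith("flow ") and not s.startswith("flow "):
            lines[-1] += " " + s
        else:
            lines.append(s)
    return lines

def parse_flows(text):
    """Parse each flow line; src/dst become ip_network objects for containment tests."""
    flows = []
    for line in rejoin_wrapped(text):
        m = FLOW_RE.match(line)
        if m:
            f = m.groupdict()
            f["src"] = ipaddress.ip_network(f["src"], strict=False)
            f["dst"] = ipaddress.ip_network(f["dst"], strict=False)
            flows.append(f)
    return flows

def matching_flow(flows, src_ip, dst_ip, direction="out"):
    """First flow of the given direction covering src_ip -> dst_ip, or None.
    With no matching 'out' flow the kernel never hands the packet to IPsec, which
    is why traffic sourced from the server's own address A.A.A.A is not tunnelled."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for f in flows:
        if f["dir"] == direction and src in f["src"] and dst in f["dst"]:
            return f
    return None
```

Running `matching_flow(parse_flows(SAMPLE), "203.0.113.10", "10.2.1.5")` returns None while a 192.168.24.0/24 source matches the `require` flow, which is the asymmetry the post describes.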
