Hello @misc:

I am up against a stumper.  I have a Site-to-Site IPsec VPN working
beautifully.  However, I would like the remote site to route all of its
traffic through the VPN.  After googling, I seemed to come up with a
suggestion to do a
route change -net 0.0.0.0/0 <gateway>
which didn't work well.  I think it might have to do with NAT.  The main
office is doing the NAT.  Perhaps I need some sort of NAT traversal on the
VPN?

Here is my setup:

--Main Office--
cat /etc/ipsec.conf:
me="A.B.C.D"
mypeer="E.F.G.H"
mypsk="mypsk"

ike passive esp from $me to $mypeer peer $mypeer \
  main auth hmac-sha1 enc 3des group modp1024 \
  srcid $me dstid $mypeer \
  psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2

cat /etc/pf.conf:
set skip on {lo, gre0, enc0}

anchor "ftp-proxy/*"

block in log all
pass out all

antispoof for tun0
table <bruteforce> persist
table <trustednets> {10.40.60.0/24, 10.40.65.0/24}

match out on tun0 from <trustednets> to any nat-to (tun0)

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from <bruteforce>
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
pass on em0 from <trustednets> to any


--Branch Office--
cat /etc/ipsec.conf:
me="E.F.G.H"
mypeer="A.B.C.D"
mypsk="mypsk"

ike esp from $me to $mypeer peer $mypeer \
  main auth hmac-sha1 enc 3des group modp1024 \
  srcid $me dstid $mypeer \
  psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1

Firewall disabled for now - nothing other than sshd and isakmpd are running.

Thanks,
Matt
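Added example (not part of Matt's post, and not his configuration): when the branch office points its default route into gre0, the GRE/ESP packets that carry the tunnel itself are also destined for the main office's public address, so without a more specific route for that peer via the physical uplink they would be routed back into the tunnel. The script below plans the two route(8) commands in the order that avoids this, and checks a routing table for the trap. The 172.16.254.x tunnel addresses are from the post; 203.0.113.10 stands in for A.B.C.D, and the branch's uplink gateway 198.51.100.1 is a hypothetical placeholder the post does not give. The sample routing tables are constructed and use a simplified `route -n show -inet` layout.

```python
import ipaddress

# Constructed stand-ins for the post's placeholders (documentation ranges).
MAIN_PUBLIC = "203.0.113.10"        # A.B.C.D: the IPsec/GRE peer, seen from the branch
BRANCH_UPLINK_GW = "198.51.100.1"   # hypothetical: the branch router's ISP gateway
TUNNEL_REMOTE = "172.16.254.1"      # main-office end of gre0 (from the post)


def plan_default_via_tunnel(peer, uplink_gw, tunnel_gw):
    """Return route(8) commands in the order they must run on the branch box:
    first pin the tunnel peer to the physical uplink, only then move the
    default route into the tunnel."""
    return [
        f"route add -host {peer} {uplink_gw}",
        f"route change default {tunnel_gw}",
    ]


def parse_routes(text):
    """Parse Destination, Gateway and Iface columns of a `route -n show -inet`
    style table (constructed, simplified layout: iface is the last column)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("Routing", "Destination"):
            continue
        dest, gw, iface = parts[0], parts[1], parts[-1]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"              # host route printed without a mask
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append({"net": net, "gw": gw, "iface": iface})
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the way the kernel selects a route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def check_tunnel_default(routes, peer, tunnel_iface="gre0"):
    """Findings (strings) if the default route enters the tunnel while the
    tunnel's own outer packets to `peer` would also be sent into it."""
    findings = []
    default = next((r for r in routes if r["net"].prefixlen == 0), None)
    if default is None or default["iface"] != tunnel_iface:
        return findings                # default not via the tunnel: nothing to check
    via = lookup(routes, peer)
    if via is None or via["iface"] == tunnel_iface:
        findings.append(
            f"recursive routing: default is via {tunnel_iface}, but peer {peer} "
            f"has no more-specific route over the physical uplink"
        )
    return findings


# Constructed sample: branch box right after `route change default 172.16.254.1`.
BROKEN_TABLE = """Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            172.16.254.1       UGS        0        0     -     8 gre0
172.16.254.0/30    172.16.254.2       UCn        0        0     -     4 gre0
198.51.100.0/24    198.51.100.20      UCn        0        0     -     4 em0
"""

# Constructed sample: same box after also pinning the peer to the uplink.
FIXED_TABLE = BROKEN_TABLE + "203.0.113.10       198.51.100.1       UGHS       0        0     -     8 em0\n"


if __name__ == "__main__":
    for cmd in plan_default_via_tunnel(MAIN_PUBLIC, BRANCH_UPLINK_GW, TUNNEL_REMOTE):
        print(cmd)
    print("before:", check_tunnel_default(parse_routes(BROKEN_TABLE), MAIN_PUBLIC))
    print("after: ", check_tunnel_default(parse_routes(FIXED_TABLE), MAIN_PUBLIC))
```

The main-office side already has what the branch's traffic needs once it arrives: 10.40.65.0/24 is in <trustednets>, so the existing "match out on tun0 ... nat-to (tun0)" rule translates it, and net.inet.ip.forwarding must be enabled there as it is for the existing site-to-site traffic. The check above only inspects the branch routing table; a paste of the real `route -n show -inet` output can be fed to parse_routes in place of the constructed sample.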
