Hello @misc: I am up against a stumper. I have a site-to-site IPsec VPN working beautifully. However, I would like the remote site to route all of its traffic through the VPN. After googling, I seemed to come up with a suggestion to do a "route change -net 0.0.0.0/0 <gateway>", which didn't work well. I think it might have to do with NAT. The main office is doing the NAT. Perhaps I need some sort of NAT traversal on the VPN?
Here is my setup:

--Main Office--

cat /etc/ipsec.conf:

me="A.B.C.D"
mypeer="E.F.G.H"
mypsk="mypsk"

ike passive esp from $me to $mypeer peer $mypeer \
        main auth hmac-sha1 enc 3des group modp1024 \
        srcid $me dstid $mypeer \
        psk $mypsk

cat /etc/hostname.gre0:

inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2

cat /etc/pf.conf:

set skip on {lo, gre0, enc0}
anchor "ftp-proxy/*"

block in log all
pass out all
antispoof for tun0

table <bruteforce> persist
table <trustednets> {10.40.60.0/24, 10.40.65.0/24}

match out on tun0 from <trustednets> to any nat-to (tun0)

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from <bruteforce>
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
pass on em0 from <trustednets> to any

--Branch Office--

cat /etc/ipsec.conf:

me="E.F.G.H"
mypeer="A.B.C.D"
mypsk="mypsk"

ike esp from $me to $mypeer peer $mypeer \
        main auth hmac-sha1 enc 3des group modp1024 \
        srcid $me dstid $mypeer \
        psk $mypsk

cat /etc/hostname.gre0:

inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1

Firewall disabled for now - nothing other than sshd and isakmpd are running.

Thanks,
Matt
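Added example (editor's illustration, not part of Matt's post): the main-office pf.conf above already NATs 10.40.65.0/24 out of tun0 via the <trustednets> table, so NAT is not the first thing to check. A more common reason that pointing the branch's default route into gre0 "doesn't work well" is recursive routing: once 0.0.0.0/0 points at 172.16.254.1, the encapsulated GRE/ESP packets addressed to the main office's public IP are themselves matched by that default route and sent back into the tunnel, unless a more specific host route to the peer stays on the physical uplink. The simulation below implements longest-prefix-match lookup over a constructed copy of the branch routing table and follows one level of tunnel encapsulation to show the loop. All addresses are constructed: 192.0.2.10 stands in for A.B.C.D, 198.51.100.20 for E.F.G.H, and 198.51.100.1 is an assumed ISP gateway; `em0` on the branch is an assumed uplink name.

```python
"""Longest-prefix-match routing simulation for a GRE-over-IPsec branch router.

Editor's added example, not code from the original post. Addresses are
constructed (RFC 5737 documentation ranges); the branch uplink name em0 and
the ISP gateway are assumptions.
"""
import ipaddress
from dataclasses import dataclass

MAIN_OFFICE = "192.0.2.10"       # stands in for A.B.C.D (tunnel peer endpoint)
BRANCH_UPLINK = "198.51.100.20"  # stands in for E.F.G.H
ISP_GATEWAY = "198.51.100.1"     # assumed next hop on the branch uplink
TUNNEL_GW = "172.16.254.1"       # main-office end of gre0, as posted


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop, or "link" for a directly connected prefix
    iface: str


def route(cidr: str, gateway: str, iface: str) -> Route:
    return Route(ipaddress.ip_network(cidr), gateway, iface)


def lookup(fib, dst: str):
    """Classic FIB lookup: the matching route with the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def resolve(fib, dst: str) -> str:
    """Return the wire interface a packet to dst leaves on.

    A packet routed into gre0 is encapsulated with the outer destination set
    to the tunnel peer, and that outer packet is looked up again. If the outer
    lookup also lands on gre0, the packet would re-enter the tunnel forever:
    recursive routing, which the kernel treats as a black hole.
    """
    first = lookup(fib, dst)
    if first is None:
        return "unreachable"
    if first.iface != "gre0":
        return first.iface
    outer = lookup(fib, MAIN_OFFICE)
    if outer is None:
        return "unreachable"
    if outer.iface == "gre0":
        return "recursive"
    return f"gre0->{outer.iface}"


def branch_fib():
    """Branch routing table as implied by the posted hostname.gre0 (constructed)."""
    return [
        route("198.51.100.0/24", "link", "em0"),        # uplink, directly connected
        route("0.0.0.0/0", ISP_GATEWAY, "em0"),        # ISP default route
        route(f"{TUNNEL_GW}/32", "link", "gre0"),       # point-to-point gre0 peer
        route("10.40.60.0/24", TUNNEL_GW, "gre0"),      # !route add -net 10.40.60 ...
    ]


def default_into_tunnel(fib):
    """The suggested change: replace the default route with one via gre0."""
    kept = [r for r in fib if r.prefix.prefixlen != 0]
    return kept + [route("0.0.0.0/0", TUNNEL_GW, "gre0")]


def add_peer_host_route(fib):
    """Pin the tunnel endpoint to the physical uplink with a /32 host route."""
    return fib + [route(f"{MAIN_OFFICE}/32", ISP_GATEWAY, "em0")]


if __name__ == "__main__":
    tables = {
        "as posted": branch_fib(),
        "default via gre0, no host route": default_into_tunnel(branch_fib()),
        "default via gre0 + /32 to peer": add_peer_host_route(default_into_tunnel(branch_fib())),
    }
    for name, fib in tables.items():
        for dst in ("10.40.60.5", "8.8.8.8", MAIN_OFFICE):
            print(f"{name:34} {dst:15} -> {resolve(fib, dst)}")
```

Running it shows that with only the default route moved into gre0, even the 10.40.60.0/24 traffic that worked before becomes "recursive", while adding the host route for the peer restores both the branch LAN and Internet-bound traffic via "gre0->em0". On the main office side the posted `nat-to (tun0)` rule already covers the branch network, and the `!route add -net 10.40.65` line provides the return path. Separately, the posted IKE proposals (3des, hmac-sha1, modp1024) are weak by current standards and worth upgrading once the routing question is settled.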