On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 <gateway>, which didn't
> work well. I think it might have to do with NAT. The main office is doing
> the NAT. Perhaps I need some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
> main auth hmac-sha1 enc 3des group modp1024 \
> srcid $me dstid $mypeer \
> psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table <bruteforce> persist
> table <trustednets> {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from <trustednets> to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from <bruteforce>
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
> pass on em0 from <trustednets> to any
>
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
> main auth hmac-sha1 enc 3des group modp1024 \
> srcid $me dstid $mypeer \
> psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>
Matt,
did you put on the branch router a route like
route add A.B.C.D <branch isp gateway> ?
Beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the VPN traffic through your tunnel, so
you get a race condition.
claudiu.
--
Claudiu Pruna <[email protected]>
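The recursive-routing problem Claudiu describes, as an added example that is not part of the thread: a small longest-prefix-match model of the branch router's route table shows why a bare default route via 172.16.254.1 sends the tunnel's own outer packets (destined for the main office's public address) back into gre0, and why a host route for the peer via the ISP gateway fixes it. The public addresses, the ISP gateway and the interface name vio0 are constructed stand-ins for A.B.C.D, <branch isp gateway> and the branch's real uplink.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (documentation ranges), not the addresses from the thread.
MAIN_OFFICE = ip_address("203.0.113.10")    # plays the role of A.B.C.D
BRANCH_ISP_GW = ip_address("198.51.100.1")  # plays the role of <branch isp gateway>
TUNNEL_PEER = ip_address("172.16.254.1")    # main-office end of gre0, as in the thread

def lookup(table, dst):
    """Longest-prefix match: return (gateway, iface) of the most specific route, or None."""
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1:] if best else None

def egress_path(table, dst):
    """Follow a packet out of the box. Anything routed to gre0 is encapsulated and the
    outer packet (dst = MAIN_OFFICE) must be routed again; if that second lookup also
    lands on gre0, the tunnel is feeding itself. Returns the interfaces touched."""
    path = []
    while True:
        hit = lookup(table, dst)
        if hit is None:
            return path + ["unreachable"]
        gw, iface = hit
        path.append(iface)
        if iface != "gre0":
            return path                    # left via a physical interface
        if dst == MAIN_OFFICE:
            return path + ["loop"]         # outer packet sent back into the tunnel
        dst = MAIN_OFFICE                  # route the encapsulated outer packet

# Route entries as (prefix, gateway, interface), shaped like the branch router's table.
ISP_LINK = (ip_network("198.51.100.0/24"), None, "vio0")          # constructed uplink net
DEFAULT_VIA_TUNNEL = (ip_network("0.0.0.0/0"), TUNNEL_PEER, "gre0")  # 'route add default 172.16.254.1'
PEER_HOST_ROUTE = (ip_network("203.0.113.10/32"), BRANCH_ISP_GW, "vio0")  # 'route add A.B.C.D <isp gw>'

BROKEN_TABLE = [ISP_LINK, DEFAULT_VIA_TUNNEL]
FIXED_TABLE = [ISP_LINK, DEFAULT_VIA_TUNNEL, PEER_HOST_ROUTE]

if __name__ == "__main__":
    client_dst = ip_address("192.0.2.50")  # constructed Internet destination from a branch host
    print("default only :", egress_path(BROKEN_TABLE, client_dst))
    print("with host rt :", egress_path(FIXED_TABLE, client_dst))
    print("IKE to peer  :", egress_path(FIXED_TABLE, MAIN_OFFICE))
```

The model is deliberately simplified (a real kernel will drop rather than spin), but it reproduces the ordering point: the /32 for the peer must exist before the default route is pointed at the tunnel.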