On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <mente...@gmail.com> wrote:
> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
> (central office) and 4.9 (branch office).
> With the following setup I can bring the tunnel up, but the networks can't
> talk to each other:
>
> Central ipsec.conf
> -------------------------
> ike passive esp tunnel from 10.20.0.0/16 to any \
>         srcid matriz.domain.com.br \
>         psk testefilial
> ------------
>
> Branch ipsec.conf
> -------------------------
> matriz_net = "10.20.0.0/16"
> matriz_gw = "178.9.35.10"
> filial_net = "10.10.11.0/24"
>
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>         srcid filial.domain.com.br \
>         dstid matriz.domain.com.br \
>         psk testefilial
> -----------
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>
> -----------
>
> # route -n show -encap
> Routing tables
>
> Encap:
> Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
> 10.10.11/24     0     10.20/16        0     0      185.53.27.23/esp/use/in
> 10.20/16        0     10.10.11/24     0     0      185.53.27.23/esp/require/out
>
>
> Fabio Almeida
>
> On 13/11/2011, at 12:06, Mik J wrote:
>
> > Hello,
> >
> > I would like to know if such a configuration is possible.
> >
> > LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
> >
> > As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
> > When it wants to access the internet, its address 192.168.10.99 is natted in IPx, and that's
> > how the IPSec_GW (Vendor) sees the source packets.
> >
> > It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like,
> > for now, that the OpenBSD could ping machines on LAN2.
> >
> > I have searched for examples on the internet for this particular case because the OpenBSD is behind a
> > NAT router, and I haven't found the proper way to do this. I don't even know if it's possible. I know
> > some kind of NAT-T should be used though.
> >
> > Does anyone have this configuration in place?
> >
> > Thanks

Hi!

I think the problem in your case is HMAC-SHA2 incompatibility between releases before 4.7 and 4.7 (and upwards) releases.

Please check this link: http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

regards,
Joosep
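The symptom in the thread (flows and SAs present in `ipsecctl -sa`, yet no traffic crosses the tunnel) is what an HMAC-SHA2 mismatch looks like: IKE negotiates the SA normally, and only the ESP packets themselves fail the integrity check on receipt. A quick way to confirm the diagnosis before touching routing is to read the SAD back and check which authentication algorithm each SA actually got. The script below is an added example, not code from the thread or from OpenBSD; it embeds the `ipsecctl -sa` output Fabio posted as a constructed sample, and the list of "peers running a release older than 4.7" (here the 4.4 central gateway, 178.9.35.10) is an assumption you supply from your own inventory.

```shell
#!/bin/sh
# Added example (not from the thread): flag ESP SAs that negotiated
# hmac-sha2-* authentication with a peer still running OpenBSD < 4.7.
# Such SAs come up but pass no traffic (see the upgrade47 FAQ entry).

# Constructed sample: the `ipsecctl -sa` output copied from the post.
SAMPLE_SAD='FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes'

# sa_auth_report: read `ipsecctl -sa` output on stdin and print one line
# per ESP SA in the SAD section:  <src> <dst> <spi> <auth>
sa_auth_report() {
    in_sad=0
    while IFS= read -r line; do
        case "$line" in
            SAD:)   in_sad=1; continue ;;
            FLOWS:) in_sad=0; continue ;;
        esac
        [ "$in_sad" -eq 1 ] || continue
        # tokens: esp tunnel from SRC to DST spi SPI auth AUTH enc ENC
        set -- $line
        [ "${1:-}" = "esp" ] || continue
        src= dst= spi= auth=
        while [ $# -gt 0 ]; do
            case "$1" in
                from) src=$2; shift ;;
                to)   dst=$2; shift ;;
                spi)  spi=$2; shift ;;
                auth) auth=$2; shift ;;
            esac
            shift
        done
        printf '%s %s %s %s\n' "$src" "$dst" "$spi" "$auth"
    done
}

# sha2_mismatch OLD_PEERS: read `ipsecctl -sa` output on stdin; for every SA
# whose auth is hmac-sha2-* and whose source or destination is one of the
# space-separated OLD_PEERS (gateways assumed to run a pre-4.7 release),
# print "<spi> <src>-><dst> <auth>". Prints nothing when all SAs are fine.
sha2_mismatch() {
    old_peers=$1
    sa_auth_report | while read -r src dst spi auth; do
        case "$auth" in
            hmac-sha2-*) ;;
            *) continue ;;
        esac
        for p in $old_peers; do
            if [ "$p" = "$src" ] || [ "$p" = "$dst" ]; then
                printf '%s %s->%s %s\n' "$spi" "$src" "$dst" "$auth"
            fi
        done
    done
}

# Stand-alone run against the sample; on a live box use:
#   ipsecctl -sa | sha2_mismatch "178.9.35.10"
printf '%s\n' "$SAMPLE_SAD" | sha2_mismatch "178.9.35.10"
```

Both SAs in the sample are reported, which is consistent with Joosep's diagnosis. If the check fires, the choices are the ones the linked FAQ entry covers: bring the 4.4 box up to 4.7 or later, or pin an authentication algorithm both releases agree on in the `ike` rule on each side (for example `quick auth hmac-sha1`), then `ipsecctl -F` and reload so the SAs are renegotiated. Treat hmac-sha1 pinning as a stop-gap; the real fix is the upgrade.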