Hello,

Thanks to both of you for your answers.
However, I'm really confused regarding where I should configure the OpenBSD ipsec gateway to use nat-t or not.

The only thing I'm aware of is
$ sysctl -a | grep udpencap
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500
But this just tells the kernel to support udp encapsulation for nat-t.

Fabio, in your configuration below I don't see anywhere that you specified you wanted to use nat-t.

I'm going to try to test your configuration.


----- Original message -----
> From: Mentesan <mente...@gmail.com>
> To: misc@openbsd.org
> Cc:
> Sent: Monday 14 November 2011 13:00
> Subject: Re: OpenBSD ipsec gateway behind a router
> 
> Hi :)
> 
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
> (central office) and 4.9 (branch office).
> With the following setup I can bring the tunnel up, but the networks can't
> talk to each other:
> 
> Central ipsec.conf
> -------------------------
> ike passive esp tunnel from 10.20.0.0/16 to any \
>         srcid matriz.domain.com.br \
>         psk testefilial
> ------------
> 
> Branch ipsec.conf
> -------------------------
> matriz_net = "10.20.0.0/16"
> matriz_gw = "178.9.35.10"
> filial_net = "10.10.11.0/24"
> 
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>         srcid filial.domain.com.br \
>         dstid matriz.domain.com.br \
>         psk testefilial
> -----------
> 
> # ipsecctl -sa
> FLOWS:
> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
> 
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
> 
> -----------
> 
> # route -n show -encap
> Routing tables
> 
> Encap:
> Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
> 10.10.11/24        0     10.20/16           0     0      185.53.27.23/esp/use/in
> 10.20/16           0     10.10.11/24        0     0      185.53.27.23/esp/require/out
> 
> 
> Fabio Almeida
> 
> On 13/11/2011, at 12:06, Mik J wrote:
> 
>> Hello,
>> 
>> I would like to know if such a configuration is possible.
>> 
>> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>> 
>> As you can see the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
>> When it wants to access the internet, its address 192.168.10.99 is natted to IPx and
>> that's how the IPSec_GW (Vendor) sees the source packets.
>> 
>> It's not really important now if other machines on LAN1 should ping machines on
>> LAN2. I would like for now that the OpenBSD could ping machines on LAN2.
>> 
>> I have searched for examples on the internet for this particular case
>> because the OpenBSD is behind a nat router. And I haven't found the
>> proper way to do this. I don't even know if it's possible. I know some
>> kind of nat-t should be used though.
>> 
>> Does anyone have this configuration in place?
>> 
>> Thanks
> 
> [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
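For reference, here is how the NATed side of the setup Mik J describes is normally written. This is an added example, not configuration posted by anyone in the thread. It takes the addresses from the diagram above (OpenBSD host 192.168.10.99 on LAN1, LAN2 192.168.20.0/24); the vendor gateway's public address IPY, the external interface name em0, the identities and the pre-shared key are placeholders. There is no nat-t keyword in ipsec.conf because isakmpd handles it on its own: with net.inet.esp.udpencap=1 it detects the NAT during the phase 1 exchange and moves the rest of IKE and the ESP traffic to UDP port 4500 (isakmpd -T disables this). What the configuration does have to do is make the NATed host the initiator and let UDP 500 and 4500 out through pf.

```conf
# /etc/ipsec.conf on the OpenBSD host behind the NAT router
# (added example; IPY, em0, the IDs and the PSK are placeholders)
lan2    = "192.168.20.0/24"
peer_gw = "IPY"                 # public address of the vendor IPSec gateway

# The NATed host must initiate: the router will not forward an unsolicited
# IKE packet from the vendor to 192.168.10.99. "dynamic" is active mode plus
# dead peer detection, so the tunnel is brought up again after the NAT
# binding times out. The local endpoint is the host itself, not LAN1.
ike dynamic esp tunnel from 192.168.10.99 to $lan2 peer $peer_gw \
        srcid host.example.org dstid vendor.example.org \
        psk "replace-with-a-long-random-secret"

# /etc/pf.conf fragment on the same host
# IKE starts on udp/500; once both sides have seen the NAT, IKE and ESP
# continue on udp/4500, so no "proto esp" rule is needed on this host.
ext_if  = "em0"
peer_gw = "IPY"
pass out on $ext_if proto udp from ($ext_if) to $peer_gw port { 500, 4500 }
# decapsulated traffic appears on the enc(4) interface
pass on enc0
```

After loading the rules with ipsecctl -f /etc/ipsec.conf and starting isakmpd -K, ipsecctl -sa should list one flow per direction and two SAD entries, as in Fabio's output; a tcpdump on the external interface shows the exchange on udp port 4500 rather than raw ESP once the NAT has been detected. Replace 192.168.10.99 with 192.168.10.0/24 only when the host is meant to act as the gateway for the rest of LAN1, which the thread deliberately leaves for later.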
