Hello,

Thanks to both of you for your answer. However I'm really confused regarding where I should configure the OpenBSD ipsec gateway to use nat-t or not.

The only thing I'm aware of is

$ sysctl -a | grep udpencap
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500

But it just tells the kernel to support udp encapsulation for nat-t.

Fabio, in your configuration below I don't see anywhere you specified you wanted to use nat-t.
I'm going to try to test your configuration.

----- Original Message -----
> From: Mentesan <mente...@gmail.com>
> To: misc@openbsd.org
> Cc:
> Sent: Monday 14 November 2011 13:00
> Subject: Re: OpenBSD ipsec gateway behind a router
>
> Hi :)
>
> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
> office) and 4.9 (branch office).
> With the following setup I can bring the tunnel up, but the networks can't
> talk to each other:
>
> Central ipsec.conf
> -------------------------
> ike passive esp tunnel from 10.20.0.0/16 to any \
>     srcid matriz.domain.com.br \
>     psk testefilial
> ------------
>
> Branch ipsec.conf
> -------------------------
> matriz_net = "10.20.0.0/16"
> matriz_gw = "178.9.35.10"
> filial_net = "10.10.11.0/24"
>
> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>     srcid filial.domain.com.br \
>     dstid matriz.domain.com.br \
>     psk testefilial
> -----------
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>
> SAD:
> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>
> -----------
>
> # route -n show -encap
> Routing tables
>
> Encap:
> Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
> 10.10.11/24     0     10.20/16        0     0      185.53.27.23/esp/use/in
> 10.20/16        0     10.10.11/24     0     0      185.53.27.23/esp/require/out
>
>
> Fabio Almeida
>
> On 13/11/2011, at 12:06, Mik J wrote:
>
>> Hello,
>>
>> I would like to know if such configuration is possible.
>>
>> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>
>> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
>> When it wants to access the internet, its address 192.168.10.99 is natted in IPx and that's how the IPSec_GW(Vendor) sees the source packets.
>>
>> It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for now that the OpenBSD could ping machines on LAN2.
>>
>> I have searched for examples on the internet for this particular case because the OpenBSD is behind a nat router. And I haven't found the proper way to do this. I don't even know if it's possible. I know some kind of nat-t should be used though.
>>
>> Does anyone have this configuration in place?
>>
>> Thanks
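The setup Mik J describes (OpenBSD 4.9 at 192.168.10.99 on LAN1, behind a NAT router, vendor IPsec gateway at IPy in front of LAN2), written out as an added example that is not from anyone in this thread. IPy, the interface name, the FQDN identities and the PSK are placeholders, and it assumes the vendor gateway accepts NAT-T and FQDN identities.

```conf
# Added example, not from the thread. Host-to-network IPsec from the
# OpenBSD box on LAN1 (private address, behind a NAT router) to the
# vendor gateway. Replace every placeholder before use.

# --- /etc/sysctl.conf: kernel side of NAT-T (already 1 in the sysctl
# output quoted above; shown so the dependency is explicit) ---
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500

# --- /etc/ipsec.conf ---
vendor_gw = "IPy"                  # placeholder: public address of IPSec_GW
lan2      = "192.168.20.0/24"

# Behind NAT the peer sees IPx as the source, so identities are carried as
# FQDNs (srcid/dstid), not as IP addresses. NAT-T itself is negotiated by
# isakmpd with the peer; ipsec.conf has no keyword to turn it on or off.
# 'dynamic' (as in Fabio's branch config) is active mode with Dead Peer
# Detection enabled, suited to a local end whose address is not fixed.
ike dynamic esp tunnel from 192.168.10.99 to $lan2 peer $vendor_gw \
    srcid openbsd-lan1.example.com \
    dstid ipsecgw.example.com \
    psk "REPLACE_WITH_SHARED_SECRET"

# --- /etc/pf.conf (only the rules this tunnel needs) ---
ext_if    = "em0"                  # placeholder: the single physical interface
vendor_gw = "IPy"
lan2      = "192.168.20.0/24"

# IKE starts on UDP 500; once NAT is detected both IKE and ESP move to
# UDP 4500, so ESP (IP protocol 50) never has to cross the router itself.
pass out on $ext_if proto udp from ($ext_if) to $vendor_gw port { 500, 4500 }
pass in  on $ext_if proto udp from $vendor_gw to ($ext_if) port { 500, 4500 }

# Decapsulated traffic is seen on enc0 and still has to be allowed there.
pass on enc0 from 192.168.10.99 to $lan2 keep state (if-bound)
pass on enc0 from $lan2 to 192.168.10.99 keep state (if-bound)
```

After loading the rules (`pfctl -f /etc/pf.conf`, `ipsecctl -f /etc/ipsec.conf` with isakmpd running), `ipsecctl -sa` should show the flows and SAs for 192.168.10.99 <-> 192.168.20.0/24, and the SAs' outer addresses will be IPy and the private address, with UDP 4500 carrying the traffic on the wire.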