Hello,

Can anyone validate, or give some advice on, this setup:

LAN (10.20/16) <----> OpenBSD (public fixed IP) <------> (public dynamic IP) LAN ROUTER <-----> OpenBSD <-----> LAN (10.10.11/24)

There's a *need* to have that "LAN ROUTER" on the client side.
Let's call the first OpenBSD box "Server" and the other "Client".

The config I'm using is:
Server
---------
# responder: fixed public IP, accepts the IKE exchange from any address
ike passive esp tunnel from 10.20.0.0/16 to any \
                srcid matriz.gruponp.com.br \
                psk testevpn

Client
--------
# initiator: dynamic public IP behind the LAN ROUTER, peer is the Server's fixed IP
ike dynamic esp tunnel from 10.10.11.0/24 to 10.20.0.0/16 peer 187.8.53.34 \
                srcid filial.gruponp.com.br \
                dstid matriz.gruponp.com.br \
                psk testevpn
--------

This config can bring the tunnel up, and even the routes appear, but the
networks can't talk to each other.

Do I need to redirect ports on the client side (LAN ROUTER redirect ports 500,
4500 to OpenBSD)?
Is everything messed up and the tunnel is established by pure luck?

Thanks in advance,
Fabio Almeida

On 14/11/2011, at 14:25, Boris Goldberg wrote:

> Hello Mik,
>
> Sunday, November 13, 2011, 8:06:32 AM, you wrote:
>
> MJ> I would like to know if such a configuration is possible.
>
> MJ> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
> MJ> IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>
> MJ> As you can see, the OpenBSD 4.9 server sits on LAN1 and has one physical
> MJ> interface. When it wants to access the internet, its address 192.168.10.99
> MJ> is NATed to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>
> MJ> It's not really important now whether other machines on LAN1 should ping
> MJ> machines on LAN2. For now I would like the OpenBSD to be able to ping
> MJ> machines on LAN2.
>
> MJ> I have searched for examples on the internet for this particular case,
> MJ> because the OpenBSD is behind a NAT router, and I haven't found the proper
> MJ> way to do this. I don't even know if it's possible. I know some kind of
> MJ> NAT-T should be used, though.
>
> MJ> Does anyone have this configuration in place?
>
>  There are two problems in that configuration: IPsec behind a NAT and one
> physical interface.
>
>  IPsec behind a NAT works more often than not. I have a similar working
> configuration myself (but with two interfaces). I would recommend using UDP
> encapsulation if the other side supports it.
>
>  I would recommend getting a computer with 2 network interfaces. Otherwise
> it's going to be very complicated at best. The /24 (on the left) is for sure
> not going to work.


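A fuller version of the two configurations, added here as an illustration; it is not taken from Fabio's post or from any OpenBSD documentation. It keeps the addresses and FQDN identities from the post (Server fixed IP 187.8.53.34, the two LANs, matriz/filial), and assumes that the external interface of each box is in the egress group, that pf is enabled and would otherwise block, and that the test PSK is replaced by a long random value (the placeholder string is an assumption, not a real key). The pf.conf fragment is the part that is usually missing when "the tunnel is up but the networks can't talk": IKE, NAT-T and ESP have to be allowed on the outside interface, and the decapsulated traffic has to be allowed on enc0. Because the Client initiates (ike dynamic with a peer address), the LAN ROUTER only has to let outbound UDP 500/4500 through and keep its NAT state; no port redirection to the Client is needed. isakmpd detects the NAT during IKE and switches to UDP encapsulation on port 4500 by itself.

```conf
# --- /etc/ipsec.conf on "Server" (fixed public IP 187.8.53.34) ---
# Responder only: the Client's address is dynamic and rewritten by the
# LAN ROUTER, so the Server cannot initiate and must accept the IKE
# exchange from any address. The Client is identified by its FQDN (dstid),
# not by the address it arrives from.
ike passive esp tunnel from 10.20.0.0/16 to any \
        srcid matriz.gruponp.com.br \
        dstid filial.gruponp.com.br \
        psk "REPLACE_WITH_LONG_RANDOM_SECRET"
# (assumed placeholder; generate the real key with: openssl rand -hex 32)

# --- /etc/ipsec.conf on "Client" (behind the LAN ROUTER, dynamic public IP) ---
# Initiator: dynamic mode brings the tunnel up from this side and
# renegotiates when the public address changes. NAT-T (UDP 4500) is
# negotiated automatically once isakmpd sees that its address was
# rewritten on the way, so the LAN ROUTER needs no port redirection.
ike dynamic esp tunnel from 10.10.11.0/24 to 10.20.0.0/16 peer 187.8.53.34 \
        srcid filial.gruponp.com.br \
        dstid matriz.gruponp.com.br \
        psk "REPLACE_WITH_LONG_RANDOM_SECRET"
# (same key on both ends)

# --- /etc/pf.conf fragment, same on both boxes (OpenBSD 4.7+ rule syntax) ---
# Assumes the external interface is in the "egress" group. Without the enc0
# rules the SAs are established but the decapsulated packets are dropped,
# which looks exactly like "tunnel up, networks can't talk".
set skip on lo
pass out on egress keep state
# IKE and NAT-T (UDP 500/4500), and raw ESP in case no NAT is in the path
pass in on egress proto udp from any to (egress) port { 500 4500 }
pass in on egress proto esp from any to (egress)
# traffic inside the tunnel shows up on enc0: first the IP-in-IP packet,
# then the inner packets between the two LANs
pass in on enc0 proto ipencap from any to (egress) keep state (if-bound)
pass on enc0 from 10.20.0.0/16 to 10.10.11.0/24 keep state (if-bound)
pass on enc0 from 10.10.11.0/24 to 10.20.0.0/16 keep state (if-bound)
```

Check the parse with `ipsecctl -n -f /etc/ipsec.conf` before loading, then `ipsecctl -sa` on each box: the FLOWS section should show the two LANs and the SAD section should show ESP SAs; on the Client the SA addresses will be its private address and 187.8.53.34 while the packets on the wire are UDP 4500. `sysctl net.inet.esp.udpencap` must be 1 (the default) for NAT-T to work.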