Hello, Joosep, thank you for pointing out this incompatibility. I have made tests with Fabio and that was the problem.
Regarding the ipsec configuration behind nat routers, it has been tested successfully between a 4.9 and a 4.4 OpenBSD with udp encapsulation, and between a 4.9 OpenBSD and a Fortigate (not behind nat). However, I don't know about long-term stability in those two cases.

Regarding the configuration to adopt when the ipsec gateway is natted, I'm wondering if it's necessary to port forward udp 500 and 4500 to the ipsec gateway on the LAN. I think yes if the two ipsec gateways are natted, and maybe if only one of them is natted.

As for the configuration that I described below, I have not tried to do a ping from LAN1 to LAN2 with the OpenBSD having only one interface. I will try to test it when I'm able to.

Something I'm still wondering is how OpenBSD knows whether it's natted or not, so that it should use udp 4500. I haven't seen anything in the configuration stating whether I would use nat-t or not. Also, if two ipsec gateways are not natted but I want to force nat-t, would that be possible?

Thanks

----- Original Mail -----
> From: Joosep <joos...@gmail.com>
> To: misc@openbsd.org
> Cc:
> Sent: Monday 14 November 2011 14:08
> Subject: Re: OpenBSD ipsec gateway behind a router
>
> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <mente...@gmail.com> wrote:
>
>> Hi :)
>>
>> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central
>> office) and 4.9 (branch office).
>> With the following setup I can bring the tunnel up, but the networks can't
>> talk to each other:
>>
>> Central ipsec.conf
>> -------------------------
>> ike passive esp tunnel from 10.20.0.0/16 to any \
>>     srcid matriz.domain.com.br \
>>     psk testefilial
>> ------------
>>
>> Branch ipsec.conf
>> -------------------------
>> matriz_net = "10.20.0.0/16"
>> matriz_gw = "178.9.35.10"
>> filial_net = "10.10.11.0/24"
>>
>> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>     srcid filial.domain.com.br \
>>     dstid matriz.domain.com.br \
>>     psk testefilial
>> -----------
>>
>> # ipsecctl -sa
>> FLOWS:
>> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>
>> SAD:
>> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
>> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>>
>> -----------
>>
>> # route -n show -encap
>> Routing tables
>>
>> Encap:
>> Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
>> 10.10.11/24   0     10.20/16      0     0      185.53.27.23/esp/use/in
>> 10.20/16      0     10.10.11/24   0     0      185.53.27.23/esp/require/out
>>
>>
>> Fabio Almeida
>>
>> On 13/11/2011, at 12:06, Mik J wrote:
>>
>> > Hello,
>> >
>> > I would like to know if such a configuration is possible.
>> >
>> > LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>> >
>> > As you can see, the OpenBSD 4.9 server sits on the LAN1 and has one physical interface.
>> > When it wants to access the internet, its address 192.168.10.99 is natted in IPx and that's
>> > how the IPSec_GW (Vendor) sees the source packets.
>> >
>> > It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like
>> > for now that the OpenBSD could ping machines on LAN2.
>> >
>> > I have searched for examples on the internet for this particular case because the OpenBSD is behind a nat
>> > router. And I haven't found the proper way to do this. I don't even know if it's possible.
>> > I know some kind of nat-t should be used though.
>> >
>> > Does anyone have this configuration in place?
>> >
>> > Thanks
>>
>
> Hi!
>
> I think the problem in your case is HMAC-SHA2 incompatibility between
> releases before 4.7 and 4.7 (and upwards) releases. Please check this link
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
> regards,
> Joosep
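The diagnosis in this thread comes from two pieces of evidence: the `ipsecctl -sa` dump shows flows and SAs in both directions (so the tunnel is up), and the two boxes run 4.4 and 4.9, which sit on opposite sides of the HMAC-SHA2 change in 4.7. The following is an added example, not code from the thread or from OpenBSD: a small checker that parses a dump in the line format quoted above, confirms that every flow has an SA with its peer in the right direction, and flags any HMAC-SHA2 SA negotiated between a release before 4.7 and one at 4.7 or later. The regexes are written against the quoted output only, not against ipsecctl's source, and the per-gateway release map is an assumption the operator has to supply, since ipsecctl cannot know the remote release.

```python
"""Sanity-check an `ipsecctl -sa` dump (added example, not ipsecctl's own code).

Two checks:
  1. every flow has an SA with its peer in the matching direction
     (an outbound flow needs an SA *to* the peer, an inbound one an SA *from* it);
  2. any SA using hmac-sha2-* between an OpenBSD release older than 4.7 and one
     at 4.7 or newer is flagged, since the SHA2 truncation changed in 4.7.
"""
import re
from dataclasses import dataclass

# Constructed sample: the dump quoted in the thread, one entry per line.
SAMPLE_DUMP = """\
FLOWS:
flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require

SAD:
esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
"""

# Constructed assumption: release per gateway address, as the operator knows it
# (central office on 4.4, branch office on 4.9, as stated in the thread).
SAMPLE_RELEASES = {"178.9.35.10": (4, 4), "185.53.27.23": (4, 9)}

# Patterns derived from the quoted output lines, not from ipsecctl's printer.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)")
SA_RE = re.compile(
    r"^(?P<proto>\S+) tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)"
    r" auth (?P<auth>\S+) enc (?P<enc>\S+)")

SHA2_CHANGE = (4, 7)  # release in which HMAC-SHA2 truncation changed


@dataclass
class Flow:
    proto: str
    direction: str
    src: str
    dst: str
    peer: str


@dataclass
class SA:
    proto: str
    src: str
    dst: str
    spi: int
    auth: str
    enc: str


def parse_dump(text):
    """Return (flows, sas) from an ipsecctl -sa dump; unrecognised lines are skipped."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FLOW_RE.match(line):
            flows.append(Flow(m["proto"], m["dir"], m["src"], m["dst"], m["peer"]))
        elif m := SA_RE.match(line):
            sas.append(SA(m["proto"], m["src"], m["dst"], int(m["spi"], 16), m["auth"], m["enc"]))
    return flows, sas


def check_dump(text, releases):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    flows, sas = parse_dump(text)
    findings = []
    for f in flows:
        has_sa = any(
            sa.proto == f.proto
            and ((f.direction == "out" and sa.dst == f.peer)
                 or (f.direction == "in" and sa.src == f.peer))
            for sa in sas)
        if not has_sa:
            findings.append(f"flow {f.direction} {f.src}->{f.dst}: no {f.proto} SA with peer {f.peer}")
    for sa in sas:
        if not sa.auth.startswith("hmac-sha2"):
            continue
        a, b = releases.get(sa.src), releases.get(sa.dst)
        if a is None or b is None:
            continue  # unknown release on one side: cannot judge
        if (a < SHA2_CHANGE) != (b < SHA2_CHANGE):
            findings.append(
                f"SA spi {sa.spi:#x} uses {sa.auth} between OpenBSD {a[0]}.{a[1]} and "
                f"{b[0]}.{b[1]}: HMAC-SHA2 truncation differs across 4.7, expect dropped packets")
    return findings


if __name__ == "__main__":
    for line in check_dump(SAMPLE_DUMP, SAMPLE_RELEASES) or ["no findings"]:
        print(line)
```

Run against the sample, the flow check passes (both directions have an SA with the branch peer) and both SAs are flagged for the SHA2 mismatch, which is exactly the "tunnel up, no traffic" symptom Fabio reports. With both gateways on 4.7 or later the same dump produces no findings.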