Hi,

In fact, there's no need to redirect ports, it's working even behind two
nats:

Openbsd ---NAT OpenBSD ---NAT Router--<<<<>>>>--- OpenBSD

Thanks
Fabio Almeida

On 15/11/2011, at 17:38, Mik J wrote:

> Hello,
>
> Joosep, thank you for pointing out this incompatibility. I have made
> tests with Fabio and that was the problem.
>
> Regarding the ipsec configuration behind nat routers it has been tested
> successfully between a 4.9 and a 4.4 openbsd with udp encapsulation and
> between a 4.9 openbsd and a fortigate (not behind nat). However I don't
> know about long term stability in those two cases.
> Regarding the configuration to adopt when the ipsec gateway is natted,
> I'm wondering if it's necessary to port forward udp 500 and 4500 pointing
> to the ipsec gateway on the LAN. I think yes if the two ipsec gateways are
> natted, and maybe if only one of them is natted.
>
> As for the configuration that I described below I have not tried to do a
> ping from LAN1 to LAN2 with the OpenBSD having only one interface. I will
> try to test it when I'll be able to.
>
> Something I'm still wondering is, how Openbsd knows that he's natted or
> not so that he should use udp 4500. I haven't seen anywhere in the
> configuration stating that I would use nat-t or not. Also, if two ipsec
> gateways are not natted but I want to force nat-t would that be possible?
> Thanks
>
>
> ----- Original Message -----
>> From: Joosep <joos...@gmail.com>
>> To: misc@openbsd.org
>> Cc:
>> Sent: Monday 14 November 2011 14:08
>> Subject: Re: OpenBSD ipsec gateway behind a router
>>
>> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <mente...@gmail.com> wrote:
>>
>>> Hi :)
>>>
>>> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
>>> (central office) and 4.9 (branch office).
>>> With the following setup I can bring the tunnel up, but the networks
>>> can't talk to each other:
>>>
>>> Central ipsec.conf
>>> -------------------------
>>> ike passive esp tunnel from 10.20.0.0/16 to any \
>>>                srcid matriz.domain.com.br \
>>>                psk testefilial
>>> ------------
>>>
>>> Branch ipsec.conf
>>> -------------------------
>>> matriz_net = "10.20.0.0/16"
>>> matriz_gw = "178.9.35.10"
>>> filial_net =  "10.10.11.0/24"
>>>
>>> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>>                srcid filial.domain.com.br \
>>>                dstid matriz.domain.com.br \
>>>                psk testefilial
>>> -----------
>>>
>>> # ipsecctl -sa
>>> FLOWS:
>>> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid
>>> matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>>> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid
>>> matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>>
>>> SAD:
>>> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth
>>> hmac-sha2-256 enc aes
>>> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth
>>> hmac-sha2-256 enc aes
>>>
>>> -----------
>>>
>>> # route -n show -encap
>>> Routing tables
>>>
>>> Encap:
>>> Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
>>> 10.10.11/24        0     10.20/16           0     0     185.53.27.23/esp/use/in
>>> 10.20/16           0     10.10.11/24        0     0     185.53.27.23/esp/require/out
>>>
>>>
>>> Fabio Almeida
>>>
>>> On 13/11/2011, at 12:06, Mik J wrote:
>>>
>>>> Hello,
>>>>
>>>> I would like to know if such configuration is possible.
>>>>
>>>> LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>>>
>>>> As you can see the OpenBSD 4.9 server sits on the LAN1 and has one
>>>> physical interface. When it wants to access the internet, its
>>>> address 192.168.10.99 is natted in IPx and that's how the
>>>> IPSec_GW(Vendor) sees the source packets.
>>>>
>>>> It's not really important now if other machines on LAN1 should ping
>>>> machines on LAN2. I would like for now that the OpenBSD could ping
>>>> machines on LAN2.
>>>>
>>>> I have searched for examples on the internet for this particular case
>>>> because the OpenBSD is behind a nat router. And I haven't found the
>>>> proper way to do this. I don't even know if it's possible. I know some
>>>> kind of nat-t should be used though.
>>>>
>>>> Does anyone have this configuration in place?
>>>>
>>>> Thanks
>>>
>>>
>>>
>>>
>> Hi!
>>
>> I think the problem in your case is HMAC-SHA2 incompatibility between
>> releases before 4.7 and 4.7 (and upwards) releases. Please check this link
>> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>>
>> regards,
>> Joosep

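Mik J's open question above, how a gateway learns that it is natted, is answered by the NAT-D payloads of IKEv1 NAT-Traversal (RFC 3947): each peer sends hashes of the addresses and ports it believes it is using, the receiver recomputes them from the packet that actually arrived, and any mismatch shows a NAT on that side, after which both peers move to UDP 4500 encapsulation. The Python model below is an added example, not code from this thread or from isakmpd; the IKE cookies and the router's public address 203.0.113.5 are constructed values, the other addresses come from the messages above.

```python
# Added example: the NAT detection step of IKEv1 NAT-Traversal (RFC 3947),
# modelled in Python. Not code from the thread or from isakmpd.
import hashlib
import socket
import struct

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port), using the
    Phase 1 hash algorithm; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """Sender side: the destination hash first, then one hash per own
    address (a single local address here)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]

def check_nat_d(cky_i, cky_r, payloads, src_ip, src_port, dst_ip, dst_port):
    """Receiver side: recompute from the packet as it actually arrived.
    Destination hash mismatch: we are behind a NAT. No source hash match:
    the peer is behind a NAT. Either way the peers move to UDP 4500."""
    self_natted = nat_d_hash(cky_i, cky_r, dst_ip, dst_port) != payloads[0]
    peer_natted = nat_d_hash(cky_i, cky_r, src_ip, src_port) not in payloads[1:]
    return {"self_behind_nat": self_natted, "peer_behind_nat": peer_natted,
            "use_udp_4500": self_natted or peer_natted}

# Constructed sample values: the IKE cookies and 203.0.113.5 as the public
# (translated) address of the branch router.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def branch_behind_nat_example():
    """The thread's topology: the OpenBSD gateway on 192.168.10.99 sits behind
    a NAT router and talks to the central gateway 178.9.35.10."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.168.10.99", 500, "178.9.35.10", 500)
    # The router rewrote the source, so central receives 203.0.113.5:500 -> 178.9.35.10:500.
    return check_nat_d(CKY_I, CKY_R, payloads, "203.0.113.5", 500, "178.9.35.10", 500)

def no_nat_example():
    """Both gateways on public addresses, nothing rewritten in transit."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "185.53.27.23", 500, "178.9.35.10", 500)
    return check_nat_d(CKY_I, CKY_R, payloads, "185.53.27.23", 500, "178.9.35.10", 500)
```

With both gateways behind NATs, as in Fabio's two-NAT diagram, both flags come back true and the same UDP 4500 path is chosen.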