> Hello,
>
> Joosep, thank you for pointing out this incompatibility. I have made tests with
> Fabio and that was the problem.
>
> Regarding the ipsec configuration behind NAT routers, it has been tested
> successfully between a 4.9 and a 4.4 OpenBSD with UDP encapsulation, and between
> a 4.9 OpenBSD and a Fortigate (not behind NAT). However, I don't know about
> long-term stability in those two cases.
> Regarding the configuration to adopt when the ipsec gateway is NATed, I'm
> wondering if it's necessary to port forward UDP 500 and 4500 pointing to the
> ipsec gateway on the LAN. I think yes if the two ipsec gateways are NATed, and
> maybe if only one of them is NATed.
>
> As for the configuration that I described below, I have not tried to do a ping
> from LAN1 to LAN2 with the OpenBSD having only one interface. I will try to test
> it when I'm able to.
>
> Something I'm still wondering is how OpenBSD knows whether it is NATed or
> not, so that it should use UDP 4500. I haven't seen anything in the
> configuration stating that I would use NAT-T or not. Also, if two ipsec gateways
> are not NATed but I want to force NAT-T, would that be possible?
>
>
> Thanks
>
>
>
> ----- Original Message -----
>> From: Joosep <joos...@gmail.com>
>> To: misc@openbsd.org
>> Cc:
>> Sent: Monday 14 November 2011 14:08
>> Subject: Re: OpenBSD ipsec gateway behind a router
>>
>> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <mente...@gmail.com> wrote:
>>
>>> Hi :)
>>>
>>> I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4
>>> (central office) and 4.9 (branch office).
>>> With the following setup I can bring the tunnel up, but the networks can't
>>> talk to each other:
>>>
>>> Central ipsec.conf
>>> -------------------------
>>> ike passive esp tunnel from 10.20.0.0/16 to any \
>>>         srcid matriz.domain.com.br \
>>>         psk testefilial
>>> ------------
>>>
>>> Branch ipsec.conf
>>> -------------------------
>>> matriz_net = "10.20.0.0/16"
>>> matriz_gw = "178.9.35.10"
>>> filial_net = "10.10.11.0/24"
>>>
>>> ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>>         srcid filial.domain.com.br \
>>>         dstid matriz.domain.com.br \
>>>         psk testefilial
>>> -----------
>>>
>>> # ipsecctl -sa
>>> FLOWS:
>>> flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>>> flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>>>
>>> SAD:
>>> esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
>>> esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>>>
>>> -----------
>>>
>>> # route -n show -encap
>>> Routing tables
>>>
>>> Encap:
>>> Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
>>> 10.10.11/24     0     10.20/16        0     0      185.53.27.23/esp/use/in
>>> 10.20/16        0     10.10.11/24     0     0      185.53.27.23/esp/require/out
>>>
>>>
>>> Fabio Almeida
>>>
>>> On 13/11/2011, at 12:06, Mik J wrote:
>>>
>>> > Hello,
>>> >
>>> > I would like to know if such a configuration is possible.
>>> >
>>> > LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>> >
>>> > As you can see the OpenBSD 4.9 server sits on LAN1 and has one physical interface.
>>> > When it wants to access the internet, its address 192.168.10.99 is NATed to IPx and that's
>>> > how the IPSec_GW (Vendor) sees the source packets.
>>> >
>>> > It's not really important now if other machines on LAN1 should ping machines on LAN2.
>>> > I would like, for now, that the OpenBSD could ping machines on LAN2.
>>> >
>>> > I have searched for examples on the internet for this particular case because the OpenBSD is
>>> > behind a NAT router. And I haven't found the proper way to do this. I don't even know if
>>> > it's possible. I know some kind of NAT-T should be used though.
>>> >
>>> > Does anyone have this configuration in place?
>>> >
>>> > Thanks
>>>
>>>
>>>
>> Hi!
>>
>> I think the problem in your case is HMAC-SHA2 incompatibility between
>> releases before 4.7 and 4.7 (and later) releases. Please check this link:
>> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>>
>> regards,
>> Joosep
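The configuration below is an added example by the editor, not something posted in this thread, written to show the two things the thread circles around: the workaround for the pre-4.7 HMAC-SHA2 incompatibility Joosep points at (pin the quick-mode auth transform to hmac-sha1 on both the 4.4 and the 4.9 box instead of relying on the default, which on 4.7+ is hmac-sha2-256, as Fabio's `ipsecctl -sa` output shows), and the pf rules for the NAT-T case Mik J asks about. The addresses, identities and PSK are copied from Fabio's post; the branch gateway's LAN address (`10.10.11.1`) and the assumption that the NAT router in front of it runs OpenBSD pf (4.9 `rdr-to` syntax) are assumptions of the example. On the NAT-T question: isakmpd(8) negotiates NAT traversal by itself with the NAT-D payloads of main mode and switches the exchange to UDP 4500 when it detects a NAT on the path; there is no keyword for it in ipsec.conf(5), and the `-T` flag of isakmpd turns it off.

```conf
# --- Central office (OpenBSD 4.4, responder): /etc/ipsec.conf ---
# Main- and quick-mode transforms are pinned explicitly. The HMAC-SHA2
# implementation before 4.7 does not interoperate with 4.7 and later,
# so quick mode is forced to hmac-sha1 on BOTH ends.
ike passive esp tunnel from 10.20.0.0/16 to any \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        srcid matriz.domain.com.br \
        psk testefilial

# --- Branch office (OpenBSD 4.9, initiator, possibly behind NAT): /etc/ipsec.conf ---
matriz_net = "10.20.0.0/16"
matriz_gw  = "178.9.35.10"
filial_net = "10.10.11.0/24"

# "dynamic": this side always initiates, so the central side never has
# to reach it on UDP 500/4500 and no port forward is needed on a NAT
# box in front of it. NAT-T (switch to UDP 4500) is detected and
# negotiated by isakmpd itself; nothing here selects it.
ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        srcid filial.domain.com.br \
        dstid matriz.domain.com.br \
        psk testefilial

# --- Branch-side NAT router, assumed to run OpenBSD pf: /etc/pf.conf fragment ---
# Only needed if the gateway behind the NAT must also ACCEPT incoming IKE
# (e.g. the central side initiates after a rekey or reboot). With NAT-T the
# ESP packets travel inside UDP 4500, so no "proto esp" rule is needed here.
ipsec_gw = "10.10.11.1"   # assumed LAN address of the branch gateway
pass in on egress proto udp to (egress) port { 500 4500 } rdr-to $ipsec_gw

# --- Central gateway (public address): /etc/pf.conf fragment ---
# Accept IKE (500), NAT-T (4500) and, for peers that are not NATed, raw ESP;
# decrypted tunnel traffic appears on enc0.
pass in on egress proto udp to (egress) port { 500 4500 }
pass in on egress proto esp to (egress)
pass on enc0
```

Rule of thumb for the port-forwarding question in the thread: a NATed gateway that only ever initiates (`ike dynamic` or `ike active`) needs no forward, because the NAT's own state table lets the replies back in; a NATed gateway that must answer an initiation from the other side needs UDP 500 and 4500 forwarded to it, and if both sides sit behind NAT at least one of them has to be reachable that way.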