Hello, I have this configuration working without any bridge:

OpenBSD rl0 <- LAN1 -> Router <- Internet -> RemoteFW <- LAN2 -> SomeDevice

My PC is connected to a LAN1 switch, and it is able to ssh to SomeDevice. As you can see, my OpenBSD box has just one interface, and the VPN is set up between OpenBSD and RemoteFW.
----- Original message -----
> From: Wesley M. <[email protected]>
> To: Markus Wernig <[email protected]>
> Cc: [email protected]
> Sent: Thursday, 16 February 2012 15:59
> Subject: Re: vpn isakmpd ipsec, one side with only one interface
>
> I have it working ;-)
> What I have done:
> Create a vether0 with: inet 172.17.2.21 255.255.255.0
> Create a bridge0, add to it vether0 and the physical card...
> PF: filter the bridge
> Create the VPN, I can reach the ftp :-) Pretty cool
> Thanks to vether!!
>
> Cheers,
>
> Wesley MOUEDINE ASSABY
>
>
> On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig <[email protected]>
> wrote:
>> Hi
>>
>> I'm not sure if this will work, but you could try creating a loopback
>> interface (lo2) on FWC with the IP address that the FTP server should be
>> reachable on and then set up a regular VPN between FWA and FWC just for
>> that one IP address:
>> ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>>
>> Then tell the FTP server to listen on the IP of the lo2 interface
>> (172.17.2.21?)
>>
>>
>> /m
>>
>> On 02/13/12 14:43, Wesley M. wrote:
>>> Hi,
>>>
>>> I was using an IPsec VPN between 2 OpenBSD gateways. It worked very
>>> well.
>>>
>>> Here:
>>>
>>> ---rl0---[fwA]---rl1--------(internet)---------sis1---[fwB with ftpd]---sis0---
>>>
>>> Now we remove the ftp service from fwB and put it on another machine,
>>> fwC, with an internet connection (only one network card). Is it
>>> possible to keep a VPN online between fwA and fwC, so that computersA
>>> can again reach ftp using the VPN (provided by fwC)? Perhaps I need to
>>> use vether on fwC, so a bridged pf?
>>>
>>> Here is the old ipsec.conf from fwB:
>>>
>>> ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA main auth hmac-sha1 enc aes-256 group modp1024 quick auth hmac-sha1 enc aes-256 group modp1024 psk "demopassword"
>>>
>>> My idea on fwC:
>>>
>>> add vether0 with: "inet 172.17.2.21 255.255.255.0"
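As an added configuration example (not posted by anyone in this thread), here is the vether0 approach Wesley describes written out for a one-NIC fwC, together with the matching fwA side, pf rules that admit IKE/ESP only from the known peer and filter the decrypted traffic on enc0, and the commands to check the result. The flow, cipher settings and PSK are taken from the quoted ipsec.conf; the public addresses (203.0.113.1 for fwA, 198.51.100.1 for fwC), the interface name rl0 on fwC and the rc.conf.local lines are assumptions. Two caveats a practitioner will want: "demopassword" is a placeholder for a long random shared secret, and modp1024 is a 1024-bit Diffie-Hellman group, so if both isakmpd peers support it, set group modp2048 on both sides.

```conf
# fwC: the host with a single NIC (rl0 carries its public address).
# Only the single private address 172.17.2.21 travels over the tunnel,
# so the flow on fwA shrinks from 172.17.2.0/24 to 172.17.2.21/32.

# --- /etc/hostname.vether0 (fwC) ---
inet 172.17.2.21 255.255.255.0

# --- /etc/hostname.bridge0 (fwC), optional ---
# Wesley's variant bridges the virtual and physical interfaces; the first
# poster reports that vether0 alone, with no bridge, also works.
add rl0
add vether0
up

# --- /etc/ipsec.conf (fwC) ---
ip_fwA = "203.0.113.1"          # assumed placeholder: fwA's public address
ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer $ip_fwA \
    main auth hmac-sha1 enc aes-256 group modp1024 \
    quick auth hmac-sha1 enc aes-256 group modp1024 \
    psk "demopassword"          # placeholder, replace with a long random secret

# --- /etc/ipsec.conf (fwA), the mirror image of the flow above ---
ip_fwC = "198.51.100.1"         # assumed placeholder: fwC's public address
ike esp from 192.168.0.0/24 to 172.17.2.21/32 peer $ip_fwC \
    main auth hmac-sha1 enc aes-256 group modp1024 \
    quick auth hmac-sha1 enc aes-256 group modp1024 \
    psk "demopassword"

# --- /etc/pf.conf (fwC) ---
ext_if = "rl0"
ip_fwA = "203.0.113.1"
lan_a  = "192.168.0.0/24"
set skip on lo
block all
# IKE (udp/500, udp/4500 for NAT-T) and ESP, from the known peer only
pass in  on $ext_if proto udp from $ip_fwA to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $ip_fwA port { 500, 4500 }
pass in  on $ext_if proto esp from $ip_fwA to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $ip_fwA
# Decrypted packets appear on enc0: filter the tunnel contents there.
# The tunnel-mode outer packet is seen as ipencap first, then the inner one.
pass in  on enc0 proto ipencap from $ip_fwA to ($ext_if) keep state (if-bound)
# FTP data channels use ephemeral ports, so this is not narrowed to port 21.
pass in  on enc0 proto tcp from $lan_a to 172.17.2.21 keep state (if-bound)
pass out on enc0 from 172.17.2.21 to $lan_a keep state (if-bound)

# --- /etc/rc.conf.local (fwC and fwA, OpenBSD 5.x style) ---
isakmpd_flags="-K"     # -K: skip keynote policy checks; flows come from ipsec.conf
ipsec=YES              # load /etc/ipsec.conf at boot

# --- checks, run as root on fwC ---
# ipsecctl -n -f /etc/ipsec.conf   # parse only, load nothing
# ipsecctl -f /etc/ipsec.conf      # load the flows; isakmpd negotiates the SAs
# ipsecctl -s all                  # flows and SAs: expect 172.17.2.21/32 <-> 192.168.0.0/24
# pfctl -vs rules                  # rule counters show the enc0 rules being hit
```

Whether 172.17.2.21 lives on vether0, on a bridge, or on an lo2 alias as Markus suggested, the point is the same: the address has to be local to fwC so that packets arriving through the tunnel are delivered to the FTP daemon listening there. Keep the peer-restricted IKE/ESP rules on the physical interface and do the real filtering on enc0, where pf sees the decrypted packets.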

