Wesley,

You might have misunderstood me.
The ssh is going inside the ipsec vpn tunnel which is between Openbsd and RemoteFW:

Openbsd rl0 <- IPSec -> RemoteFW <- LAN 2 -> SomeDevice

With this topology as a reminder:

Openbsd rl0 <-> LAN1 -> Router <- Internet -> RemoteFW <- LAN 2 -> SomeDevice
> ________________________________
> From: Wesley M. <open...@e-solutions.re>
> To: Mik J <mikyde...@yahoo.fr>
> Cc: misc@openbsd.org
> Sent: Friday 17 February 2012 5:45
> Subject: Re: Re : vpn isakmpd ipsec, one side with only one interface
>
> I know ssh works also very well. But the company has requirements: ipsec
> vpn with specific phase 1 and 2...
>
> Wesley.
>
> On Thu, 16 Feb 2012 19:18:09 +0000 (GMT), Mik J <mikyde...@yahoo.fr> wrote:
>> Hello,
>>
>> I have this configuration working without any bridge.
>> Openbsd rl0 <- LAN1 -> Router <- Internet -> RemoteFW <- LAN 2 -> SomeDevice
>> My PC is connected to a LAN1 switch, and it's able to ssh SomeDevice. As you
>> can see my OpenBSD has just one interface and the VPN is mounted between
>> OpenBSD and RemoteFW.
>>
>> ----- Original message -----
>>> From: Wesley M. <open...@e-solutions.re>
>>> To: Markus Wernig <liste...@wernig.net>
>>> Cc: misc@openbsd.org
>>> Sent: Thursday 16 February 2012 15:59
>>> Subject: Re: vpn isakmpd ipsec, one side with only one interface
>>>
>>> I have it working ;-)
>>> What I have done:
>>> Create a vether0 with: inet 172.17.2.21 255.255.255.0
>>> Create a bridge0, add to it vether0 and the physical card...
>>> PF: filter the bridge
>>> Create the vpn, I can reach the ftp :-) Pretty cool
>>> Thanks to vether !!
>>>
>>> Cheers,
>>>
>>> Wesley MOUEDINE ASSABY
>>>
>>> On Thu, 16 Feb 2012 14:03:54 +0100, Markus Wernig <liste...@wernig.net> wrote:
>>>> Hi
>>>>
>>>> I'm not sure if this will work, but you could try creating a loopback
>>>> interface (lo2) on FWC with the IP address that the FTP server should be
>>>> reachable on and then set up a regular VPN between FWA and FWC just for
>>>> that one IP address:
>>>>   ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA ...
>>>>
>>>> Then tell the FTP server to listen on the IP of the lo2 interface
>>>> (172.17.2.21?)
>>>>
>>>> /m
>>>>
>>>> On 02/13/12 14:43, Wesley M. wrote:
>>>>> Hi,
>>>>>
>>>>> I was using ipsec vpn between 2 OpenBSD Gateways. It worked very well.
>>>>>
>>>>> Here:
>>>>>
>>>>> ---rl0---[fwA]---rl1--------(internet)---------sis1---[fwB with ftpd]---sis0---
>>>>>
>>>>> Now we remove ftp services from fwB and put it on another machine fwC
>>>>> with an internet connection (only one network card). Is it possible to
>>>>> keep a vpn online from fwA and fwC, and so computersA can reach again
>>>>> ftp using vpn (provided by fwC)? Perhaps I need to use vether on fwC so
>>>>> bridged pf?
>>>>>
>>>>> Here the old ipsec.conf from fwB:
>>>>>   ike esp from 172.17.2.0/24 to 192.168.0.0/24 peer ip_fwA \
>>>>>       main auth hmac-sha1 enc aes-256 group modp1024 \
>>>>>       quick auth hmac-sha1 enc aes-256 group modp1024 \
>>>>>       psk "demopassword"
>>>>>
>>>>> My idea on fwC:
>>>>>
>>>>> add vether0 with: "inet 172.17.2.21 255.255.255.0"
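Written out as complete files, here is the setup the thread converges on for fwC (vether0 bridged to the single NIC, flow narrowed to the one /32 as Markus suggested) together with the matching fwA side. This is an added example, not configuration posted by anyone in the thread; it assumes fwC's only physical card is rl0, and ip_fwA / ip_fwC are placeholders for the real public addresses, as in the thread.

```conf
# Added example, not from the thread. Assumptions: fwC's only NIC is rl0;
# ip_fwA and ip_fwC are placeholders for the two gateways' public addresses.

# --- fwC: /etc/hostname.vether0 ---
# The address the ftp server listens on lives on the virtual interface,
# because the only physical card already carries the Internet address.
inet 172.17.2.21 255.255.255.0

# --- fwC: /etc/hostname.bridge0 ---
# Bridge the vether and the physical card, as Wesley described.
add vether0
add rl0
up

# --- fwC: /etc/ipsec.conf ---
# Same phase 1 (main) and phase 2 (quick) parameters as the old fwB file,
# but the local side of the flow is narrowed from 172.17.2.0/24 to the single
# vether0 address: fwC has no LAN behind it, only the one host address.
ike esp from 172.17.2.21/32 to 192.168.0.0/24 peer ip_fwA main auth hmac-sha1 enc aes-256 group modp1024 quick auth hmac-sha1 enc aes-256 group modp1024 psk "demopassword"

# --- fwA: /etc/ipsec.conf ---
# Mirror image of the fwC flow. The from/to selectors must match the peer's
# exactly (here 192.168.0.0/24 <-> 172.17.2.21/32) or phase 2 will not come up.
ike esp from 192.168.0.0/24 to 172.17.2.21/32 peer ip_fwC main auth hmac-sha1 enc aes-256 group modp1024 quick auth hmac-sha1 enc aes-256 group modp1024 psk "demopassword"
```

After loading with ipsecctl -f /etc/ipsec.conf on both sides, ipsecctl -sa should show the single 172.17.2.21/32 <-> 192.168.0.0/24 flow pair and the ESP SAs between ip_fwA and ip_fwC.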
