Dear all,
I'm linked to another LAN through IPsec. Everything is working except if
I try to reach the remote LAN from my OpenBSD router.
In this case, the router uses the default interface (wan) instead of the
IPsec tunnel.
I would like to be able to reach the remote LAN, because a service on the
router needs to reach it.
Please see the logs in the attachments (schema-and-logs.txt and
ipsec-pf-route.txt).
Any idea?
I already tried adding a dirty route; that works, but it creates overhead:
$ ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 85ff 0 0000 40 01 4b56 192.168.20.2 192.168.10.1
Have a good day.
Cheers,
Aurelien
ipsec.conf
-----------------
ike esp from 192.168.20.0/24 to 192.168.10.0/24 peer x.x.x.1 \
main auth hmac-sha1 enc aes-128 \
quick auth hmac-sha1 enc aes-128 psk "*"
pf.conf
-----------------
# Network interfaces
internal_int = "vr0"
internal_ip = "192.168.20.254/24"
internal_net = "192.168.20.0/24"
external_int = "vr2"
external_ip = "x.x.x.2/24"
remote_pub = "x.x.x.1"
remote_net = "192.168.10.0/24"
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# IPSEC
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ESP packets on the outside interface
pass in on $external_int proto esp from $remote_pub to $external_int
pass out on $external_int proto esp from $external_int to $remote_pub
# ISAKMP packets on the outside interface
pass in on $external_int proto udp from $remote_pub to $external_int \
    port {isakmp, ipsec-nat-t}
pass out on $external_int proto udp from $external_int to $remote_pub \
    port {isakmp, ipsec-nat-t}
# Packets on the enc0 interface (IPsec traffic before encapsulation / after decapsulation)
pass in quick on enc0
pass out quick on enc0
pass out on $external_int from $internal_int:network to $remote_net
pass in on $external_int from $remote_net to $internal_int:network
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# NAT
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
pass out on $external_int from $internal_int:network to any nat-to ($external_int)
root@fw30 # route show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default provider-gate.254 UGS 311 211026 - 8 vr2
net-x-x-x-2.ftth link#3 UC 2 0 - 4 vr2
loopback localhost UGRS 0 0 33192 8 lo0
localhost localhost UH 2 0 33192 4 lo0
192.168.30/24 link#1 UC 4 0 - 4 vr0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.10/24 0 192.168.20/24 0 0 x.x.x.2/esp/use/in
192.168.20/24 0 192.168.10/24 0 0 x.x.x.2/esp/require/out
SCHEMA + LOGS
------------------
                         +-------+
            vr2          |       | vr0
   +---------------------+  fw10 +-----------------> 192.168.10.0/24
   |             x.x.x.1 |       | .254
   |                     +-------+
   v
xxxxxxxxxx
xINTERNETx
xxxxxxxxxx
   ^                     +-------+
   |            vr2      |       | vr0
   +---------------------+  fw20 +-----------------> 192.168.20.0/24
                 x.x.x.2 |       | .254
                         +-------+
fw20 -> outside
root@fw20 # ping google.fr
64 bytes from 173.194.40.159: icmp_seq=0 ttl=59 time=10.078 ms
root@fw20 # tcpdump -i vr2 icmp
12:20:52.970597 x-x-x-2.ftth.cust.kwaoo.net > par10s10-in-f31.1e100.net: icmp: echo request
12:20:52.980543 par10s10-in-f31.1e100.net > x-x-x-2.ftth.cust.kwaoo.net: icmp: echo reply
--------------------------------------------
With a basic ping from fw20, the request uses the default route and goes
outside.
root@fw20 # ping 192.168.10.1
1 packets transmitted, 0 packets received, 100.0% packet loss
root@fw20 # tcpdump -i vr2 icmp
12:22:06.392515 x-x-x-2.ftth.cust.kwaoo.net > 192.168.10.1: icmp: echo request
---------------------------------------------
>>If I specify the interface of my "local" gateway to go through IPsec, it's
>>working
root@fw30 # ping -I 192.168.20.254 192.168.10.1
64 bytes from 192.168.10.1: icmp_seq=0 ttl=63 time=44.827 ms
>>I didn't manage to see the traffic with tcpdump (all interfaces tested)
----------------------------------------------
>>Ping works from a machine on my LAN 20.*
root@fw30 # tcpdump -i vr0 icmp
tcpdump: listening on vr0, link-type EN10MB
13:58:48.868053 192.168.20.2 > 192.168.10.1: icmp: echo request
13:58:48.912271 192.168.10.1 > 192.168.20.2: icmp: echo reply
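One way to let fw20 itself reach the remote LAN without the extra route, added here as an example and not part of Aurelien's post or configuration. The assumption behind it: traffic originated by the router follows the default route on vr2 and is therefore sourced from x.x.x.2, which matches neither flow in the posted `ipsecctl`/`route show` output (only 192.168.20/24 <-> 192.168.10/24 exists), so the packet leaves in the clear; the `ping -I 192.168.20.254` test succeeding is consistent with that, since forcing an in-flow source address makes the existing flow apply. The posted "dirty route" is presumably `192.168.10.0/24` via `192.168.20.254`, which picks the internal address as source but also makes fw20 emit the ICMP host redirects seen above for every LAN client it forwards. The example below instead adds a second flow for the gateway's own address; the macro names are my own, the transforms and the redacted `psk "*"` are copied from the post:

```conf
# /etc/ipsec.conf on fw20 (added example, not the original poster's file).
# Assumption: fw20's own packets to 192.168.10.0/24 are sourced from its
# external address x.x.x.2 because they follow the default route on vr2.
local_gw   = "x.x.x.2"
remote_gw  = "x.x.x.1"
local_net  = "192.168.20.0/24"
remote_net = "192.168.10.0/24"

# Existing site-to-site flow: LAN 20 <-> LAN 10 (this part already works).
ike esp from $local_net to $remote_net peer $remote_gw \
    main auth hmac-sha1 enc aes-128 \
    quick auth hmac-sha1 enc aes-128 psk "*"

# Added flow: traffic originated by fw20 itself (source x.x.x.2) to the
# remote LAN. The peer fw10 must carry the mirror image, i.e.
#   ike esp from 192.168.10.0/24 to x.x.x.2 peer x.x.x.2 ...
# otherwise phase 2 for this selector will not be negotiated.
ike esp from $local_gw to $remote_net peer $remote_gw \
    main auth hmac-sha1 enc aes-128 \
    quick auth hmac-sha1 enc aes-128 psk "*"
```

Load it with `ipsecctl -sf /etc/ipsec.conf`; `ipsecctl -sa` should then list a second in/out flow pair for `x.x.x.2/32` <-> `192.168.10.0/24` next to the existing /24 pair, and a plain `ping 192.168.10.1` from fw20 (no `-I`) should be answered, with the inner packets visible on `tcpdump -ni enc0`. The pf rules already in the post cover this case: `pass out quick on enc0` matches the plaintext packet and the `proto esp` rules on vr2 match the encapsulated one; the `nat-to` rule only matches sources in 192.168.20.0/24, so it does not touch traffic sourced from x.x.x.2. If you prefer to keep the route-based workaround instead, check `route -n get 192.168.10.1` on fw20 to confirm which source address and interface it actually selects before trusting that the traffic enters the tunnel.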