this should probably move to misc@; not pf-related, afaict.

On Mon, Feb 13, 2006 at 07:29:17AM -0600, Travis H. wrote:
>
> Basically I've got a remote node that is directly attached to an
> untrusted LAN (think metropolitan) and the firewall/gateway to the
> internet/VPN peer are the same machine, also directly attached to the
> LAN.

might just be my poor english, but does that mean that the remote node you have is the firewall/gateway/VPN peer, or that there is an untrusted LAN out there where you have some subnet A, and one host on that subnet is a node who is the remote VPN peer, and there is another node who is on subnet A who uses the remote VPN peer as its default gateway?

> I tried setting up a network route to 0.0.0.0 mask 0.0.0.0 in
> isakmpd.conf but it didn't seem to do what I wanted to.

if you do that, it will make a flow with those network criteria. packets traversing the VPN machine on your side (eg, if it is normally being used for ip.forwarding=1) can match that flow prior to a normal route lookup (afaict), but packets originating on the machine itself will only be checked against the flows after they go through normal route lookup.

make sure to not cloud the understanding that isakmpd adds, or rather can add, encap flows, but does not alter the normal (inet/inet6) routing tables.

or in short, from what i've seen in my uses, the following match-order:

- traffic which originates on my VPN gateway:
  1) netstat -rnf inet
  2) netstat -rnf encap

- traffic which originates behind it and will be forwarded through:
  1) netstat -rnf encap
  2) netstat -rnf inet

hopefully i am not too inaccurate or misleading there. i don't doubt i'm missing some details, please don't call those guesses a religion.

anyway, that was dealing mostly with the encap flows. so you're not looking to change the 'inet' default route on the VPN/gateway peer, but rather, you want a 0/0 as a destination for an encap flow that is present on the VPN/gateway peer? like:

---
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
172.16.1.8/32      0     0.0.0.0/0          0     0      18.100.128.63/50/use/in
0.0.0.0/0          0     172.16.1.8/32      0     0      18.100.128.63/50/require/out
---

where 172.16.1.8 is the remote node that is behind this VPN peer, and 18.100.128.63 is the external IP of your local side this remote makes VPN connection to?
(assumption is that the remote VPN peer would also have an IP in the 172.16.1.xxx subnet)?

> > sudo route add
>
> Ugh, netstart should read a file in /etc/ for them or something.

should? ... that might just be a difference in methodology between OS A and B.

> Am I the only one who fiddles with /etc/netstart?

you can put your route stuff right in hostname.if with !/sbin/route blahblah. i do that for the static routes i need to add, either in hostname.enc0 or wherever i find most intuitive. i don't fiddle with netstart at all. perhaps it is only the result of the fortune of my scenario being not too complex, but i get everything done with a few !s in hostname.if files..

--
jared
[ openbsd 3.9-beta GENERIC ( jan 30 ) // i386 ]
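Added example, not from the post above and not OpenBSD code: a small POSIX shell checker that takes flow lines in the shape of the `netstat -rnf encap` table jared sketches (embedded here as constructed sample lines, not captured from a real host) and reports which flow, if any, covers a given source/destination pair, which is the quickest way to confirm that a 0/0 flow really catches the remote node's traffic rather than letting it fall through to the plain inet route. It generalises beyond the two rows shown to any prefix length; the addresses 198.51.100.7 and 10.0.0.5 are constructed test values.

```shell
#!/bin/sh
# Constructed sample of `netstat -rnf encap` flow lines (same column order
# as the table in the post; not captured from a real system). Columns:
# Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
ENCAP_FLOWS='172.16.1.8/32 0 0.0.0.0/0 0 0 18.100.128.63/50/use/in
0.0.0.0/0 0 172.16.1.8/32 0 0 18.100.128.63/50/require/out'

# Dotted quad -> unsigned 32-bit integer (assumes valid IPv4 input).
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: succeed when ADDR lies inside NET/BITS.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" -eq 0 ] && return 0          # 0/0 matches everything
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# flow_for SRC DST: print the SA column of the first flow whose
# source/destination selectors cover SRC -> DST, or "none" when no flow
# applies (the packet would then follow the inet route, unprotected).
flow_for() {
  match=$(printf '%s\n' "$ENCAP_FLOWS" | while read -r fsrc fsp fdst fdp fpr fsa; do
    if in_cidr "$1" "$fsrc" && in_cidr "$2" "$fdst"; then
      echo "$fsa"; break
    fi
  done)
  echo "${match:-none}"
}

# Stand-alone demo: remote node outbound, reply inbound, and an
# unrelated host that no flow covers.
for pair in "172.16.1.8 198.51.100.7" "198.51.100.7 172.16.1.8" "10.0.0.5 198.51.100.7"; do
  set -- $pair
  printf '%-14s -> %-14s %s\n' "$1" "$2" "$(flow_for "$1" "$2")"
done
```

To check a live box, replace ENCAP_FLOWS with the data rows of `netstat -rnf encap` (header lines stripped) and query the pairs you care about.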