Hello,

I configured an IPsec tunnel with ipsecctl and ipsec.conf.

The default interface of the gateway is 219.17.10.1.
The other gateway runs Checkpoint.

Here is a part of my ipsec.conf:

ike active esp from 192.168.36.0/24 to 10.128.203.0/24 \
        peer 161.144.27.32 \
        main auth hmac-md5 enc 3des group grp2 \
        quick auth hmac-md5 enc 3des group none \
        psk xxxxx

Last Friday, I ran a ping every 5 seconds, from 192.168.36.254 to 10.128.203.1.

Ping was not replying, but tcpdump on enc0 was OK.

This morning, I looked at the enc0 interface:
# tcpdump -envps 1500 -i enc0 -l
10:35:15.920320 (authentic,confidential): SPI 0xa63e5fd1: 219.10.10.1 > 161.144.27.32: 219.10.10.1 > 10.128.203.1: icmp: echo request (id:b4e2 seq:47649) (ttl 63, id 34775, len 84) (ttl 64, id 30353, len 104, bad cksum 0!)

Why has the source address of the ping become the Internet address of the gateway?

Part of my pf.conf:

int_if = "sis0"
ext_if = "sis2"
ext_addr = "219.10.10.1"
maint_net = "192.168.36.0/24"
ipsec_vpn_addr="161.144.27.32"
ipsec_remote_lan_net="10.128.203.0/24"

block in all

# Some other traffic than the IPsec one can reach the internet.
nat on $ext_if from $maint_net to any -> $ext_addr

# Traffic from the internal network to the internet
pass in  on $int_if inet from $maint_net to any keep state

# IPsec traffic from the other VPN gateway
pass in  on $ext_if proto udp from $ipsec_vpn_addr port = isakmp \
        to $ext_addr port {isakmp, ipsec-nat-t}

pass in  on $int_if inet from $maint_net to $ipsec_remote_lan_net keep state
pass in  on enc0 from $ipsec_remote_lan_net to $maint_net keep state (if-bound)
pass out on enc0 from $maint_net to $ipsec_remote_lan_net keep state (if-bound)


Thanks for your help.
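Added illustration, not part of the original post: the posted rule `nat on $ext_if from $maint_net to any -> $ext_addr` matches every packet from the maintenance network that pf evaluates on $ext_if, including packets that pf sees on the physical interface before they are IPsec-encapsulated, which is consistent with the rewritten inner source (219.10.10.1 instead of 192.168.36.254) in the enc0 trace above. A common pf.conf pattern is to exempt the remote VPN network from translation before the general NAT rule. The macro names below are taken from the posted pf.conf; that NAT is the cause, and the pre-"match ... nat-to" rule syntax, are assumptions of this example.

```pf
int_if = "sis0"
ext_if = "sis2"
ext_addr = "219.10.10.1"
maint_net = "192.168.36.0/24"
ipsec_vpn_addr = "161.144.27.32"
ipsec_remote_lan_net = "10.128.203.0/24"

# Translation rules are first-match: this "no nat" rule stops NAT for
# traffic bound for the remote VPN LAN, so packets enter the tunnel
# with their real 192.168.36.x source and match the ipsec.conf flow.
# (added example; assumes the posted ext_addr of 219.10.10.1 is correct)
no nat on $ext_if from $maint_net to $ipsec_remote_lan_net

# Everything else from the maintenance network is still NATed to the
# gateway's Internet address.
nat on $ext_if from $maint_net to any -> $ext_addr

# Equivalent single-rule form, excluding the remote LAN in the rule itself:
# nat on $ext_if from $maint_net to ! $ipsec_remote_lan_net -> $ext_addr
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and repeat the `tcpdump -i enc0` capture: the inner packet should now show `192.168.36.254 > 10.128.203.1`. On newer OpenBSD releases the same exclusion is written as `match out on $ext_if inet from $maint_net to ! $ipsec_remote_lan_net nat-to $ext_addr`. Since only part of the pf.conf is shown, also confirm that the full ruleset passes `proto esp` from $ipsec_vpn_addr in on $ext_if; with `block in all` and only the UDP isakmp rule, encrypted replies from the peer would otherwise never reach enc0.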
