Hello,

I have an OpenBSD 4.3 acting as a gateway for my network, with two interfaces. 
Everything works perfectly, except the routing/forwarding of IPSEC connections.

Something like this:

REMOTE LAN -> [REMOTE PEER] -> VPN TUNNEL -> [LOCAL PEER] -> INTERNAL NETWORK

My ipsec.conf is this:

ike esp from <local_peer> to <remote_peer> main auth hmac-sha1 \
enc 3des group modp1024 quick auth hmac-sha1 enc 3des group none \
psk "123456"
flow esp from <invalid_remote_network>/24 to <local_peer>/32 \
peer <remote_peer>

Just a snippet from my pf.conf:

rdr on $ext_if inet proto { tcp, udp } from any to $local_peer port \
{ 5990, 5991 } -> $internal_server
rdr on $enc_if inet proto { tcp, udp } from any to $local_peer port \
{ 5990, 5991 } -> $internal_server

pass in log quick on $enc_if proto ipencap all
pass out log quick on $enc_if proto ipencap all
pass in log quick on $ext_if proto esp all
pass out log quick on $ext_if proto esp all

pass in log quick on $ext_if inet proto udp from $remote_peer to \
 $local_peer port 500 flags any keep state
pass out log quick on $ext_if inet proto udp from $local_peer to \
$remote_peer port 500 flags any keep state
pass in log quick on $enc_if inet proto tcp from $remote_int to \
$local_peer port { 5990, 5991, 5992 } flags any keep state
pass in log quick on $int_if inet proto tcp from { $local_peer, \
$internal_server } to $remote_int flags any keep state

When we try to connect from the IPSEC to <local_peer> everything works 
perfectly. But I have to forward this connection to another server inside our 
network (with an invalid IP). As stated above, I am using a rdr rule; the 
connection seems to hit our internal server, although it never gets established.

There is nothing being blocked, and I just cannot figure out why the 
connection is not forwarded properly.

Trying to connect to the same port (that is being forwarded to 
$internal_server), outside the IPSEC works.

Seems like the IPSEC/VPN does not like these rdr rules.

Does anyone know anything about this? I am not sure if this is pf related, but 
I am guessing I am screwing up with the rules.

Thanks a lot.

J T Davis
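An added illustration, written for this page and not taken from the post or from OpenBSD's own code, of one thing worth checking in a setup like the one above: which address pairs the `flow` line actually covers once the `rdr` has rewritten the destination. The addresses below are constructed stand-ins for the placeholders in the post. The model treats the SPD as a list of bidirectional address-pair flows (ipsec.conf flows are bidirectional unless `in` or `out` is given) and the rdr as a destination rewrite. It assumes that the policy lookup for the server's reply sees the reply's untranslated source address, i.e. the internal server's own IP; under that assumption the single flow `<invalid_remote_network>/24` to `<local_peer>/32` covers the inbound packet but not the reply, while a flow that names the internal server does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses standing in for the placeholders in the post.
REMOTE_NET = "10.9.0.0/24"        # <invalid_remote_network>/24
LOCAL_PEER = "203.0.113.1"        # <local_peer>
INTERNAL_SERVER = "192.168.1.10"  # $internal_server
RDR_PORTS = {5990, 5991}          # ports the rdr rules forward


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Flow:
    """One ipsec.conf 'flow' line: two networks, matched in both directions."""
    a: str
    b: str

    def covers(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        net_a = ipaddress.ip_network(self.a, strict=False)
        net_b = ipaddress.ip_network(self.b, strict=False)
        return (src in net_a and dst in net_b) or (src in net_b and dst in net_a)


def spd_lookup(flows: List[Flow], pkt: Packet) -> Optional[Flow]:
    """Return the first flow whose address pair covers the packet, else None."""
    for flow in flows:
        if flow.covers(pkt):
            return flow
    return None


def apply_rdr(pkt: Packet) -> Packet:
    """Model of 'rdr ... to $local_peer port { 5990, 5991 } -> $internal_server'."""
    if pkt.dst == LOCAL_PEER and pkt.dport in RDR_PORTS:
        return Packet(pkt.src, INTERNAL_SERVER, pkt.dport)
    return pkt


def reply_to(pkt: Packet) -> Packet:
    """The server answers with its own address as source (port is irrelevant here)."""
    return Packet(pkt.dst, pkt.src, 0)


def trace(flows: List[Flow], pkt: Packet) -> dict:
    """Follow one connection attempt: inbound SPD match, rdr, then the reply's SPD match.

    Assumption of this model: the reply is checked against the SPD with the
    server's untranslated source address, before any reverse translation.
    """
    rewritten = apply_rdr(pkt)
    reply = reply_to(rewritten)
    return {
        "inbound_covered": spd_lookup(flows, pkt) is not None,
        "rdr_dst": rewritten.dst,
        "reply_src": reply.src,
        "reply_covered": spd_lookup(flows, reply) is not None,
    }


# The flow from the post, and the same SPD with a flow for the rdr target added.
ORIGINAL_FLOWS = [Flow(REMOTE_NET, LOCAL_PEER + "/32")]
WITH_SERVER_FLOW = ORIGINAL_FLOWS + [Flow(REMOTE_NET, INTERNAL_SERVER + "/32")]

if __name__ == "__main__":
    attempt = Packet("10.9.0.5", LOCAL_PEER, 5990)
    for label, flows in (("original flows", ORIGINAL_FLOWS),
                         ("with server flow", WITH_SERVER_FLOW)):
        print(label, trace(flows, attempt))
```

Whether the real kernel behaves like this model is something to confirm on the box itself rather than assume: `ipsecctl -sf` shows the flows actually installed, and `tcpdump -ni enc0` together with `tcpdump -ni <ext_if>` shows whether the server's replies leave through the tunnel or in the clear.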

PS: I have tried to google something like this and had no success...