Hello all.
We have an OpenBSD firewall/vpn server with two external T1s. The first T1 is
our main Internet connection and is set as the default gateway, the second is
exclusively for VPNs. We are having trouble routing the VPNs through the
second T1.
At present, the VPNs are all set up between the second address and the remote
address:
    ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
    ike passive esp from $T1-2_addr to $remote_gw_addr
On the firewall, we have the following:
    pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any to $T1-2_addr keep state
    pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any to $T1-2_addr port 500
This seems to work, but can be fairly unstable, with two (of six) of the VPN
connections coming up and going down unpredictably. This may have nothing to
do with the pf ruleset, but I would still ask: is there a better way to do
this?
Thanks for any assistance.
--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult
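The following pf.conf fragment is an added example, not part of the original post and not the poster's configuration. It shows the full set of rules a practitioner would want for pinning IKE and ESP to a secondary link: the inbound reply-to rules from the post, the matching outbound route-to rules (the post has none, and IKE/ESP originated by the firewall with the second T1's source address would otherwise leave via the default-route T1, giving asymmetric paths that can look like flapping tunnels), and a rule for decrypted traffic on enc0. Interface names, addresses and macro names are placeholders chosen here; real pf macro names may contain only letters, digits and underscores, which is why the hyphenated names from the post are not reused.

```pf
# Added example pf.conf fragment (not from the original post).
# All names and addresses below are placeholders; replace with real values.
ext_if     = "hme0"            # first T1, carries the default route (assumed)
vpn_if     = "hme1"            # second T1, dedicated to VPN traffic (assumed)
vpn_addr   = "192.0.2.10"      # this host's address on the VPN T1 (TEST-NET placeholder)
vpn_gw     = "192.0.2.1"       # upstream gateway on the VPN T1 (placeholder)
remote_gws = "{ 198.51.100.5, 198.51.100.6 }"   # remote VPN gateways (placeholders)

# Inbound IKE (udp 500), NAT-T (udp 4500) and ESP arriving on the VPN T1.
# reply-to keeps the state's return traffic on that link instead of letting
# the kernel send it out the default route on $ext_if.
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto esp \
    from $remote_gws to $vpn_addr keep state
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto udp \
    from $remote_gws to $vpn_addr port { 500, 4500 } keep state

# Outbound IKE/ESP generated by this host with $vpn_addr as source address.
# The routing table would hand these to $ext_if; route-to steers them onto
# the VPN T1 so both directions of each tunnel use the same link.
pass out quick on $ext_if route-to ($vpn_if $vpn_gw) proto esp \
    from $vpn_addr to $remote_gws keep state
pass out quick on $ext_if route-to ($vpn_if $vpn_gw) proto udp \
    from $vpn_addr to $remote_gws port { 500, 4500 } keep state

# Also pass the same traffic directly on $vpn_if, so the rules hold whether
# the packet is filtered once (after route-to) or natively on $vpn_if.
pass out quick on $vpn_if proto esp from $vpn_addr to $remote_gws keep state
pass out quick on $vpn_if proto udp from $vpn_addr to $remote_gws \
    port { 500, 4500 } keep state

# Decrypted tunnel traffic appears on enc0; it still needs a pass rule.
pass quick on enc0 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Restricting `from any` to the known remote gateways, as above, also narrows the exposure of IKE on the second address to the peers that are expected to negotiate with it.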