On Wednesday 20 August 2008 08:03, you wrote:
> On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
> > Hello all.
> >
> > We have an OpenBSD firewall/vpn server with two external T1s. The first
> > T1 is our main Internet connection and is set as the default gateway, the
> > second is exclusively for VPNs. We are having trouble routing the VPNs
> > through the second T1.
> >
> > At present, the VPNs are all set up between the second address and the
> > remote address:
> >
> > ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> > ike passive esp from $T1-2_addr to $remote_gw_addr
> >
> > On the firewall, we have the following:
> >
> > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any
> > to $T1-2_addr keep state
> >
> > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any
> > to $T1-2_addr port 500
> >
> > This seems to work, but can be fairly unstable, with two (of six) of the
> > VPN connections coming up and going down unpredictably. This may have
> > nothing to do with the pf ruleset, but I would still ask: is there a
> > better way to do this?
>
> Add a static route for $remote_gw_addr through the appropriate gateway?
That works, but creates another problem. I simplified things in my first post;
we also have a DMZ hanging off the firewall that the remotes contact
occasionally. And since the VPNs are internal lan to internal lan, we get
asymmetrical routing where contacts to the DMZ come in over T1-1 but go back
out over T1-2. I've tested it and it works, but it seems sloppy to me. Just
wondering if there's a better way.
--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult
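As an added illustration (not part of the thread above, and not the original poster's ruleset), the pf.conf fragment below shows the policy-routing approach the thread is circling around: keep the inbound reply-to rules for IKE and ESP arriving on the second T1, and add matching outbound route-to rules so that IKE/ESP packets the firewall itself sources from the second T1 address are pushed out through the second T1's gateway. That avoids the host static route for $remote_gw_addr, so the kernel routing table keeps its single default route via T1-1 and DMZ traffic to the remote sites stays symmetric. Interface names, macro names and the use of IKE/ESP only on port 500 are assumptions for the example; port 4500 would also be needed if NAT-T is in use.

```pf
# Added example, not the ruleset from the thread.
# Assumed interface names and addresses; replace with the real ones.
lan_if    = "em0"
ext1_if   = "em1"            # T1-1: default route lives here
ext2_if   = "em2"            # T1-2: used only for the VPNs
ext2_addr = "192.0.2.10"     # address assigned on T1-2 (constructed)
ext2_gw   = "192.0.2.1"      # T1-2 provider gateway (constructed)
remote_gws = "{ 198.51.100.5, 198.51.100.9 }"   # remote IKE peers (constructed)

# Let decrypted traffic on enc0 be handled by the normal ruleset.
set skip on enc0

# Inbound IKE and ESP that arrive on T1-2 for the T1-2 address:
# reply-to pins the state's return path to the T1-2 gateway, so the
# replies do not follow the default route out T1-1.
pass in quick on $ext2_if reply-to ($ext2_if $ext2_gw) \
    proto esp from $remote_gws to $ext2_addr
pass in quick on $ext2_if reply-to ($ext2_if $ext2_gw) \
    proto udp from $remote_gws to $ext2_addr port 500

# Outbound IKE and ESP that the firewall itself sources from the T1-2
# address: the routing table would send them out T1-1 (default route),
# so route-to redirects them to the T1-2 gateway instead. This replaces
# the host route for the remote gateway and leaves DMZ traffic alone.
pass out quick on $ext1_if route-to ($ext2_if $ext2_gw) \
    proto esp from $ext2_addr to $remote_gws
pass out quick on $ext1_if route-to ($ext2_if $ext2_gw) \
    proto udp from $ext2_addr to $remote_gws port 500

# Everything else (including DMZ <-> remote traffic) uses the default
# route on T1-1 in both directions.
```

Because the route-to rules match only on the T1-2 source address and the listed peers, nothing else is moved off the default route; `pfctl -nf /etc/pf.conf` will syntax-check the fragment, and `pfctl -ss | grep 'esp'` shows whether the ESP states were created on the expected interface while the flaky tunnels are up.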