On Wednesday 20 August 2008 09:37, you wrote:
> On Wed, Aug 20, 2008 at 09:06:29AM -0700, Jeff Simmons wrote:
> > On Wednesday 20 August 2008 08:03, you wrote:
> > > On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
> > > > Hello all.
> > > >
> > > > We have an OpenBSD firewall/vpn server with two external T1s. The
> > > > first T1 is our main Internet connection and is set as the default
> > > > gateway, the second is exclusively for VPNs. We are having trouble
> > > > routing the VPNs through the second T1.
> > > >
> > > > At present, the VPNs are all set up between the second address and
> > > > the remote address:
> > > >
> > > > ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> > > > ike passive esp from $T1-2_addr to $remote_gw_addr
> > > >
> > > > On the firewall, we have the following:
> > > >
> > > > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from
> > > > any to $T1-2_addr keep state
> > > >
> > > > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from
> > > > any to $T1-2_addr port 500
> > > >
> > > > This seems to work, but can be fairly unstable, with two (of six) of
> > > > the VPN connections coming up and going down unpredictably. This may
> > > > have nothing to do with the pf ruleset, but I would still ask: is
> > > > there a better way to do this?
> > >
> > > Add a static route for $remote_gw_addr through the appropriate gateway?
> >
> > That works, but creates another problem. I simplified things in my first
> > post, we also have a DMZ hanging off the firewall that the remotes
> > contact occasionally. And since the VPNs are internal lan to internal
> > lan, we get asymmetrical routing where contacts to the DMZ come in over
> > T1-1 but go back out over T1-2. I've tested it and it works, but it seems
> > sloppy to me. Just wondering if there's a better way.
>
> Not sure if it's "better", but you could nat the VPN traffic to your
> DMZ.
Heh. That works. But I sure pity the fool who has to take this over if I get
hit by the proverbial bus. ;-)
--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult