On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
> Hello all.
>
> We have an OpenBSD firewall/vpn server with two external T1s. The first T1 is
> our main Internet connection and is set as the default gateway, the second is
> exclusively for VPNs. We are having trouble routing the VPNs through the
> second T1.
>
> At present, the VPNs are all set up between the second address and the remote
> address:
>
> ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> ike passive esp from $T1-2_addr to $remote_gw_addr
>
> On the firewall, we have the following:
>
> pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any to
> $T1-2_addr keep state
>
> pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any to
> $T1-2_addr port 500
>
> This seems to work, but can be fairly unstable, with two (of six) of the VPN
> connections coming up and going down unpredictably. This may have nothing to
> do with the pf ruleset, but I would still ask: is there a better way to do
> this?
Add a static route for $remote_gw_addr through the appropriate gateway?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
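The reason a host route helps: pf's reply-to only steers the reply half of states created by those two inbound rules. Packets the firewall originates itself toward the peer (ESP once a tunnel is up, rekeying, any IKE it sends) are forwarded by the kernel routing table, which here has only the first T1 as default gateway, so they leave with the T1-2 source address over the T1-1 link. The following added example (not from this thread or from OpenBSD) models that lookup as longest-prefix match and shows which peers would egress through the wrong link before and after per-peer host routes are added. All addresses and interface names (192.0.2.0/24 for T1-1, 198.51.100.0/24 for T1-2, 203.0.113.x peers, hme0/hme1) are constructed placeholders.

```python
"""Longest-prefix-match model of the kernel routing table, used to show
why VPN peer traffic needs a host route via the second T1.
Addresses and interface names are constructed examples, not the
original poster's."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Route table entry: (destination network, gateway, interface)
Route = Tuple[str, str, str]

# Constructed example: T1-1 carries the default route, T1-2 is VPN-only.
T1_1_GW, T1_1_IF = "192.0.2.1", "hme0"
T1_2_GW, T1_2_IF = "198.51.100.1", "hme1"

# Remote VPN gateways (constructed), one per tunnel ($remote_gw_addr).
REMOTE_GWS = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]

# Routing table before any fix: default via T1-1, plus the two directly
# connected link networks.
BASE_FIB: List[Route] = [
    ("0.0.0.0/0", T1_1_GW, T1_1_IF),
    ("192.0.2.0/24", "link", T1_1_IF),
    ("198.51.100.0/24", "link", T1_2_IF),
]


def lookup(fib: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route matching dst (longest prefix wins),
    which is how the kernel picks an egress for locally originated packets."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for net, gw, ifname in fib:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > ip_network(best[0]).prefixlen):
            best = (net, gw, ifname)
    return best


def egress_interface(fib: List[Route], dst: str) -> Optional[str]:
    """Interface the kernel would send a packet for dst out of."""
    r = lookup(fib, dst)
    return r[2] if r else None


def misrouted_peers(fib: List[Route], peers: List[str], vpn_if: str = T1_2_IF) -> List[str]:
    """Peers whose outbound IKE/ESP would leave through an interface other
    than the VPN link, i.e. an asymmetric path the remote side or the ISP
    may drop."""
    return [p for p in peers if egress_interface(fib, p) != vpn_if]


def add_peer_host_routes(fib: List[Route], peers: List[str],
                         gw: str = T1_2_GW, ifname: str = T1_2_IF) -> List[Route]:
    """Model of 'route add -host <peer> <gw>' for each peer: a /32 entry
    that wins longest-prefix match over the default route."""
    return fib + [(f"{p}/32", gw, ifname) for p in peers]


if __name__ == "__main__":
    print("misrouted without host routes:", misrouted_peers(BASE_FIB, REMOTE_GWS))
    fixed = add_peer_host_routes(BASE_FIB, REMOTE_GWS)
    print("misrouted with host routes:   ", misrouted_peers(fixed, REMOTE_GWS))
    for peer in REMOTE_GWS:
        print(peer, "->", lookup(fixed, peer))
```

On the real box the equivalent is `route add -host <peer> <T1-2 gateway>` for each remote gateway, persisted with a `!route add -host ...` line in the T1-2 interface's /etc/hostname.if file, and `route -n get <peer>` confirms which interface and gateway the kernel now chooses. With the peer routes in place the inbound reply-to rules and the outbound path agree, so the tunnel no longer depends on which side happened to initiate.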
