On Wed, Aug 20, 2008 at 09:06:29AM -0700, Jeff Simmons wrote:
> On Wednesday 20 August 2008 08:03, you wrote:
> > On Wed, Aug 20, 2008 at 07:02:28AM -0700, Jeff Simmons wrote:
> > > Hello all.
> > >
> > > We have an OpenBSD firewall/vpn server with two external T1s. The first
> > > T1 is our main Internet connection and is set as the default gateway, the
> > > second is exclusively for VPNs. We are having trouble routing the VPNs
> > > through the second T1.
> > >
> > > At present, the VPNs are all set up between the second address and the
> > > remote address:
> > >
> > > ike passive esp from $lan_net to $remote_lan_net peer $remote_gw_addr
> > > ike passive esp from $T1-2_addr to $remote_gw_addr
> > >
> > > On the firewall, we have the following:
> > >
> > > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto 50 from any
> > > to $T1-2_addr keep state
> > >
> > > pass in quick on $T1-2_if reply-to ($T1-2_if $T1-2_gw) proto udp from any
> > > to $T1-2_addr port 500
> > >
> > > This seems to work, but can be fairly unstable, with two (of six) of the
> > > VPN connections coming up and going down unpredictably. This may have
> > > nothing to do with the pf ruleset, but I would still ask: is there a
> > > better way to do this?
> >
> > Add a static route for $remote_gw_addr through the appropriate gateway?
>
> That works, but creates another problem. I simplified things in my first
> post, we also have a DMZ hanging off the firewall that the remotes contact
> occasionally. And since the VPNs are internal lan to internal lan, we get
> asymmetrical routing where contacts to the DMZ come in over T1-1 but go back
> out over T1-2. I've tested it and it works, but it seems sloppy to me. Just
> wondering if there's a better way.
Not sure if it's "better", but you could nat the VPN traffic to your DMZ.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
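One way to combine the two suggestions in this thread (a static route for the peer over the second T1, plus NAT for tunnel traffic bound for the DMZ) as an added example; this is not configuration from either poster. It uses the pre-4.7 pf syntax of the rules quoted above and assumes the placeholder macros defined at the top (the thread's $T1-2_if, $T1-2_addr and $T1-2_gw are renamed vpn_if, vpn_addr and vpn_gw, since pf macro names cannot contain a hyphen; dmz_if, dmz_net and enc0 are assumptions). The reading of "nat the VPN traffic to your DMZ" taken here is: remote sites reach the DMZ by its private addresses through the tunnel, and the firewall rewrites their source to its own DMZ address, so DMZ hosts reply to the firewall and the reply re-enters the tunnel instead of chasing $remote_gw_addr out whichever T1 the routing table picks.

```pf
# --- placeholders; replace with the real interfaces and networks ---
vpn_if         = "t1b"            # second T1, VPN-only (thread's $T1-2_if)
vpn_addr       = "192.0.2.2"      # its address (thread's $T1-2_addr)
vpn_gw         = "192.0.2.1"      # its upstream gateway (thread's $T1-2_gw)
dmz_if         = "em2"            # interface the DMZ hangs off
dmz_net        = "10.10.20.0/24"  # DMZ network (private, reached via the tunnel)
remote_lan_net = "10.10.30.0/24"  # remote site's internal network
remote_gw_addr = "198.51.100.9"   # remote VPN peer's public address

# 1. Pin the peer to the second T1 (the static-route suggestion). Macros do
#    not expand outside pf.conf, so this goes in /etc/hostname.t1b as
#    !route add -host 198.51.100.9 192.0.2.1
#    and must be applied before isakmpd starts.

# 2. The tunnel itself needs a flow covering the DMZ too; in ipsec.conf add,
#    alongside the existing $lan_net flow:
#    ike passive esp from $dmz_net to $remote_lan_net peer $remote_gw_addr

# 3. IKE and ESP arrive on the second T1 only from the known peer, and
#    reply-to forces answers back out that T1 rather than the default route.
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto esp \
    from $remote_gw_addr to $vpn_addr keep state
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto udp \
    from $remote_gw_addr to $vpn_addr port 500 keep state

# 4. Decrypted tunnel traffic appears on enc0; allow remote LAN -> DMZ.
pass in on enc0 from $remote_lan_net to $dmz_net keep state

# 5. Rewrite the source as it leaves toward the DMZ. DMZ hosts now see the
#    firewall's own DMZ address, so their replies come back to the firewall,
#    are un-NATed, and match the dmz_net -> remote_lan_net flow into the
#    tunnel. No DMZ reply ever carries a remote address that routing could
#    send out the wrong T1.
nat on $dmz_if from $remote_lan_net to $dmz_net -> ($dmz_if)
pass out on $dmz_if from ($dmz_if) to $dmz_net keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sn` to confirm the nat rule is present. To verify the return path actually stays symmetric, watch a DMZ connection from a remote site with `tcpdump -ni enc0` (both directions should be visible there) and `pfctl -ss`, which should show the translated state on $dmz_if and no state for the remote network on the first T1. The cost of this approach is that DMZ logs record the firewall's address rather than the remote host, so any per-remote-host logging on the DMZ has to move to the firewall's own pf logs.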
