Re: [PF] IPSEC and PF/RDR rule

2009-01-09 Thread Mikolaj Kucharski
Hi,

I have a problem in the same area. An OpenBSD router with an external IP is
redirecting traffic on port 80:

# router (pf.conf)
rdr pass on ! lo inet proto tcp from any to (self) port = www -> 172.16.0.53

but 172.16.0.53 is connected to the router via ipsec(4):

# router (ipsec.conf)
ike passive esp tunnel \
from { \
172.16.0.0/16 \
192.168.1.0/24 \
192.168.2.0/24 \
192.168.3.0/24 \
} to any \
srcid my-openbsd-router.home.lan

# 172.16.0.53 (ipsec.conf)
ike dynamic esp tunnel \
from egress to 192.168.2.0/24 \
peer my-openbsd-router-external-ip dstid my-openbsd-router.home.lan
ike dynamic esp tunnel \
from egress to 192.168.3.0/24 \
peer my-openbsd-router-external-ip dstid my-openbsd-router.home.lan

When I'm on the 192.168.2.0/24 network and my laptop has no ipsec configured,
I can still reach the external IP of my router and the traffic is redirected to
the 172.16.0.53 web server, but when I connect from the outside world I
cannot reach the web server. From my configuration files I can see that this
shouldn't work, but I don't know how to alter my configuration to make
it work. Could someone shed some light on this for me please? Thanks.


# router
OpenBSD 4.4-current (GENERIC) #1050: Wed Sep 10 12:18:05 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

# web server
OpenBSD 4.4-current (GENERIC) #1643: Tue Dec 30 13:50:47 MST 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#
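As an added illustration (not code from the thread), a small Python model of the IPsec flow selection implied by the two ipsec.conf fragments above: the web server's dynamic entries only negotiate flows between its egress address and 192.168.2.0/24 and 192.168.3.0/24 (an assumption about what the router's passive entry ends up matching), and the rdr rule rewrites only the destination, so a redirected packet enters the tunnel only when its original source lies in one of those networks. The router and client addresses used are constructed.

```python
import ipaddress

# Constructed model of the flows negotiated between the router and 172.16.0.53.
# Assumption: the router's passive "from {...} to any" entry only ever matches
# what the web server's two dynamic entries propose, i.e. its egress address
# paired with 192.168.2.0/24 and 192.168.3.0/24.
WEB_SERVER = "172.16.0.53"
FLOWS = [
    # (network on the router's side, remote endpoint on the web server's side)
    ("192.168.2.0/24", WEB_SERVER),
    ("192.168.3.0/24", WEB_SERVER),
]


def flow_matches(src, dst, flows=FLOWS):
    """True if a packet src -> dst leaving the router is covered by an outbound
    IPsec flow, i.e. it would be encapsulated and delivered to the web server.
    A packet matching no flow is simply not sent through the tunnel."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for local, remote in flows:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return True
    return False


def after_rdr(src, dst, router_ip, target=WEB_SERVER):
    """Model of the rdr rule: a connection to the router's own address (port www)
    has its destination rewritten to the web server; the source is left alone."""
    if dst == router_ip:
        return (src, target)
    return (src, dst)


def reachable(src, router_ip="203.0.113.1"):
    """Does a client at src, connecting to the router's external IP on port 80,
    end up with a packet that any IPsec flow will carry to the web server?"""
    new_src, new_dst = after_rdr(src, router_ip, router_ip)
    return flow_matches(new_src, new_dst)


if __name__ == "__main__":
    # Laptop on the LAN without ipsec: redirected packet is 192.168.2.10 -> 172.16.0.53, matches a flow.
    print("LAN client:     ", reachable("192.168.2.10"))   # True
    # Client on the Internet: redirected packet is 198.51.100.7 -> 172.16.0.53, matches no flow.
    print("Internet client:", reachable("198.51.100.7"))   # False
```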



[PF] IPSEC and PF/RDR rule

2009-01-02 Thread dug

Hello,

I wish you a happy new year.

I have some trouble with my new OpenBSD router.
I installed the latest version, 4.4. I compiled the kernel with the
RAIDframe options.

This router is running services for :
- OSPF
- PF
- CARP
- IPSEC/ISAKMPD/SASYNCD

I have trouble with the IPSEC and PF services (rdr rules particularly).

I have a VPN between two peers: A.B.C.D and E.F.G.H
The peer A.B.C.D is running OpenBSD 4.4 and E.F.G.H is running
FreeBSD 6.3.
Behind these two peers, I have many networks, so I use the IPENCAP protocol
to connect them.

From the host x.x.x.x behind E.F.G.H, I would like to connect to the host
y.y.y.y behind A.B.C.D. This works fine.
But when I try to redirect traffic from x.x.x.x to y.y.y.y toward z.z.z.z with a
PF rdr rule, it doesn't work.

Following is the pf rule used on the peer A.B.C.D:
rdr from any to y.y.y.y -> z.z.z.z

I also tried these rules:
rdr on enc0 from any to y.y.y.y -> z.z.z.z
rdr on nfe0 from any to y.y.y.y -> z.z.z.z (where nfe0 is a private
interface used to route the traffic).

With the same result.

The traffic is not redirected. I can see on nfe0 the traffic from
x.x.x.x to y.y.y.y instead of traffic from x.x.x.x to z.z.z.z.

With pfctl -s state, I can see a state like this:
nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262       0:0


Before using this configuration on OpenBSD 4.4, I used it on FreeBSD 6.3.
Everything was OK.

I've been searching for documentation on the web, without success so far.

Maybe someone can help me here.

Thank you.