Routing all traffic through IPSEC VPN

2011-04-20 Thread Matt S
Hello @misc

I seem to still be having some problems, but I have made progress.  The branch
office cannot get out to the internet at large, which I think may be a NAT
problem.  At least, when changing the default route on the branch office, I
don't lose connectivity to it.  On the branch office, the routing tables don't
display unless I use netstat -rn -f inet.  I also cannot traceroute.  Kindly
advise what pf rules and additional static routing are appropriate.

--Main Office--
# The main office has a PPPoE connection to the internet
cat /etc/pf.conf:
pass all
# NAT both LANs (main office and branch) as they leave the PPPoE link.
# The rule as posted read "from 10.40.60.0": pf treats a bare address as a
# single host (/32), so it translated only that one address and never the
# branch net 10.40.65.0/24 arriving over the tunnel.
match out on tun0 from { 10.40.60.0/24, 10.40.65.0/24 } to any nat-to (tun0)

cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.255 172.16.254.2 link0 up
tunnel hq.valleybusinesssolutions.us vps.valleybusinesssolutions.us

route add -net 10.40.65.0/24 

netstat -r:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            phnx-dsl-gw55-247. UGS        3    45750     -     8 tun0
10.40.60/24        link#1             UC         1        0     -     4 em0
10.40.60.3         00:24:2c:07:d4:d0  UHLc       2    25728     -     4 em0
10.40.65/24        172.16.254.2       UGS        0      110     -     8 gif0
phnx-dsl-gw55-247. 71-223-156-37.phnx UH         1        8  1492     4 tun0
loopback           localhost          UGRS       0        0 33200     8 lo0
localhost          localhost          UH         0        0 33200     4 lo0
172.16.254.2       172.16.254.1       UH         1       68     -     4 gif0
BASE-ADDRESS.MCAST localhost          URS        0        0 33200     8 lo0


--Branch Office--
# The branch office has a cable-based internet connection
cat /etc/pf.conf:
pass all
# Branch LAN traffic is routed into the tunnel, so this only affects packets
# that really leave em0.  A bare "10.40.65.0" would match one host; use the /24.
match out on em0 from 10.40.65.0/24 to any nat-to (em0)

cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.255 172.16.254.1 link0 up
tunnel vps.valleybusinesssolutions.us hq.valleybusinesssolutions.us

# 206.125.169.97 is the ISP's gateway: pin the far tunnel endpoint to it
# before moving the default route into the tunnel.
route add -host hq.valleybusinesssolutions.us 206.125.169.97
route change default 172.16.254.1

netstat -rn -f inet
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            172.16.254.1       UGS        0       98     -     8 gif0
10.40.65/24        link#4             UC         0        0     -     4 vether0
71.223.156.37      206.125.169.97     UGHS       0      201     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        2 33160     4 lo0
172.16.254.1       172.16.254.2       UH         2       91     -     4 gif0
206.125.169.96/29  link#1             UC         2        0     -     4 em0
206.125.169.97     00:0d:65:ab:c8:bf  UHLc       1        0     -     4 em0
206.125.169.98     52:54:00:27:26:22  UHLc       0        0     -     4 lo0
224/4              127.0.0.1          URS        0        0 33160     8 lo0

Thank you again,
Matt
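The "NAT problem" in the post above can be checked mechanically. The following is an added example, not code from Matt or from anyone in the thread: a small Python checker that reads pf "match out ... nat-to" rules the way pf does (a bare address is a /32 host, "any" is 0/0) and reports which LAN prefixes would leave an interface untranslated. The rule text, interface names and prefixes are the thread's; the probe destination (a TEST-NET-2 address) and the limited rule grammar are assumptions of this example.

```python
"""Added example (not code from the thread): check whether pf "nat-to" rules
cover every LAN prefix that is routed out of an interface.

pf reads a bare address in a rule ("from 10.40.60.0") as one host, i.e. /32.
The main-office rule posted above therefore translated only that single
address: nothing else from 10.40.60.0/24, and nothing at all from the branch
net 10.40.65.0/24, whose packets arrive over the tunnel and leave tun0 with
an RFC 1918 source.  Only the "match out on IF from X to Y nat-to (IF)" form
is parsed here; the probe destination is a constructed TEST-NET-2 address."""
import ipaddress
import re

NAT_RULE = re.compile(
    r"^match\s+out\s+on\s+(?P<ifname>\S+)"
    r"\s+from\s+(?P<src>\{[^}]*\}|\S+)"
    r"\s+to\s+(?P<dst>\{[^}]*\}|\S+)"
    r"\s+nat-to\s*\((?P<natif>[^)]+)\)\s*$"
)


def parse_addr_list(text):
    """Expand "{ a, b }" or a single token into networks, the way pf does:
    a bare address is a host (/32) and "any" is 0.0.0.0/0."""
    nets = []
    for tok in re.split(r"[\s,{}]+", text):
        if not tok:
            continue
        if tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def parse_nat_rules(pf_conf):
    """Collect the nat-to match rules from a pf.conf body (comments stripped)."""
    rules = []
    for line in pf_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = NAT_RULE.match(line) if line else None
        if m:
            rules.append({
                "ifname": m.group("ifname"),
                "src": parse_addr_list(m.group("src")),
                "dst": parse_addr_list(m.group("dst")),
                "natif": m.group("natif").strip(),
            })
    return rules


def nat_applies(rules, egress_if, src, dst):
    """Interface whose address (src, dst) is translated to when leaving
    egress_if, or None.  Every matching "match" rule applies and a later
    nat-to overrides an earlier one, so the last match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natif = None
    for r in rules:
        if r["ifname"] != egress_if:
            continue
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            natif = r["natif"]
    return natif


def uncovered_sources(rules, egress_if, lans, probe_dst="198.51.100.1"):
    """LAN prefixes whose first host would leave egress_if untranslated."""
    missing = []
    for lan in lans:
        first_host = str(next(ipaddress.ip_network(lan).hosts()))
        if nat_applies(rules, egress_if, first_host, probe_dst) is None:
            missing.append(lan)
    return missing


# Main-office rule as posted, and with the mask and the branch net added.
POSTED_PF = "pass all\nmatch out on tun0 from 10.40.60.0 to any nat-to (tun0)\n"
FIXED_PF = ("pass all\n"
            "match out on tun0 from { 10.40.60.0/24, 10.40.65.0/24 } "
            "to any nat-to (tun0)\n")
LANS = ["10.40.60.0/24", "10.40.65.0/24"]

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_PF), ("fixed", FIXED_PF)):
        gaps = uncovered_sources(parse_nat_rules(conf), "tun0", LANS)
        print(f"{label}: prefixes leaving tun0 untranslated -> {gaps or 'none'}")
```

Run against the posted rule it reports both LANs as untranslated; against the corrected rule it reports none. On a live box the equivalent check is `pfctl -sr` plus `tcpdump -ni tun0` watching for packets that still carry a 10.40.x.x source.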



Re: Routing all traffic through IPSEC VPN

2011-04-19 Thread lilit-aibolit

Matt S wrote:

> Hello @misc:
>
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working beautifully.
> However, I would like the remote site to route all of its traffic through the
> VPN.  After googling, I seemed to come up with a suggestion to do a route change
> -net 0.0.0.0/0  which didn't work well.  I think it might have to do
> with NAT.  The main office is doing the NAT.  Perhaps I need some sort of NAT
> traversal on the VPN??


Hello.
Here is a working config.  I have two nets, 15.0/24 and 16.0/24.
16.0/24 has the default gateway to the Internet.
Between 15 and 16 I set up IPsec.
From 15, for the lucky boys, I set up a tunnel to any.
On the router in 16 the lucky boys go out with NAT.

=== net 15.0 ===
ipsec.conf

# Site-to-site flows for the two remote nets, plus a catch-all "to any" flow
# for the three hosts whose whole traffic should go through the tunnel.
remote_nets = "{ 192.168.16.0/24, 172.20.252.0/24 }"
nat_clients = "{ 192.168.15.10, 192.168.15.167, 192.168.15.170 }"
flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1

ifconfig

rl0: flags=28843 mtu 1500
lladdr 00:02:44:56:39:04
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.15.6 netmask 0xffffff00 broadcast 192.168.15.255
vr0: flags=28843 mtu 1500
lladdr 00:13:d3:36:f5:ce
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255

route -n show
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.10.1 UGS 5 5440 - 8 vr0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 4 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 vr0
192.168.10.1 00:d0:b7:60:5f:5c UHLc 3 1357436 - 4 vr0
192.168.15/24 link#1 UC 38 0 - 4 rl0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.167/32 0 0 192.168.10.1/esp/require/in
192.168.15.167/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.10/32 0 0 192.168.10.1/esp/require/in
192.168.15.10/32 0 default 0 0 192.168.10.1/esp/require/out
172.20.252/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 172.20.252/24 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out

=== net 16 ===
ipsec.conf

# Mirror of the net 15 flows; the "from any" flow is what lets this side
# accept and return Internet-bound traffic for the three clients.
local_nets = "{ 172.20.252.0/24, 192.168.16.0/24 }"
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 } peer 192.168.10.2

esp from 192.168.10.1 to 192.168.10.2

fxp0: flags=28843 mtu 1500
lladdr 00:d0:b7:60:75:51
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.16.6 netmask 0xffffff00 broadcast 192.168.16.255
fxp1: flags=28843 mtu 1500
lladdr 00:d0:b7:60:5f:5c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
fxp2: flags=8843 mtu 1500
lladdr 00:d0:b7:60:5d:9c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.20.252.36 netmask 0xfffffff8 broadcast 172.20.252.39
inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843 mtu 1500
lladdr 00:0d:88:45:68:aa
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.20.55 netmask 0xffffff00 broadcast 192.168.20.255

Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.16.8 UGS 6 14997670 - 8 fxp0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 11204 33200 4 lo0
172.20.252.32/29 link#3 UC 1 0 - 4 fxp2
172.20.252.38 00:03:7e:00:73:40 UHLc 0 4831569 - 4 fxp2
192.168.10/24 link#2 UC 2 0 - 4 fxp1
192.168.10.1 00:d0:b7:60:5f:5c UHLc 0 4 - 4 lo0
192.168.10.2 00:13:d3:36:f5:ce UHLc 15 102190836 - 4 fxp1
192.168.15/24 192.168.10.2 UGS 0 119979 - 8 fxp1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15.167/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.167/32 0 0 192.168.10.2/esp/require/out
192.168.15.10/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.10/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 172.20.252/24 0 0 192.168.10.2/esp/require/in
172.20.252/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out


host 192.168.16.8 doing NAT for the lucky boys from 15.0/24:
tracert mail.ru
traceroute to mail.ru (94.100.191.204), 30 hops max, 40 byte packets
1 192.168.15.6 (192.168.15.6) 0.518 ms 0.475 ms 0.462 ms
2 192.168.10.1 (192.168.10.1) 3.331 ms 3.368 ms 3.357 ms
3 * * *
4 * * *
5 * * *
6 * *

Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Christiano F. Haesbaert
On Wed, Apr 13, 2011 at 02:53:29PM -0700, Matt S wrote:
> Thank you for all of the help.  I am effectively giving up on doing it this 
> way.  OpenVPN seems to have facilities to make it easier to achieve what I 
> want 
> to do.  I appreciate all of the time and effort spent.
> 
> 

There should be no difference in using OpenVPN or IPSEC, your problem is not
related to that. I'll try this again.

1. Make the VPN
2. Add a host route to the other-end external address through the local gateway.
3. Add the default gateway as the other-end VPN address.

So your tunnel will be able to reach the other side (the external host route).
Sorry but I'm a bit busy to understand your setup.

I'm sending you a script which does that.

> On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> > Hi Claudiu:
> > 
> > 
> > Thank you for your reply.  I did try your suggestion to do a route add
> > A.B.C.D.E  and unfortunately it did not work so well.  I
> > lost connectivity to the branch altogether over the VPN.  At least I
> > have console access :)  Once I removed the route, I regained
> > connectivity over the vpn.  Perhaps, I can show you the routing
> > tables, if that will help?
> > 
> > 
> > Main
> > Internet:
> > DestinationGatewayFlags   Refs  Use   Mtu
> >  Prio Iface
> > default   phnx-dsl-gw55-247. UGS   19  1629401 -
> > 8 tun0
> > 10.40.60/24link#1 UC 20 -
> > 4 em0
> > 10.40.60.3 00:24:2c:07:d4:d0  UHLc   1 3217 -
> > 4 em0
> > 10.40.60.5 link#1 UHLc   1  847 -
> > 4 em0
> > 10.40.65/24172.16.254.2   UG 0   22 -
> >  32 gre0
> > phnx-dsl-gw55-247. 71-223-148-144.phn UH 1   12  1492
> > 4 tun0
> > loopback   localhost  UGRS   00 33200
> > 8 lo0
> > localhost   localhost  UH 0   60 33200
> > 4 lo0
> > 172.16.254.1/32172.16.254.2   UG 00 -
> >  32 gre0
> > 172.16.254.2   172.16.254.1   UH 2  157 -
> > 4 gre0
> > BASE-ADDRESS.MCAST localhost  URS00 33200
> > 8 lo0
> > 
> > 
> > Branch
> > DestinationGatewayFlags   Refs  Use   Mtu
> >  Prio Iface
> > default206.125.169.97 UGS311772 -
> > 8 em0
> > 10.40.60/24172.16.254.1   UG 1   50 -
> >  32 gre0
> > 10.40.65/24link#4 UC 10 -
> > 4 vether0
> > 10.40.65.1 fe:e1:ba:d0:da:7e  UHLc   04 -
> > 4 lo0
> > loopback   localhost  UGRS   00 33160
> > 8 lo0
> > localhost  localhost  UH 1   60 33160
> > 4 lo0
> > 172.16.254.1   172.16.254.2   UH 2   87 -
> > 4 gre0
> > 172.16.254.2/32172.16.254.1   UG 00 -
> >  32 gre0
> > 206.125.169.96/29  link#1 UC 20 -
> > 4 em0
> > 206.125.169.97 00:0d:65:ab:c8:bf  UHLc   10 -
> > 4 em0
> > matthew-schwartz.c 52:54:00:27:26:22  UHLc   00 -
> > 4 lo0
> > BASE-ADDRESS.MCAST localhost  URS00 33160
> > 8 lo0
> > 
> > 
> > 
> > On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > > Hello @misc:
> > > 
> > > I am up against a stumper.  I have a Site-to-Site IPSEC VPN working
> > beautifully. 
> > >  However, I would like the remote site to route all of its traffic
> > through the 
> > > VPN.  After googling, I seemed to come up with a suggestion to do a
> > route change 
> > > -net 0.0.0.0/0  which didn't work well.  I think it might
> > have to do 
> > > with NAT.  The main office is doing the NAT.  Perhaps I need to some
> > sort of NAT 
> > > traversal on the VPN??
> > > 
> > > Here is my setup:
> > > 
> > > --Main Office--
> > > cat /etc/ipsec.conf:
> > > me="A.B.C.D"
> > > mypeer="E.F.G.H"
> > > mypsk="mypsk"
> > > 
> > > ike passive esp from $me to $mypeer peer $mypeer \
> > >  main auth hmac-sha1 enc 3des group modp1024 \
> > >  srcid $me dstid $mypeer \
> > >  psk $mypsk
> > > 
> > > cat /etc/hostname.gre0:
> > > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > > tunnel A.B.C.D E.F.G.H
> > > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> > > 
> > > cat /etc/pf.conf:
> > > set skip on {lo, gre0, enc0}
> > > 
> > > anchor "ftp-proxy/*"
> > > 
> > > block in log all
> > > pass out all
> > > 
> > > antispoof for tun0
> > > table  persist
> > > table  {10.40.60.0/24, 10.40.65.0/24}
> > > 
> > > match out on tun0 from  to any nat-to (tun0)
> > > 
> > > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > > pass in quick proto tcp from localhost to any port {http,https}
> > rdr-to 127.0.0.1 
> > > port 3128
> > > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > > block log quick from 
> > > pass inet proto icmp all icmp-type {echoreq, unreach}
> > > pass in 
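Christiano's three steps above, Claudiu's warning about the default route swallowing the VPN's own packets, and Matt's report of losing the branch after a route change all come down to one lookup: after the default route points into the tunnel, the far end's public address must still resolve to the physical interface. The following is an added example, not code from the thread or from OpenBSD: a Python longest-prefix-match model of a routing table parsed from `netstat -rn -f inet` output, applying the two route commands in both orders. The table is constructed from the branch table posted in the thread; it assumes 71.223.156.37 as the main office's public address (the host route that later appears in the branch table), 206.125.169.97 as the ISP gateway, and it ignores OpenBSD route priorities.

```python
"""Added example (not code from the thread): a small longest-prefix-match model
of an OpenBSD routing table, parsed from "netstat -rn -f inet" output, used to
check the step that breaks "route everything through the VPN".  Once the
default route points at the far tunnel address, the tunnel's own outer packets
(to the far end's public address) must still resolve to the physical
interface; if they resolve to the tunnel interface the kernel would have to
carry the tunnel inside itself, which is the loop the replies warn about.
Route priorities are ignored.  The table below is constructed from the
branch-office table in the thread; 71.223.156.37 is assumed to be the main
office's public address and 206.125.169.97 the ISP gateway."""
import ipaddress


def expand_dest(dest):
    """netstat drops trailing zero octets of classless nets ("10.40.65/24",
    "127/8"); restore them.  "default" is 0.0.0.0/0, a bare address a /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_routes(netstat_text):
    """Turn "Destination Gateway Flags ... Iface" lines into route dicts;
    the header, section titles and blank lines are skipped."""
    routes = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        routes.append({"net": expand_dest(cols[0]), "gw": cols[1],
                       "flags": cols[2], "iface": cols[-1]})
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns the route dict or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r["net"] and (best is None or
                              r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def add_host_route(routes, host, gw, iface):
    """Model of: route add -host <host> <gw>"""
    routes.append({"net": ipaddress.ip_network(f"{host}/32"), "gw": gw,
                   "flags": "UGHS", "iface": iface})


def change_default(routes, gw, iface):
    """Model of: route change default <gw>"""
    for r in routes:
        if r["net"].prefixlen == 0:
            r["gw"], r["iface"] = gw, iface


def tunnel_is_self_routed(routes, peer_public, tunnel_ifaces):
    """True when packets to the tunnel's far endpoint would themselves be
    sent into a tunnel interface."""
    r = lookup(routes, peer_public)
    return r is not None and r["iface"] in tunnel_ifaces


# Branch table before any change (constructed from the thread, counters trimmed).
BRANCH_BEFORE = """\
Destination        Gateway            Flags   Refs   Use   Mtu  Prio Iface
default            206.125.169.97     UGS        3 11772     -     8 em0
10.40.60/24        172.16.254.1       UG         1    50     -    32 gre0
10.40.65/24        link#4             UC         1     0     -     4 vether0
172.16.254.1       172.16.254.2       UH         2    87     -     4 gre0
206.125.169.96/29  link#1             UC         2     0     -     4 em0
206.125.169.97     00:0d:65:ab:c8:bf  UHLc       1     0     -     4 em0
"""
HQ_PUBLIC, ISP_GW, TUNNEL_PEER = "71.223.156.37", "206.125.169.97", "172.16.254.1"
TUNNELS = {"gre0", "gif0"}


def default_only():
    """'route change default 172.16.254.1' by itself: the far endpoint now
    resolves through gre0 and the VPN goes down (the lost-connectivity
    symptom reported in the thread)."""
    rt = parse_routes(BRANCH_BEFORE)
    change_default(rt, TUNNEL_PEER, "gre0")
    return tunnel_is_self_routed(rt, HQ_PUBLIC, TUNNELS)


def host_route_then_default():
    """Pin the far endpoint to the ISP gateway first, then move the default."""
    rt = parse_routes(BRANCH_BEFORE)
    add_host_route(rt, HQ_PUBLIC, ISP_GW, "em0")
    change_default(rt, TUNNEL_PEER, "gre0")
    return tunnel_is_self_routed(rt, HQ_PUBLIC, TUNNELS)


if __name__ == "__main__":
    print("default via tunnel only  -> tunnel self-routed:", default_only())
    print("host route, then default -> tunnel self-routed:", host_route_then_default())
```

The same check on a live OpenBSD router is `route -n get <far public address>` after each step: the reported interface must be the physical one (em0 here), never gre0 or gif0. Doing the host route first also matters when the commands come from a hostname.if file, since `!route` lines run in file order.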

Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Matt S
Thank you for all of the help.  I am effectively giving up on doing it this 
way.  OpenVPN seems to have facilities to make it easier to achieve what I want 
to do.  I appreciate all of the time and effort spent.


On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> Hi Claudiu:
> 
> 
> Thank you for your reply.  I did try your suggestion to do a route add
> A.B.C.D.E  and unfortunately it did not work so well.  I
> lost connectivity to the branch altogether over the VPN.  At least I
> have console access :)  Once I removed the route, I regained
> connectivity over the vpn.  Perhaps, I can show you the routing
> tables, if that will help?
> 
> 
> Main
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu
>  Prio Iface
> default   phnx-dsl-gw55-247. UGS   19  1629401 -
> 8 tun0
> 10.40.60/24link#1 UC 20 -
> 4 em0
> 10.40.60.3 00:24:2c:07:d4:d0  UHLc   1 3217 -
> 4 em0
> 10.40.60.5 link#1 UHLc   1  847 -
> 4 em0
> 10.40.65/24172.16.254.2   UG 0   22 -
>  32 gre0
> phnx-dsl-gw55-247. 71-223-148-144.phn UH 1   12  1492
> 4 tun0
> loopback   localhost  UGRS   00 33200
> 8 lo0
> localhost   localhost  UH 0   60 33200
> 4 lo0
> 172.16.254.1/32172.16.254.2   UG 00 -
>  32 gre0
> 172.16.254.2   172.16.254.1   UH 2  157 -
> 4 gre0
> BASE-ADDRESS.MCAST localhost  URS00 33200
> 8 lo0
> 
> 
> Branch
> DestinationGatewayFlags   Refs  Use   Mtu
>  Prio Iface
> default206.125.169.97 UGS311772 -
> 8 em0
> 10.40.60/24172.16.254.1   UG 1   50 -
>  32 gre0
> 10.40.65/24link#4 UC 10 -
> 4 vether0
> 10.40.65.1 fe:e1:ba:d0:da:7e  UHLc   04 -
> 4 lo0
> loopback   localhost  UGRS   00 33160
> 8 lo0
> localhost  localhost  UH 1   60 33160
> 4 lo0
> 172.16.254.1   172.16.254.2   UH 2   87 -
> 4 gre0
> 172.16.254.2/32172.16.254.1   UG 00 -
>  32 gre0
> 206.125.169.96/29  link#1 UC 20 -
> 4 em0
> 206.125.169.97 00:0d:65:ab:c8:bf  UHLc   10 -
> 4 em0
> matthew-schwartz.c 52:54:00:27:26:22  UHLc   00 -
> 4 lo0
> BASE-ADDRESS.MCAST localhost  URS00 33160
> 8 lo0
> 
> 
> 
> On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @misc:
> > 
> > I am up against a stumper.  I have a Site-to-Site IPSEC VPN working
> beautifully. 
> >  However, I would like the remote site to route all of its traffic
> through the 
> > VPN.  After googling, I seemed to come up with a suggestion to do a
> route change 
> > -net 0.0.0.0/0  which didn't work well.  I think it might
> have to do 
> > with NAT.  The main office is doing the NAT.  Perhaps I need to some
> sort of NAT 
> > traversal on the VPN??
> > 
> > Here is my setup:
> > 
> > --Main Office--
> > cat /etc/ipsec.conf:
> > me="A.B.C.D"
> > mypeer="E.F.G.H"
> > mypsk="mypsk"
> > 
> > ike passive esp from $me to $mypeer peer $mypeer \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  srcid $me dstid $mypeer \
> >  psk $mypsk
> > 
> > cat /etc/hostname.gre0:
> > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > tunnel A.B.C.D E.F.G.H
> > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> > 
> > cat /etc/pf.conf:
> > set skip on {lo, gre0, enc0}
> > 
> > anchor "ftp-proxy/*"
> > 
> > block in log all
> > pass out all
> > 
> > antispoof for tun0
> > table  persist
> > table  {10.40.60.0/24, 10.40.65.0/24}
> > 
> > match out on tun0 from  to any nat-to (tun0)
> > 
> > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > pass in quick proto tcp from localhost to any port {http,https}
> rdr-to 127.0.0.1 
> > port 3128
> > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > block log quick from 
> > pass inet proto icmp all icmp-type {echoreq, unreach}
> > pass in on tun0 inet proto tcp from any to any port ssh keep state
> (max-src-conn 
> > 6, max-src-conn-rate 3/1, overload  flush global) rdr-to
> 10.40.60.1
> > pass on em0 from  to any
> > 
> > 
> > --Branch Office--
> > cat /etc/ipsec.conf:
> > me="E.F.G.H"
> > mypeer="A.B.C.D"
> > mypsk="mypsk"
> > 
> > ike esp from $me to $mypeer peer $mypeer \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  srcid $me dstid $mypeer \
> >  psk $mypsk
> > 
> > cat /etc/hostname.gre0:
> > inet 172.16.254.2 255.255.255.252 172.16.254.1
> > tunnel E.F.G.H A.B.C.D
> > !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> > 
> > Firewall disabled for now - nothing other than sshd and isakmpd are
> running.
> > 
> > Thanks,
> > Matt
> > 
> 
> Matt
> 
> did you put o

Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Claudiu Pruna
On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> Hi Claudiu:
> 
> 
> Thank you for your reply.  I did try your suggestion to do a route add
> A.B.C.D.E  and unfortunately it did not work so well.  I
> lost connectivity to the branch altogether over the VPN.  At least I
> have console access :)  Once I removed the route, I regained
> connectivity over the vpn.  Perhaps, I can show you the routing
> tables, if that will help?
> 
> 
> Main
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu
>  Prio Iface
> default   phnx-dsl-gw55-247. UGS   19  1629401 -
> 8 tun0
> 10.40.60/24link#1 UC 20 -
> 4 em0
> 10.40.60.3 00:24:2c:07:d4:d0  UHLc   1 3217 -
> 4 em0
> 10.40.60.5 link#1 UHLc   1  847 -
> 4 em0
> 10.40.65/24172.16.254.2   UG 0   22 -
>  32 gre0
> phnx-dsl-gw55-247. 71-223-148-144.phn UH 1   12  1492
> 4 tun0
> loopback   localhost  UGRS   00 33200
> 8 lo0
> localhost   localhost  UH 0   60 33200
> 4 lo0
> 172.16.254.1/32172.16.254.2   UG 00 -
>  32 gre0
> 172.16.254.2   172.16.254.1   UH 2  157 -
> 4 gre0
> BASE-ADDRESS.MCAST localhost  URS00 33200
> 8 lo0
> 
> 
> Branch
> DestinationGatewayFlags   Refs  Use   Mtu
>  Prio Iface
> default206.125.169.97 UGS311772 -
> 8 em0
> 10.40.60/24172.16.254.1   UG 1   50 -
>  32 gre0
> 10.40.65/24link#4 UC 10 -
> 4 vether0
> 10.40.65.1 fe:e1:ba:d0:da:7e  UHLc   04 -
> 4 lo0
> loopback   localhost  UGRS   00 33160
> 8 lo0
> localhost  localhost  UH 1   60 33160
> 4 lo0
> 172.16.254.1   172.16.254.2   UH 2   87 -
> 4 gre0
> 172.16.254.2/32172.16.254.1   UG 00 -
>  32 gre0
> 206.125.169.96/29  link#1 UC 20 -
> 4 em0
> 206.125.169.97 00:0d:65:ab:c8:bf  UHLc   10 -
> 4 em0
> matthew-schwartz.c 52:54:00:27:26:22  UHLc   00 -
> 4 lo0
> BASE-ADDRESS.MCAST localhost  URS00 33160
> 8 lo0
> 
> 
> 
> On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @misc:
> > 
> > I am up against a stumper.  I have a Site-to-Site IPSEC VPN working
> beautifully. 
> >  However, I would like the remote site to route all of its traffic
> through the 
> > VPN.  After googling, I seemed to come up with a suggestion to do a
> route change 
> > -net 0.0.0.0/0  which didn't work well.  I think it might
> have to do 
> > with NAT.  The main office is doing the NAT.  Perhaps I need to some
> sort of NAT 
> > traversal on the VPN??
> > 
> > Here is my setup:
> > 
> > --Main Office--
> > cat /etc/ipsec.conf:
> > me="A.B.C.D"
> > mypeer="E.F.G.H"
> > mypsk="mypsk"
> > 
> > ike passive esp from $me to $mypeer peer $mypeer \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  srcid $me dstid $mypeer \
> >  psk $mypsk
> > 
> > cat /etc/hostname.gre0:
> > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > tunnel A.B.C.D E.F.G.H
> > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> > 
> > cat /etc/pf.conf:
> > set skip on {lo, gre0, enc0}
> > 
> > anchor "ftp-proxy/*"
> > 
> > block in log all
> > pass out all
> > 
> > antispoof for tun0
> > table  persist
> > table  {10.40.60.0/24, 10.40.65.0/24}
> > 
> > match out on tun0 from  to any nat-to (tun0)
> > 
> > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > pass in quick proto tcp from localhost to any port {http,https}
> rdr-to 127.0.0.1 
> > port 3128
> > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > block log quick from 
> > pass inet proto icmp all icmp-type {echoreq, unreach}
> > pass in on tun0 inet proto tcp from any to any port ssh keep state
> (max-src-conn 
> > 6, max-src-conn-rate 3/1, overload  flush global) rdr-to
> 10.40.60.1
> > pass on em0 from  to any
> > 
> > 
> > --Branch Office--
> > cat /etc/ipsec.conf:
> > me="E.F.G.H"
> > mypeer="A.B.C.D"
> > mypsk="mypsk"
> > 
> > ike esp from $me to $mypeer peer $mypeer \
> >  main auth hmac-sha1 enc 3des group modp1024 \
> >  srcid $me dstid $mypeer \
> >  psk $mypsk
> > 
> > cat /etc/hostname.gre0:
> > inet 172.16.254.2 255.255.255.252 172.16.254.1
> > tunnel E.F.G.H A.B.C.D
> > !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> > 
> > Firewall disabled for now - nothing other than sshd and isakmpd are
> running.
> > 
> > Thanks,
> > Matt
> > 
> 
> Matt
> 
> did you put on the branch router a route like 
> route add A.B.C.D  ?
> 
> beware that if you issue just route add default 172.16.254.1 then your
> router will tend to also route the vpn traffic through your tunnel, so
> you get

Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Matt S
Christiano:

Thanks for your help.  So, if I am understanding correctly, I need to create the
following routes on the branch office router (OpenBSD):

route change -net 0.0.0.0/0 172.16.254.2  # I tried using 10.40.60.1 as the gateway and got a network unreachable error
route add -host 172.16.254.2 A.B.C.D.E

My setup is using a GRE tunnel.  I have the GRE Tunnel endpoints configured on a
/30 subnet.  There might be a gap in my understanding.

Thank you again,
Matt


On 12 April 2011 23:53, Matt S  wrote:
> Hello @misc:
>
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working 
>beautifully.
>  However, I would like the remote site to route all of its traffic through the
> VPN.  After googling, I seemed to come up with a suggestion to do a route 
>change
> -net 0.0.0.0/0  which didn't work well.  I think it might have to do
> with NAT.  The main office is doing the NAT.  Perhaps I need to some sort of 
>NAT
> traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table  persist
> table  {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from  to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 
>127.0.0.1
> port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from 
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state 
>(max-src-conn
> 6, max-src-conn-rate 3/1, overload  flush global) rdr-to 
10.40.60.1
> pass on em0 from  to any
>
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>
>

I do that with openvpn.
You need to add a default route to the other vpn end (so that every
traffic goes through the tunnel)
Then you add a host route to the external address of the other way via
the local gateway (so that the tunnel will work).
Since host routes have priority over network routes, this works fine.
You obviously need to nat the incoming traffic from the tunnel to the
outside world.



Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Christiano F. Haesbaert
On 12 April 2011 23:53, Matt S  wrote:
> Hello @misc:
>
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working
beautifully.
>  However, I would like the remote site to route all of its traffic through
the
> VPN.  After googling, I seemed to come up with a suggestion to do a route
change
> -net 0.0.0.0/0  which didn't work well.  I think it might have to
do
> with NAT.  The main office is doing the NAT.  Perhaps I need to some sort of
NAT
> traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table  persist
> table  {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from  to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
> port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from 
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
> 6, max-src-conn-rate 3/1, overload  flush global) rdr-to
10.40.60.1
> pass on em0 from  to any
>
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  srcid $me dstid $mypeer \
>  psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are
running.
>
> Thanks,
> Matt
>
>

I do that with openvpn.
You need to add a default route to the other vpn end (so that every
traffic goes through the tunnel)
Then you add a host route to the external address of the other way via
the local gateway (so that the tunnel will work).
Since host routes have priority over network routes, this works fine.
You obviously need to nat the incoming traffic from the tunnel to the
outside world.



Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Matt S
Hi Claudiu:

Thank you for your reply.  I did try your suggestion to do a route add
A.B.C.D.E  and unfortunately it did not work so well.  I lost connectivity to
the branch altogether over the VPN.  At least I have console access :)  Once I
removed the route, I regained connectivity over the vpn.  Perhaps, I can show
you the routing tables, if that will help?

Main
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            phnx-dsl-gw55-247. UGS       19  1629401     -     8 tun0
10.40.60/24        link#1             UC         2        0     -     4 em0
10.40.60.3         00:24:2c:07:d4:d0  UHLc       1     3217     -     4 em0
10.40.60.5         link#1             UHLc       1      847     -     4 em0
10.40.65/24        172.16.254.2       UG         0       22     -    32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH         1       12  1492     4 tun0
loopback           localhost          UGRS       0        0 33200     8 lo0
localhost          localhost          UH         0       60 33200     4 lo0
172.16.254.1/32    172.16.254.2       UG         0        0     -    32 gre0
172.16.254.2       172.16.254.1       UH         2      157     -     4 gre0
BASE-ADDRESS.MCAST localhost          URS        0        0 33200     8 lo0

Branch
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            206.125.169.97     UGS        3    11772     -     8 em0
10.40.60/24        172.16.254.1       UG         1       50     -    32 gre0
10.40.65/24        link#4             UC         1        0     -     4 vether0
10.40.65.1         fe:e1:ba:d0:da:7e  UHLc       0        4     -     4 lo0
loopback           localhost          UGRS       0        0 33160     8 lo0
localhost          localhost          UH         1       60 33160     4 lo0
172.16.254.1       172.16.254.2       UH         2       87     -     4 gre0
172.16.254.2/32    172.16.254.1       UG         0        0     -    32 gre0
206.125.169.96/29  link#1             UC         2        0     -     4 em0
206.125.169.97     00:0d:65:ab:c8:bf  UHLc       1        0     -     4 em0
matthew-schwartz.c 52:54:00:27:26:22  UHLc       0        0     -     4 lo0
BASE-ADDRESS.MCAST localhost          URS        0        0 33160     8 lo0

On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
> 
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working 
>beautifully. 
>
>  However, I would like the remote site to route all of its traffic through 
> the 

> VPN.  After googling, I seemed to come up with a suggestion to do a route 
>change 
>
> -net 0.0.0.0/0  which didn't work well.  I think it might have to do 
> with NAT.  The main office is doing the NAT.  Perhaps I need to some sort of 
>NAT 
>
> traversal on the VPN??
> 
> Here is my setup:
> 
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
> 
> ike passive esp from $me to $mypeer peer $mypeer \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   srcid $me dstid $mypeer \
>   psk $mypsk
> 
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> 
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
> 
> anchor "ftp-proxy/*"
> 
> block in log all
> pass out all
> 
> antispoof for tun0
> table  persist
> table  {10.40.60.0/24, 10.40.65.0/24}
> 
> match out on tun0 from  to any nat-to (tun0)
> 
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 
>127.0.0.1 
>
> port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from 
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state 
>(max-src-conn 
>
> 6, max-src-conn-rate 3/1, overload  flush global) rdr-to 
10.40.60.1
> pass on em0 from  to any
> 
> 
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
> 
> ike esp from $me to $mypeer peer $mypeer \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   srcid $me dstid $mypeer \
>   psk $mypsk
> 
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> 
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
> 
> Thanks,
> Matt
> 

Matt

did you put on the branch router a route like 
route add A.B.C.D  ?

beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.

claudiu.


-- 
Claudiu Pruna 



Re: Routing all traffic through IPSEC VPN

2011-04-13 Thread Claudiu Pruna
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
> 
> I am up against a stumper.  I have a Site-to-Site IPSEC VPN working 
> beautifully. 
>  However, I would like the remote site to route all of its traffic through 
> the 
> VPN.  After googling, I seemed to come up with a suggestion to do a route 
> change 
> -net 0.0.0.0/0  which didn't work well.  I think it might have to do 
> with NAT.  The main office is doing the NAT.  Perhaps I need to some sort of 
> NAT 
> traversal on the VPN??
> 
> Here is my setup:
> 
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
> 
> ike passive esp from $me to $mypeer peer $mypeer \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   srcid $me dstid $mypeer \
>   psk $mypsk
> 
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> 
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
> 
> anchor "ftp-proxy/*"
> 
> block in log all
> pass out all
> 
> antispoof for tun0
> table  persist
> table  {10.40.60.0/24, 10.40.65.0/24}
> 
> match out on tun0 from  to any nat-to (tun0)
> 
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 
> 127.0.0.1 
> port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from 
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state 
> (max-src-conn 
> 6, max-src-conn-rate 3/1, overload  flush global) rdr-to 
> 10.40.60.1
> pass on em0 from  to any
> 
> 
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
> 
> ike esp from $me to $mypeer peer $mypeer \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   srcid $me dstid $mypeer \
>   psk $mypsk
> 
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> 
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
> 
> Thanks,
> Matt
> 

Matt

did you put on the branch router a route like 
route add A.B.C.D  ?

beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.

claudiu.


-- 
Claudiu Pruna 



Routing all traffic through IPSEC VPN

2011-04-12 Thread Matt S
Hello @misc:

I am up against a stumper.  I have a Site-to-Site IPSEC VPN working beautifully.
However, I would like the remote site to route all of its traffic through the
VPN.  After googling, I seemed to come up with a suggestion to do a route change
-net 0.0.0.0/0  which didn't work well.  I think it might have to do with NAT.
The main office is doing the NAT.  Perhaps I need some sort of NAT traversal on
the VPN??

Here is my setup:

--Main Office--
cat /etc/ipsec.conf:
me="A.B.C.D"
mypeer="E.F.G.H"
mypsk="mypsk"

# Responder side ("passive"): the branch initiates.  This SA protects only the
# gateway-to-gateway traffic (the GRE tunnel); the LANs are routed over gre0.
# 3DES/SHA1/modp1024 were common in 2011; aes with modp2048 or larger is the
# preferred choice today.
ike passive esp from $me to $mypeer peer $mypeer \
  main auth hmac-sha1 enc 3des group modp1024 \
  srcid $me dstid $mypeer \
  psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2

cat /etc/pf.conf:
set skip on {lo, gre0, enc0}

anchor "ftp-proxy/*"

block in log all
pass out all

antispoof for tun0
table  persist
table  {10.40.60.0/24, 10.40.65.0/24}

match out on tun0 from  to any nat-to (tun0)

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to 
127.0.0.1 
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from 
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state 
(max-src-conn 
6, max-src-conn-rate 3/1, overload  flush global) rdr-to 10.40.60.1
pass on em0 from  to any


--Branch Office--
cat /etc/ipsec.conf:
me="E.F.G.H"
mypeer="A.B.C.D"
mypsk="mypsk"

# Initiator side (no "passive"); the proposal must match the main office exactly.
ike esp from $me to $mypeer peer $mypeer \
  main auth hmac-sha1 enc 3des group modp1024 \
  srcid $me dstid $mypeer \
  psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1

Firewall disabled for now - nothing other than sshd and isakmpd are running.

Thanks,
Matt