Routing all traffic through IPSEC VPN
Hello @misc I seem to still be having some problems but I have made progress. The branch office cannot get out to the internet at large which I think may be a NAT problem. At least, when changing the default route on the branch office, I don't lose connectivity to it. On the branch office, the routing tables don't display unless I use netstat -rn -f inet. I also cannot traceroute. Kindly advise what pf rules and additionaly static routing is appropriate. --Main Office-- # The main office has a PPPoE connection to the internet cat /etc/pf.conf: pass all match out on tun0 from 10.40.60.0 to any nat-to (tun0) cat /etc/hostname.gre0: inet 172.16.254.1 255.255.255.255 172.16.254.2 link0 up tunnel hq.valleybusinesssolutions.us vps.valleybusinesssolutions.us route add -net 10.40.65.0/24 netstat -r: Internet: DestinationGatewayFlags Refs Use Mtu Prio Iface defaultphnx-dsl-gw55-247. UGS345750 - 8 tun0 10.40.60/24link#1 UC 10 - 4 em0 10.40.60.3 00:24:2c:07:d4:d0 UHLc 225728 - 4 em0 10.40.65/24172.16.254.2 UGS0 110 - 8 gif0 phnx-dsl-gw55-247. 71-223-156-37.phnx UH 18 1492 4 tun0 loopback localhost UGRS 00 33200 8 lo0 localhost localhost UH 00 33200 4 lo0 172.16.254.2 172.16.254.1 UH 1 68 - 4 gif0 BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0 --Branch Office-- # The branch office has a cable-based internet connection cat /etc/pf.conf: pass all match out on em0 from 10.40.65.0 to any nat-to(em0) cat /etc/hostname.gre0: inet 172.16.254.2 255.255.255.255 172.16.254.1 link0 up tunnel vps.valleybusinesssolutions.us hq.valleybusinesssolutions.us route add -host hq.valleybusinesssolutions.us 206.125.169.97 #206.125.169.97 is the ISP's gateway route change default 172.16.254.1 netstat -rn -finet DestinationGatewayFlags Refs Use Mtu Prio Iface default172.16.254.1UGS0 98 - 8 gif0 10.40.65/24link#4UC 00 - 4 vether0 71.223.156.37 206.125.169.97 UGHS 0 201 - 8 em0 127/8 127.0.0.1 UGRS 00 33160 8 lo0 127.0.0.1 127.0.0.1 UH 12 33160 4 lo0 172.16.254.1 172.16.254.2 UH 2 91 - 4 gif0 206.125.169.96/29 link#1 UC 20 - 4 em0 206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -4 em0 206.125.169.98 52:54:00:27:26:22 UHLc 00- 4 lo0 224/4 127.0.0.1 URS00 33160 8 lo0 Thank you again, Matt
Re: Routing all traffic through IPSEC VPN
Matt S P?P8QP5Q:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working beautifully.
However, I would like the remote site to route all of its traffic through the
VPN. After googling, I seemed to come up with a suggestion to do a route change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of NAT
traversal on the VPN??
Hello.
Here is working config. I have two nets 15.0/24 and 16.0/24.
16.0/24 have default gateway to Internet.
between 15 and 16 setup IPSec.
from 15 for lucky boys I setup tunnel to any.
on router in 16 lucky boys go out with NAT.
===net 15.0=
ipsec.conf
remote_nets = { 192.168.16.0/24, 172.20.252.0/24}
nat_clients = { 192.168.15.10, 192.168.15.167, 192.168.15.170 }
flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1
ifconfig
rl0: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500
lladdr 00:02:44:56:39:04
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.15.6 netmask 0xff00 broadcast 192.168.15.255
vr0: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500
lladdr 00:13:d3:36:f5:ce
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.2 netmask 0xff00 broadcast 192.168.10.255
route -n show
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.10.1 UGS 5 5440 - 8 vr0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 4 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 vr0
192.168.10.1 00:d0:b7:60:5f:5c UHLc 3 1357436 - 4 vr0
192.168.15/24 link#1 UC 38 0 - 4 rl0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.167/32 0 0 192.168.10.1/esp/require/in
192.168.15.167/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.10/32 0 0 192.168.10.1/esp/require/in
192.168.15.10/32 0 default 0 0 192.168.10.1/esp/require/out
172.20.252/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 172.20.252/24 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out
net 16=
local_nets = { 172.20.252.0/24, 192.168.16.0/24 }
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 }
peer 192.168.10.2
esp from 192.168.10.1 to 192.168.10.2
fxp0: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500
lladdr 00:d0:b7:60:75:51
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.16.6 netmask 0xff00 broadcast 192.168.16.255
fxp1: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500
lladdr 00:d0:b7:60:5f:5c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
fxp2: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:d0:b7:60:5d:9c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.20.252.36 netmask 0xfff8 broadcast 172.20.252.39
inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:0d:88:45:68:aa
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.20.55 netmask 0xff00 broadcast 192.168.20.255
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.16.8 UGS 6 14997670 - 8 fxp0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 11204 33200 4 lo0
172.20.252.32/29 link#3 UC 1 0 - 4 fxp2
172.20.252.38 00:03:7e:00:73:40 UHLc 0 4831569 - 4 fxp2
192.168.10/24 link#2 UC 2 0 - 4 fxp1
192.168.10.1 00:d0:b7:60:5f:5c UHLc 0 4 - 4 lo0
192.168.10.2 00:13:d3:36:f5:ce UHLc 15 102190836 - 4 fxp1
192.168.15/24 192.168.10.2 UGS 0 119979 - 8 fxp1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15.167/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.167/32 0 0 192.168.10.2/esp/require/out
192.168.15.10/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.10/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 172.20.252/24 0 0 192.168.10.2/esp/require/in
172.20.252/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
host 192.168.16.8 doint
Re: Routing all traffic through IPSEC VPN
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through
the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of
NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are running.
Thanks,
Matt
Matt
did you put on the branch router a route like
route add A.B.C.D branch isp gateway ?
beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.
claudiu.
--
Claudiu Pruna clau...@net-go.net
Re: Routing all traffic through IPSEC VPN
Hi Claudiu:
Thank you for your reply. I did try your suggestion to do a route add
A.B.C.D.E
isp gateway and unfortunately it did not work so well. I lost connectivity
to
the branch altogether over the VPN. At least I have console access :) Once I
removed the route, I regained connectivity over the vpn. Perhaps, I can show
you the routing tables, if that will help?
Main
Internet:
DestinationGatewayFlags Refs Use Mtu Prio Iface
default phnx-dsl-gw55-247. UGS 19 1629401 - 8 tun0
10.40.60/24link#1 UC 20 - 4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 - 4 em0
10.40.60.5 link#1 UHLc 1 847 - 4 em0
10.40.65/24172.16.254.2 UG 0 22 -32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492 4 tun0
loopback localhost UGRS 00 33200 8 lo0
localhost localhost UH 0 60 33200 4 lo0
172.16.254.1/32172.16.254.2 UG 00 -32 gre0
172.16.254.2 172.16.254.1 UH 2 157 - 4 gre0
BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0
Branch
DestinationGatewayFlags Refs Use Mtu Prio Iface
default206.125.169.97 UGS311772 - 8 em0
10.40.60/24172.16.254.1 UG 1 50 -32 gre0
10.40.65/24link#4 UC 10 - 4 vether0
10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 - 4 lo0
loopback localhost UGRS 00 33160 8 lo0
localhost localhost UH 1 60 33160 4 lo0
172.16.254.1 172.16.254.2 UH 2 87 - 4 gre0
172.16.254.2/32172.16.254.1 UG 00 -32 gre0
206.125.169.96/29 link#1 UC 20 - 4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 - 4 em0
matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 - 4 lo0
BASE-ADDRESS.MCAST localhost URS00 33160 8 lo0
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through
the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of
NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are running.
Thanks,
Matt
Matt
did you put on the branch router a route like
route add A.B.C.D branch isp gateway ?
beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.
claudiu.
--
Claudiu Pruna clau...@net-go.net
Re: Routing all traffic through IPSEC VPN
On 12 April 2011 23:53, Matt S maschwa...@yahoo.com wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through
the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to
do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of
NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are
running.
Thanks,
Matt
I do that with openvpn.
You need to add a default route to the other vpn end (so that every
traffic goes through the tunnel)
Then you add a host route to the external address of the other way via
the local gateway (so that the tunnel will work).
Since host routes have priority over network routes, this works fine.
You obviously need to nat the incoming traffic from the tunnel to the
outside world.
Re: Routing all traffic through IPSEC VPN
Christiano:
Thanks for your help. So, if I am understanding correctly, I need to create
the
following routes on the branch office router (OpenBSD):
route change -net 0.0.0.0/0 172.16.254.2 #I tried using 10.40.60.1 as the
gateway and I got a network unreachable error
route add -host 172.16.254.2 A.B.C.D.E
My setup is using a GRE tunnel. I have the GRE Tunnel endpoints configured on
/30 subnet. There might be a gap in my understanding.
Thank you again,
Matt
On 12 April 2011 23:53, Matt S maschwa...@yahoo.com wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of
NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are running.
Thanks,
Matt
I do that with openvpn.
You need to add a default route to the other vpn end (so that every
traffic goes through the tunnel)
Then you add a host route to the external address of the other way via
the local gateway (so that the tunnel will work).
Since host routes have priority over network routes, this works fine.
You obviously need to nat the incoming traffic from the tunnel to the
outside world.
Re: Routing all traffic through IPSEC VPN
On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
Hi Claudiu:
Thank you for your reply. I did try your suggestion to do a route add
A.B.C.D.E isp gateway and unfortunately it did not work so well. I
lost connectivity to the branch altogether over the VPN. At least I
have console access :) Once I removed the route, I regained
connectivity over the vpn. Perhaps, I can show you the routing
tables, if that will help?
Main
Internet:
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default phnx-dsl-gw55-247. UGS 19 1629401 -
8 tun0
10.40.60/24link#1 UC 20 -
4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 -
4 em0
10.40.60.5 link#1 UHLc 1 847 -
4 em0
10.40.65/24172.16.254.2 UG 0 22 -
32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492
4 tun0
loopback localhost UGRS 00 33200
8 lo0
localhost localhost UH 0 60 33200
4 lo0
172.16.254.1/32172.16.254.2 UG 00 -
32 gre0
172.16.254.2 172.16.254.1 UH 2 157 -
4 gre0
BASE-ADDRESS.MCAST localhost URS00 33200
8 lo0
Branch
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default206.125.169.97 UGS311772 -
8 em0
10.40.60/24172.16.254.1 UG 1 50 -
32 gre0
10.40.65/24link#4 UC 10 -
4 vether0
10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 -
4 lo0
loopback localhost UGRS 00 33160
8 lo0
localhost localhost UH 1 60 33160
4 lo0
172.16.254.1 172.16.254.2 UH 2 87 -
4 gre0
172.16.254.2/32172.16.254.1 UG 00 -
32 gre0
206.125.169.96/29 link#1 UC 20 -
4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -
4 em0
matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 -
4 lo0
BASE-ADDRESS.MCAST localhost URS00 33160
8 lo0
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic
through the
VPN. After googling, I seemed to come up with a suggestion to do a
route change
-net 0.0.0.0/0 gateway which didn't work well. I think it might
have to do
with NAT. The main office is doing the NAT. Perhaps I need to some
sort of NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https}
rdr-to 127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are
running.
Thanks,
Matt
Matt
did you put on the branch router a route like
route add A.B.C.D branch isp gateway ?
beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.
claudiu.
--
Claudiu Pruna clau...@net-go.net
supposing, as I understood, yhay you want to route ALL the branch's
Re: Routing all traffic through IPSEC VPN
Thank you for all of the help. I am effectively giving up on doing it this
way. OpenVPN seems to have facilities to make it easier to achieve what I want
to do. I appreciate all of the time and effort spent.
On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
Hi Claudiu:
Thank you for your reply. I did try your suggestion to do a route add
A.B.C.D.E isp gateway and unfortunately it did not work so well. I
lost connectivity to the branch altogether over the VPN. At least I
have console access :) Once I removed the route, I regained
connectivity over the vpn. Perhaps, I can show you the routing
tables, if that will help?
Main
Internet:
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default phnx-dsl-gw55-247. UGS 19 1629401 -
8 tun0
10.40.60/24link#1 UC 20 -
4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 -
4 em0
10.40.60.5 link#1 UHLc 1 847 -
4 em0
10.40.65/24172.16.254.2 UG 0 22 -
32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492
4 tun0
loopback localhost UGRS 00 33200
8 lo0
localhost localhost UH 0 60 33200
4 lo0
172.16.254.1/32172.16.254.2 UG 00 -
32 gre0
172.16.254.2 172.16.254.1 UH 2 157 -
4 gre0
BASE-ADDRESS.MCAST localhost URS00 33200
8 lo0
Branch
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default206.125.169.97 UGS311772 -
8 em0
10.40.60/24172.16.254.1 UG 1 50 -
32 gre0
10.40.65/24link#4 UC 10 -
4 vether0
10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 -
4 lo0
loopback localhost UGRS 00 33160
8 lo0
localhost localhost UH 1 60 33160
4 lo0
172.16.254.1 172.16.254.2 UH 2 87 -
4 gre0
172.16.254.2/32172.16.254.1 UG 00 -
32 gre0
206.125.169.96/29 link#1 UC 20 -
4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -
4 em0
matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 -
4 lo0
BASE-ADDRESS.MCAST localhost URS00 33160
8 lo0
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic
through the
VPN. After googling, I seemed to come up with a suggestion to do a
route change
-net 0.0.0.0/0 gateway which didn't work well. I think it might
have to do
with NAT. The main office is doing the NAT. Perhaps I need to some
sort of NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https}
rdr-to 127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are
running.
Thanks,
Matt
Matt
did you put on the branch router a route like
route add A.B.C.D branch isp gateway ?
beware that if you issue just route add default 172.16.254.1 then your
router will
Re: Routing all traffic through IPSEC VPN
On Wed, Apr 13, 2011 at 02:53:29PM -0700, Matt S wrote:
Thank you for all of the help. I am effectively giving up on doing it this
way. OpenVPN seems to have facilities to make it easier to achieve what I
want
to do. I appreciate all of the time and effort spent.
There should be no difference in using OpenVPN or IPSEC, your problem is not
related to that. I'll try this again.
1. Make the VPN
2. Add a host route to the other-end external address through the local gateway.
3. Add the default gateway as the other-end VPN address.
So your tunnel will be able to reach the other side (the external host route).
Sorry but I'm a bit busy to understand your setup.
I'm sending you a script which does that.
On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
Hi Claudiu:
Thank you for your reply. I did try your suggestion to do a route add
A.B.C.D.E isp gateway and unfortunately it did not work so well. I
lost connectivity to the branch altogether over the VPN. At least I
have console access :) Once I removed the route, I regained
connectivity over the vpn. Perhaps, I can show you the routing
tables, if that will help?
Main
Internet:
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default phnx-dsl-gw55-247. UGS 19 1629401 -
8 tun0
10.40.60/24link#1 UC 20 -
4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 -
4 em0
10.40.60.5 link#1 UHLc 1 847 -
4 em0
10.40.65/24172.16.254.2 UG 0 22 -
32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492
4 tun0
loopback localhost UGRS 00 33200
8 lo0
localhost localhost UH 0 60 33200
4 lo0
172.16.254.1/32172.16.254.2 UG 00 -
32 gre0
172.16.254.2 172.16.254.1 UH 2 157 -
4 gre0
BASE-ADDRESS.MCAST localhost URS00 33200
8 lo0
Branch
DestinationGatewayFlags Refs Use Mtu
Prio Iface
default206.125.169.97 UGS311772 -
8 em0
10.40.60/24172.16.254.1 UG 1 50 -
32 gre0
10.40.65/24link#4 UC 10 -
4 vether0
10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 -
4 lo0
loopback localhost UGRS 00 33160
8 lo0
localhost localhost UH 1 60 33160
4 lo0
172.16.254.1 172.16.254.2 UH 2 87 -
4 gre0
172.16.254.2/32172.16.254.1 UG 00 -
32 gre0
206.125.169.96/29 link#1 UC 20 -
4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -
4 em0
matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 -
4 lo0
BASE-ADDRESS.MCAST localhost URS00 33160
8 lo0
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic
through the
VPN. After googling, I seemed to come up with a suggestion to do a
route change
-net 0.0.0.0/0 gateway which didn't work well. I think it might
have to do
with NAT. The main office is doing the NAT. Perhaps I need to some
sort of NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https}
rdr-to 127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to
10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
Routing all traffic through IPSEC VPN
Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully.
However, I would like the remote site to route all of its traffic through the
VPN. After googling, I seemed to come up with a suggestion to do a route
change
-net 0.0.0.0/0 gateway which didn't work well. I think it might have to do
with NAT. The main office is doing the NAT. Perhaps I need to some sort of
NAT
traversal on the VPN??
Here is my setup:
--Main Office--
cat /etc/ipsec.conf:
me=A.B.C.D
mypeer=E.F.G.H
mypsk=mypsk
ike passive esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
cat /etc/pf.conf:
set skip on {lo, gre0, enc0}
anchor ftp-proxy/*
block in log all
pass out all
antispoof for tun0
table bruteforce persist
table trustednets {10.40.60.0/24, 10.40.65.0/24}
match out on tun0 from trustednets to any nat-to (tun0)
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to
127.0.0.1
port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from bruteforce
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state
(max-src-conn
6, max-src-conn-rate 3/1, overload bruteforce flush global) rdr-to 10.40.60.1
pass on em0 from trustednets to any
--Branch Office--
cat /etc/ipsec.conf:
me=E.F.G.H
mypeer=A.B.C.D
mypsk=mypsk
ike esp from $me to $mypeer peer $mypeer \
main auth hmac-sha1 enc 3des group modp1024 \
srcid $me dstid $mypeer \
psk $mypsk
cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
Firewall disabled for now - nothing other than sshd and isakmpd are running.
Thanks,
Matt
