Routing all traffic through IPSEC VPN
Hello @misc,

I seem to still be having some problems, but I have made progress. The branch
office cannot get out to the internet at large, which I think may be a NAT
problem. At least, when changing the default route on the branch office, I
don't lose connectivity to it. On the branch office, the routing tables don't
display unless I use netstat -rn -f inet. I also cannot traceroute. Kindly
advise what pf rules and additional static routing is appropriate.

--Main Office--
# The main office has a PPPoE connection to the internet

cat /etc/pf.conf:
pass all
match out on tun0 from 10.40.60.0 to any nat-to (tun0)

cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.255 172.16.254.2 link0 up
tunnel hq.valleybusinesssolutions.us vps.valleybusinesssolutions.us

route add -net 10.40.65.0/24

netstat -r:
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default phnx-dsl-gw55-247. UGS345750 - 8 tun0
10.40.60/24 link#1 UC 10 - 4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 225728 - 4 em0
10.40.65/24 172.16.254.2 UGS0 110 - 8 gif0
phnx-dsl-gw55-247. 71-223-156-37.phnx UH 18 1492 4 tun0
loopback localhost UGRS 00 33200 8 lo0
localhost localhost UH 00 33200 4 lo0
172.16.254.2 172.16.254.1 UH 1 68 - 4 gif0
BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0

--Branch Office--
# The branch office has a cable-based internet connection

cat /etc/pf.conf:
pass all
match out on em0 from 10.40.65.0 to any nat-to(em0)

cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.255 172.16.254.1 link0 up
tunnel vps.valleybusinesssolutions.us hq.valleybusinesssolutions.us

route add -host hq.valleybusinesssolutions.us 206.125.169.97
#206.125.169.97 is the ISP's gateway
route change default 172.16.254.1

netstat -rn -finet
Destination Gateway Flags Refs Use Mtu Prio Iface
default 172.16.254.1 UGS0 98 - 8 gif0
10.40.65/24 link#4 UC 00 - 4 vether0
71.223.156.37 206.125.169.97 UGHS 0 201 - 8 em0
127/8 127.0.0.1 UGRS 00 33160 8 lo0
127.0.0.1 127.0.0.1 UH 12 33160 4 lo0
172.16.254.1 172.16.254.2 UH 2 91 - 4 gif0
206.125.169.96/29 link#1 UC 20 - 4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 -4 em0
206.125.169.98 52:54:00:27:26:22 UHLc 00- 4 lo0
224/4 127.0.0.1 URS00 33160 8 lo0

Thank you again,
Matt
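On the NAT side that the message above suspects: in pf.conf an address written without a prefix length is a single host, so a rule with `from 10.40.60.0` translates only packets whose source is the host 10.40.60.0, and once the branch's default route points into the tunnel, packets from 10.40.65.0/24 also leave through the main office's tun0 and need translation there too. The fragment below is an added example, not the poster's own pf.conf; the macro name vpn_nets is my choice, and the weak rule is kept as a comment beside the corrected one.

```pf
# Main office /etc/pf.conf, NAT section only (added example, not the poster's file)

# Weak: a bare address is one host in pf, and the branch network is absent,
# so nothing from 10.40.65.0/24 is translated when it exits tun0.
# match out on tun0 from 10.40.60.0 to any nat-to (tun0)

# Corrected: translate both office networks as they leave the PPPoE interface.
# (tun0) in parentheses tracks the interface address across PPPoE reconnects.
vpn_nets = "{ 10.40.60.0/24, 10.40.65.0/24 }"
match out on tun0 inet from $vpn_nets to any nat-to (tun0)
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm translation with `pfctl -ss`: a branch-sourced connection to an internet host should show up as a state whose outside address is the tun0 address rather than 10.40.65.x.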
Re: Routing all traffic through IPSEC VPN
Matt S wrote:
> Hello @misc: I am up against a stumper. I have a Site-to-Site IPSEC VPN
> working beautifully. However, I would like the remote site to route all of
> its traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 which didn't work well. I
> think it might have to do with NAT. The main office is doing the NAT.
> Perhaps I need to some sort of NAT traversal on the VPN??

Hello. Here is a working config. I have two nets, 15.0/24 and 16.0/24.
16.0/24 has the default gateway to the Internet. Between 15 and 16 I set up
IPSec. From 15, for the lucky boys, I set up a tunnel to any. On the router in
16 the lucky boys go out with NAT.

=== net 15.0 ===
ipsec.conf
remote_nets = "{ 192.168.16.0/24, 172.20.252.0/24}"
nat_clients = "{ 192.168.15.10, 192.168.15.167, 192.168.15.170 }"

flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1

ifconfig
rl0: flags=28843 mtu 1500
        lladdr 00:02:44:56:39:04
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.15.6 netmask 0xff00 broadcast 192.168.15.255
vr0: flags=28843 mtu 1500
        lladdr 00:13:d3:36:f5:ce
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.2 netmask 0xff00 broadcast 192.168.10.255

route -n show
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.10.1 UGS 5 5440 - 8 vr0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 4 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 vr0
192.168.10.1 00:d0:b7:60:5f:5c UHLc 3 1357436 - 4 vr0
192.168.15/24 link#1 UC 38 0 - 4 rl0

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.167/32 0 0 192.168.10.1/esp/require/in
192.168.15.167/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.10/32 0 0 192.168.10.1/esp/require/in
192.168.15.10/32 0 default 0 0 192.168.10.1/esp/require/out
172.20.252/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 172.20.252/24 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out

=== net 16 ===
local_nets = "{ 172.20.252.0/24, 192.168.16.0/24 }"
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 } peer 192.168.10.2
esp from 192.168.10.1 to 192.168.10.2

fxp0: flags=28843 mtu 1500
        lladdr 00:d0:b7:60:75:51
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.16.6 netmask 0xff00 broadcast 192.168.16.255
fxp1: flags=28843 mtu 1500
        lladdr 00:d0:b7:60:5f:5c
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
fxp2: flags=8843 mtu 1500
        lladdr 00:d0:b7:60:5d:9c
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.20.252.36 netmask 0xfff8 broadcast 172.20.252.39
        inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843 mtu 1500
        lladdr 00:0d:88:45:68:aa
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.20.55 netmask 0xff00 broadcast 192.168.20.255

Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.16.8 UGS 6 14997670 - 8 fxp0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 11204 33200 4 lo0
172.20.252.32/29 link#3 UC 1 0 - 4 fxp2
172.20.252.38 00:03:7e:00:73:40 UHLc 0 4831569 - 4 fxp2
192.168.10/24 link#2 UC 2 0 - 4 fxp1
192.168.10.1 00:d0:b7:60:5f:5c UHLc 0 4 - 4 lo0
192.168.10.2 00:13:d3:36:f5:ce UHLc 15 102190836 - 4 fxp1
192.168.15/24 192.168.10.2 UGS 0 119979 - 8 fxp1

Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15.167/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.167/32 0 0 192.168.10.2/esp/require/out
192.168.15.10/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.10/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 172.20.252/24 0 0 192.168.10.2/esp/require/in
172.20.252/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out

host 192.168.16.8 doing NAT for lucky boys

from 15.0/24:
tracert mail.ru
traceroute to mail.ru (94.100.191.204), 30 hops max, 40 byte packets
 1  192.168.15.6 (192.168.15.6)  0.518 ms  0.475 ms  0.462 ms
 2  192.168.10.1 (192.168.10.1)  3.331 ms  3.368 ms  3.357 ms
 3  * * *
 4  * * *
 5  * * *
 6  * *
Re: Routing all traffic through IPSEC VPN
On Wed, Apr 13, 2011 at 02:53:29PM -0700, Matt S wrote:
> Thank you for all of the help. I am effectively giving up on doing it this
> way. OpenVPN seems to have facilities to make it easier to achieve what I
> want to do. I appreciate all of the time and effort spent.
>

There should be no difference in using OpenVPN or IPSEC; your problem is not
related to that. I'll try this again.

1. Make the VPN.
2. Add a host route to the other-end external address through the local gateway.
3. Add the default gateway as the other-end VPN address.

So your tunnel will be able to reach the other side (the external host route).

Sorry, but I'm a bit busy to understand your setup. I'm sending you a script
which does that.

> On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> > Hi Claudiu:
> >
> > Thank you for your reply. I did try your suggestion to do a route add
> > A.B.C.D.E and unfortunately it did not work so well. I lost connectivity
> > to the branch altogether over the VPN. At least I have console access :)
> > Once I removed the route, I regained connectivity over the vpn. Perhaps,
> > I can show you the routing tables, if that will help?
> >
> > Main
> > Internet:
> > Destination Gateway Flags Refs Use Mtu Prio Iface
> > default phnx-dsl-gw55-247. UGS 19 1629401 - 8 tun0
> > 10.40.60/24 link#1 UC 20 - 4 em0
> > 10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 - 4 em0
> > 10.40.60.5 link#1 UHLc 1 847 - 4 em0
> > 10.40.65/24 172.16.254.2 UG 0 22 - 32 gre0
> > phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492 4 tun0
> > loopback localhost UGRS 00 33200 8 lo0
> > localhost localhost UH 0 60 33200 4 lo0
> > 172.16.254.1/32 172.16.254.2 UG 00 - 32 gre0
> > 172.16.254.2 172.16.254.1 UH 2 157 - 4 gre0
> > BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0
> >
> > Branch
> > Destination Gateway Flags Refs Use Mtu Prio Iface
> > default 206.125.169.97 UGS311772 - 8 em0
> > 10.40.60/24 172.16.254.1 UG 1 50 - 32 gre0
> > 10.40.65/24 link#4 UC 10 - 4 vether0
> > 10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 - 4 lo0
> > loopback localhost UGRS 00 33160 8 lo0
> > localhost localhost UH 1 60 33160 4 lo0
> > 172.16.254.1 172.16.254.2 UH 2 87 - 4 gre0
> > 172.16.254.2/32 172.16.254.1 UG 00 - 32 gre0
> > 206.125.169.96/29 link#1 UC 20 - 4 em0
> > 206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 - 4 em0
> > matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 - 4 lo0
> > BASE-ADDRESS.MCAST localhost URS00 33160 8 lo0
> >
> > On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > > Hello @misc:
> > >
> > > I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> > > beautifully. However, I would like the remote site to route all of its
> > > traffic through the VPN. After googling, I seemed to come up with a
> > > suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> > > I think it might have to do with NAT. The main office is doing the NAT.
> > > Perhaps I need to some sort of NAT traversal on the VPN??
> > >
> > > Here is my setup:
> > >
> > > --Main Office--
> > > cat /etc/ipsec.conf:
> > > me="A.B.C.D"
> > > mypeer="E.F.G.H"
> > > mypsk="mypsk"
> > >
> > > ike passive esp from $me to $mypeer peer $mypeer \
> > >     main auth hmac-sha1 enc 3des group modp1024 \
> > >     srcid $me dstid $mypeer \
> > >     psk $mypsk
> > >
> > > cat /etc/hostname.gre0:
> > > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > > tunnel A.B.C.D E.F.G.H
> > > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> > >
> > > cat /etc/pf.conf:
> > > set skip on {lo, gre0, enc0}
> > >
> > > anchor "ftp-proxy/*"
> > >
> > > block in log all
> > > pass out all
> > >
> > > antispoof for tun0
> > > table persist
> > > table {10.40.60.0/24, 10.40.65.0/24}
> > >
> > > match out on tun0 from to any nat-to (tun0)
> > >
> > > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> > > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > > block log quick from
> > > pass inet proto icmp all icmp-type {echoreq, unreach}
> > > pass in
Re: Routing all traffic through IPSEC VPN
Thank you for all of the help. I am effectively giving up on doing it this
way. OpenVPN seems to have facilities to make it easier to achieve what I want
to do. I appreciate all of the time and effort spent.

On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> Hi Claudiu:
>
> Thank you for your reply. I did try your suggestion to do a route add
> A.B.C.D.E and unfortunately it did not work so well. I lost connectivity
> to the branch altogether over the VPN. At least I have console access :)
> Once I removed the route, I regained connectivity over the vpn. Perhaps,
> I can show you the routing tables, if that will help?
>
> Main
> Internet:
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default phnx-dsl-gw55-247. UGS 19 1629401 - 8 tun0
> 10.40.60/24 link#1 UC 20 - 4 em0
> 10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 - 4 em0
> 10.40.60.5 link#1 UHLc 1 847 - 4 em0
> 10.40.65/24 172.16.254.2 UG 0 22 - 32 gre0
> phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492 4 tun0
> loopback localhost UGRS 00 33200 8 lo0
> localhost localhost UH 0 60 33200 4 lo0
> 172.16.254.1/32 172.16.254.2 UG 00 - 32 gre0
> 172.16.254.2 172.16.254.1 UH 2 157 - 4 gre0
> BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0
>
> Branch
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default 206.125.169.97 UGS311772 - 8 em0
> 10.40.60/24 172.16.254.1 UG 1 50 - 32 gre0
> 10.40.65/24 link#4 UC 10 - 4 vether0
> 10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 - 4 lo0
> loopback localhost UGRS 00 33160 8 lo0
> localhost localhost UH 1 60 33160 4 lo0
> 172.16.254.1 172.16.254.2 UH 2 87 - 4 gre0
> 172.16.254.2/32 172.16.254.1 UG 00 - 32 gre0
> 206.125.169.96/29 link#1 UC 20 - 4 em0
> 206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 - 4 em0
> matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 - 4 lo0
> BASE-ADDRESS.MCAST localhost URS00 33160 8 lo0
>
> > On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @misc:
> >
> > I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> > beautifully. However, I would like the remote site to route all of its
> > traffic through the VPN. After googling, I seemed to come up with a
> > suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> > I think it might have to do with NAT. The main office is doing the NAT.
> > Perhaps I need to some sort of NAT traversal on the VPN??
> >
> > Here is my setup:
> >
> > --Main Office--
> > cat /etc/ipsec.conf:
> > me="A.B.C.D"
> > mypeer="E.F.G.H"
> > mypsk="mypsk"
> >
> > ike passive esp from $me to $mypeer peer $mypeer \
> >     main auth hmac-sha1 enc 3des group modp1024 \
> >     srcid $me dstid $mypeer \
> >     psk $mypsk
> >
> > cat /etc/hostname.gre0:
> > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > tunnel A.B.C.D E.F.G.H
> > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> >
> > cat /etc/pf.conf:
> > set skip on {lo, gre0, enc0}
> >
> > anchor "ftp-proxy/*"
> >
> > block in log all
> > pass out all
> >
> > antispoof for tun0
> > table persist
> > table {10.40.60.0/24, 10.40.65.0/24}
> >
> > match out on tun0 from to any nat-to (tun0)
> >
> > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > block log quick from
> > pass inet proto icmp all icmp-type {echoreq, unreach}
> > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> > pass on em0 from to any
> >
> > --Branch Office--
> > cat /etc/ipsec.conf:
> > me="E.F.G.H"
> > mypeer="A.B.C.D"
> > mypsk="mypsk"
> >
> > ike esp from $me to $mypeer peer $mypeer \
> >     main auth hmac-sha1 enc 3des group modp1024 \
> >     srcid $me dstid $mypeer \
> >     psk $mypsk
> >
> > cat /etc/hostname.gre0:
> > inet 172.16.254.2 255.255.255.252 172.16.254.1
> > tunnel E.F.G.H A.B.C.D
> > !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> >
> > Firewall disabled for now - nothing other than sshd and isakmpd are running.
> >
> > Thanks,
> > Matt
> >
> > Matt
> > did you put o
Re: Routing all traffic through IPSEC VPN
On Wed, 2011-04-13 at 07:34 -0700, Matt S wrote:
> Hi Claudiu:
>
> Thank you for your reply. I did try your suggestion to do a route add
> A.B.C.D.E and unfortunately it did not work so well. I lost connectivity
> to the branch altogether over the VPN. At least I have console access :)
> Once I removed the route, I regained connectivity over the vpn. Perhaps,
> I can show you the routing tables, if that will help?
>
> Main
> Internet:
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default phnx-dsl-gw55-247. UGS 19 1629401 - 8 tun0
> 10.40.60/24 link#1 UC 20 - 4 em0
> 10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 - 4 em0
> 10.40.60.5 link#1 UHLc 1 847 - 4 em0
> 10.40.65/24 172.16.254.2 UG 0 22 - 32 gre0
> phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492 4 tun0
> loopback localhost UGRS 00 33200 8 lo0
> localhost localhost UH 0 60 33200 4 lo0
> 172.16.254.1/32 172.16.254.2 UG 00 - 32 gre0
> 172.16.254.2 172.16.254.1 UH 2 157 - 4 gre0
> BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0
>
> Branch
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default 206.125.169.97 UGS311772 - 8 em0
> 10.40.60/24 172.16.254.1 UG 1 50 - 32 gre0
> 10.40.65/24 link#4 UC 10 - 4 vether0
> 10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 - 4 lo0
> loopback localhost UGRS 00 33160 8 lo0
> localhost localhost UH 1 60 33160 4 lo0
> 172.16.254.1 172.16.254.2 UH 2 87 - 4 gre0
> 172.16.254.2/32 172.16.254.1 UG 00 - 32 gre0
> 206.125.169.96/29 link#1 UC 20 - 4 em0
> 206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 - 4 em0
> matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 - 4 lo0
> BASE-ADDRESS.MCAST localhost URS00 33160 8 lo0
>
> > On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> > Hello @misc:
> >
> > I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> > beautifully. However, I would like the remote site to route all of its
> > traffic through the VPN. After googling, I seemed to come up with a
> > suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> > I think it might have to do with NAT. The main office is doing the NAT.
> > Perhaps I need to some sort of NAT traversal on the VPN??
> >
> > Here is my setup:
> >
> > --Main Office--
> > cat /etc/ipsec.conf:
> > me="A.B.C.D"
> > mypeer="E.F.G.H"
> > mypsk="mypsk"
> >
> > ike passive esp from $me to $mypeer peer $mypeer \
> >     main auth hmac-sha1 enc 3des group modp1024 \
> >     srcid $me dstid $mypeer \
> >     psk $mypsk
> >
> > cat /etc/hostname.gre0:
> > inet 172.16.254.1 255.255.255.252 172.16.254.2
> > tunnel A.B.C.D E.F.G.H
> > !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
> >
> > cat /etc/pf.conf:
> > set skip on {lo, gre0, enc0}
> >
> > anchor "ftp-proxy/*"
> >
> > block in log all
> > pass out all
> >
> > antispoof for tun0
> > table persist
> > table {10.40.60.0/24, 10.40.65.0/24}
> >
> > match out on tun0 from to any nat-to (tun0)
> >
> > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> > pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> > block log quick from
> > pass inet proto icmp all icmp-type {echoreq, unreach}
> > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> > pass on em0 from to any
> >
> > --Branch Office--
> > cat /etc/ipsec.conf:
> > me="E.F.G.H"
> > mypeer="A.B.C.D"
> > mypsk="mypsk"
> >
> > ike esp from $me to $mypeer peer $mypeer \
> >     main auth hmac-sha1 enc 3des group modp1024 \
> >     srcid $me dstid $mypeer \
> >     psk $mypsk
> >
> > cat /etc/hostname.gre0:
> > inet 172.16.254.2 255.255.255.252 172.16.254.1
> > tunnel E.F.G.H A.B.C.D
> > !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
> >
> > Firewall disabled for now - nothing other than sshd and isakmpd are running.
> >
> > Thanks,
> > Matt
> >
> > Matt
> > did you put on the branch router a route like
> > route add A.B.C.D ?
> >
> > beware that if you issue just route add default 172.16.254.1 then your
> > router will tend to also route the vpn traffic through your tunnel, so
> > you get
Re: Routing all traffic through IPSEC VPN
Christiano:

Thanks for your help. So, if I am understanding correctly, I need to create the
following routes on the branch office router (OpenBSD):

route change -net 0.0.0.0/0 172.16.254.2
#I tried using 10.40.60.1 as the gateway and I got a network unreachable error
route add -host 172.16.254.2 A.B.C.D.E

My setup is using a GRE tunnel. I have the GRE Tunnel endpoints configured on a
/30 subnet. There might be a gap in my understanding.

Thank you again,
Matt

On 12 April 2011 23:53, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> I think it might have to do with NAT. The main office is doing the NAT.
> Perhaps I need to some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table persist
> table {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> pass on em0 from to any
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>
> I do that with openvpn. You need to add a default route to the other vpn end
> (so that all traffic goes through the tunnel). Then you add a host route to
> the external address of the other way via the local gateway (so that the
> tunnel will work). Since host routes have priority over network routes, this
> works fine. You obviously need to nat the incoming traffic from the tunnel to
> the outside world.
Re: Routing all traffic through IPSEC VPN
On 12 April 2011 23:53, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> I think it might have to do with NAT. The main office is doing the NAT.
> Perhaps I need to some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table persist
> table {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> pass on em0 from to any
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt

I do that with openvpn. You need to add a default route to the other vpn end
(so that all traffic goes through the tunnel). Then you add a host route to
the external address of the other way via the local gateway (so that the
tunnel will work). Since host routes have priority over network routes, this
works fine. You obviously need to nat the incoming traffic from the tunnel to
the outside world.
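The route selection that the reply above and Claudiu's three steps (VPN first, then a host route to the peer's external address via the local gateway, then the default route into the tunnel) depend on, and the failure Claudiu warns about when the host route is missing, as an added example that is not from the thread. It simulates longest-prefix matching over a constructed routing table modelled on the branch office's, using the thread's addresses (172.16.254.1 as tunnel peer, 206.125.169.97 as ISP gateway, 71.223.156.37 as the main office's external address); the table text, the parser and the trace function are my constructions, not OpenBSD's route(8) logic.

```python
import ipaddress

# Constructed routing tables modelled on the branch office's netstat output in the
# thread; columns are destination, gateway, interface. "default" is 0.0.0.0/0.
WITHOUT_HOST_ROUTE = """
default 172.16.254.1 gif0
10.40.65.0/24 link#4 vether0
206.125.169.96/29 link#1 em0
172.16.254.1/32 172.16.254.2 gif0
"""

# Same table plus Claudiu's step 2: a /32 to the peer's external address via the ISP gateway.
WITH_HOST_ROUTE = WITHOUT_HOST_ROUTE + "71.223.156.37/32 206.125.169.97 em0\n"

PEER_EXTERNAL = "71.223.156.37"   # main office public address, as in the thread
TUNNEL_IFACE = "gif0"             # the interface the default route points into


def parse_table(text):
    """Turn the three-column text above into (network, gateway, iface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, gateway, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: a /32 host route beats a /24, and both beat the default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def trace(routes, dst, max_hops=5):
    """Simulate forwarding. When a packet is routed into the tunnel, the kernel
    must next route the encapsulated outer packet to the tunnel peer's external
    address; if that lookup also lands in the tunnel, the tunnel swallows its
    own traffic. Returns the list of lookups and a status string."""
    hops = []
    current = dst
    for _ in range(max_hops):
        route = lookup(routes, current)
        if route is None:
            return hops, "unreachable"
        net, gateway, iface = route
        hops.append((current, str(net), iface))
        if iface != TUNNEL_IFACE:
            return hops, "out " + iface
        current = PEER_EXTERNAL   # outer packet now needs a path to the peer
    return hops, "loop"


if __name__ == "__main__":
    for label, table in (("without host route", WITHOUT_HOST_ROUTE),
                         ("with host route", WITH_HOST_ROUTE)):
        hops, status = trace(parse_table(table), "8.8.8.8")
        print(label + ":", status)
        for current, net, iface in hops:
            print("   ", current, "->", net, "via", iface)
```

Run without the host route, a packet for 8.8.8.8 is sent into gif0, the encapsulated packet for 71.223.156.37 is again sent into gif0, and so on: that is the "route the vpn traffic through your tunnel" condition. With the /32 in place the second lookup wins on prefix length and the outer packet leaves em0 toward the ISP gateway, which is why step 2 must precede step 3 on a box you only reach over the tunnel.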
Re: Routing all traffic through IPSEC VPN
Hi Claudiu:

Thank you for your reply. I did try your suggestion to do a route add
A.B.C.D.E and unfortunately it did not work so well. I lost connectivity to
the branch altogether over the VPN. At least I have console access :) Once I
removed the route, I regained connectivity over the vpn. Perhaps, I can show
you the routing tables, if that will help?

Main
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default phnx-dsl-gw55-247. UGS 19 1629401 - 8 tun0
10.40.60/24 link#1 UC 20 - 4 em0
10.40.60.3 00:24:2c:07:d4:d0 UHLc 1 3217 - 4 em0
10.40.60.5 link#1 UHLc 1 847 - 4 em0
10.40.65/24 172.16.254.2 UG 0 22 - 32 gre0
phnx-dsl-gw55-247. 71-223-148-144.phn UH 1 12 1492 4 tun0
loopback localhost UGRS 00 33200 8 lo0
localhost localhost UH 0 60 33200 4 lo0
172.16.254.1/32 172.16.254.2 UG 00 - 32 gre0
172.16.254.2 172.16.254.1 UH 2 157 - 4 gre0
BASE-ADDRESS.MCAST localhost URS00 33200 8 lo0

Branch
Destination Gateway Flags Refs Use Mtu Prio Iface
default 206.125.169.97 UGS311772 - 8 em0
10.40.60/24 172.16.254.1 UG 1 50 - 32 gre0
10.40.65/24 link#4 UC 10 - 4 vether0
10.40.65.1 fe:e1:ba:d0:da:7e UHLc 04 - 4 lo0
loopback localhost UGRS 00 33160 8 lo0
localhost localhost UH 1 60 33160 4 lo0
172.16.254.1 172.16.254.2 UH 2 87 - 4 gre0
172.16.254.2/32 172.16.254.1 UG 00 - 32 gre0
206.125.169.96/29 link#1 UC 20 - 4 em0
206.125.169.97 00:0d:65:ab:c8:bf UHLc 10 - 4 em0
matthew-schwartz.c 52:54:00:27:26:22 UHLc 00 - 4 lo0
BASE-ADDRESS.MCAST localhost URS00 33160 8 lo0

On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> I think it might have to do with NAT. The main office is doing the NAT.
> Perhaps I need to some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table persist
> table {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> pass on em0 from to any
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt
>
> Matt
> did you put on the branch router a route like
> route add A.B.C.D ?
>
> beware that if you issue just route add default 172.16.254.1 then your
> router will tend to also route the vpn traffic through your tunnel, so
> you get a race condition.
>
> claudiu.
> --
> Claudiu Pruna
Re: Routing all traffic through IPSEC VPN
On Tue, 2011-04-12 at 19:53 -0700, Matt S wrote:
> Hello @misc:
>
> I am up against a stumper. I have a Site-to-Site IPSEC VPN working
> beautifully. However, I would like the remote site to route all of its
> traffic through the VPN. After googling, I seemed to come up with a
> suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
> I think it might have to do with NAT. The main office is doing the NAT.
> Perhaps I need to some sort of NAT traversal on the VPN??
>
> Here is my setup:
>
> --Main Office--
> cat /etc/ipsec.conf:
> me="A.B.C.D"
> mypeer="E.F.G.H"
> mypsk="mypsk"
>
> ike passive esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.1 255.255.255.252 172.16.254.2
> tunnel A.B.C.D E.F.G.H
> !route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2
>
> cat /etc/pf.conf:
> set skip on {lo, gre0, enc0}
>
> anchor "ftp-proxy/*"
>
> block in log all
> pass out all
>
> antispoof for tun0
> table persist
> table {10.40.60.0/24, 10.40.65.0/24}
>
> match out on tun0 from to any nat-to (tun0)
>
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
> pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
> block log quick from
> pass inet proto icmp all icmp-type {echoreq, unreach}
> pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
> pass on em0 from to any
>
> --Branch Office--
> cat /etc/ipsec.conf:
> me="E.F.G.H"
> mypeer="A.B.C.D"
> mypsk="mypsk"
>
> ike esp from $me to $mypeer peer $mypeer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     srcid $me dstid $mypeer \
>     psk $mypsk
>
> cat /etc/hostname.gre0:
> inet 172.16.254.2 255.255.255.252 172.16.254.1
> tunnel E.F.G.H A.B.C.D
> !route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1
>
> Firewall disabled for now - nothing other than sshd and isakmpd are running.
>
> Thanks,
> Matt

Matt
did you put on the branch router a route like
route add A.B.C.D ?

beware that if you issue just route add default 172.16.254.1 then your
router will tend to also route the vpn traffic through your tunnel, so
you get a race condition.

claudiu.
--
Claudiu Pruna
Routing all traffic through IPSEC VPN
Hello @misc:

I am up against a stumper. I have a Site-to-Site IPSEC VPN working
beautifully. However, I would like the remote site to route all of its
traffic through the VPN. After googling, I seemed to come up with a
suggestion to do a route change -net 0.0.0.0/0 which didn't work well.
I think it might have to do with NAT. The main office is doing the NAT.
Perhaps I need to some sort of NAT traversal on the VPN??

Here is my setup:

--Main Office--
cat /etc/ipsec.conf:
me="A.B.C.D"
mypeer="E.F.G.H"
mypsk="mypsk"

ike passive esp from $me to $mypeer peer $mypeer \
    main auth hmac-sha1 enc 3des group modp1024 \
    srcid $me dstid $mypeer \
    psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.1 255.255.255.252 172.16.254.2
tunnel A.B.C.D E.F.G.H
!route add -net 10.40.65 -netmask 255.255.255.0 172.16.254.2

cat /etc/pf.conf:
set skip on {lo, gre0, enc0}

anchor "ftp-proxy/*"

block in log all
pass out all

antispoof for tun0
table persist
table {10.40.60.0/24, 10.40.65.0/24}

match out on tun0 from to any nat-to (tun0)

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
pass quick proto {gre, esp, tcp, udp} from E.F.G.H to (tun0)
block log quick from
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload flush global) rdr-to 10.40.60.1
pass on em0 from to any

--Branch Office--
cat /etc/ipsec.conf:
me="E.F.G.H"
mypeer="A.B.C.D"
mypsk="mypsk"

ike esp from $me to $mypeer peer $mypeer \
    main auth hmac-sha1 enc 3des group modp1024 \
    srcid $me dstid $mypeer \
    psk $mypsk

cat /etc/hostname.gre0:
inet 172.16.254.2 255.255.255.252 172.16.254.1
tunnel E.F.G.H A.B.C.D
!route add -net 10.40.60 -netmask 255.255.255.0 172.16.254.1

Firewall disabled for now - nothing other than sshd and isakmpd are running.

Thanks,
Matt