Re: Routing to host over IPsec
--- Quoting RW on 2007/04/30 at 16:52 +1000:

> Existing setup:
>
> Head Office: WAN IP = 165.x.y.z, LAN = 172.22.22.0/24, Extranet gateway = 10.x.y.1
> Branch Office: WAN IP = 150.x.y.z, LAN = 172.22.23.0/24
>
> IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is fine.
>
> My challenge is to get traffic to pass from a host on the Branch LAN over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1. If I could add a route entry that used the LAN IP of the H/O firewall life would be easy, but of course addresses that are only visible through IPsec don't appear in the routing table to be used as the next hop.
>
> Is there a way to do this using either route or pf or ipsec itself? Some other method? I have to be able to get traffic to several hosts on the extranet (and get the replies back!) and they are only reachable via the extranet gateway on the head office firewall.
>
> Cluestick, anybody?

Set up your flows appropriately on the branch ipsec gateway to get traffic over the tunnel and to the head office. On the HO endpoint, set up a normal route to push the traffic to the extranet gateway.

.joel
Re: Routing to host over IPsec
On Mon, 7 May 2007 23:01:15 -0600, Joel Knight wrote:

> --- Quoting RW on 2007/04/30 at 16:52 +1000:
>
> > Existing setup:
> >
> > Head Office: WAN IP = 165.x.y.z, LAN = 172.22.22.0/24, Extranet gateway = 10.x.y.1
> > Branch Office: WAN IP = 150.x.y.z, LAN = 172.22.23.0/24
> >
> > IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is fine.
> >
> > My challenge is to get traffic to pass from a host on the Branch LAN over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1. If I could add a route entry that used the LAN IP of the H/O firewall life would be easy, but of course addresses that are only visible through IPsec don't appear in the routing table to be used as the next hop.
> >
> > Is there a way to do this using either route or pf or ipsec itself? Some other method? I have to be able to get traffic to several hosts on the extranet (and get the replies back!) and they are only reachable via the extranet gateway on the head office firewall.
> >
> > Cluestick, anybody?
>
> Set up your flows appropriately on the branch ipsec gateway to get traffic over the tunnel and to the head office. On the HO endpoint, set up a normal route to push the traffic to the extranet gateway.

Thanx for replying.

For the record: all the flows needed to do FW-FW + LAN-FW + FW-LAN + LAN-LAN were already set up and working just fine. A route doesn't need to be added at HO to find the extranet, as it terminates on the firewall just as the tunnel did.

What solved it for me was to add a flow from the branch LAN to the extranet IP on the f/wall and vice versa. That is probably bleedin' obvious to IPsec gurus (which I ain't), but intuition said that I should be able to do it with some routing entries alone. Not so, it seems.

Rod/

Write a wise saying and your name will live on forever. - Anonymous
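The fix Rod describes, written out as ipsec.conf(5) flow entries for both OpenBSD gateways. This is an added illustration, not configuration from the thread; it assumes the extranet behind the head-office firewall is 10.x.y.0/24 (the thread only names the gateway 10.x.y.1) and that the existing SA/key setup (isakmpd or manual esp rules) is left unchanged. The point is that IPsec on OpenBSD selects traffic for the tunnel by flow (SPD) match, not by the routing table, so a branch host reaching an extranet address needs a flow whose selectors cover that address on both ends; the security benefit of keeping the selector to the one extranet prefix is that the branch LAN cannot reach anything else behind the HO firewall through the tunnel.

```conf
# ---- /etc/ipsec.conf on the BRANCH gateway (150.x.y.z) ----
# Macros; the extranet prefix is an assumption, the thread names only 10.x.y.1.
branch_gw   = "150.x.y.z"
ho_gw       = "165.x.y.z"
branch_lan  = "172.22.23.0/24"
ho_lan      = "172.22.22.0/24"
extranet    = "10.x.y.0/24"

# Existing LAN-LAN flow (already present and working per the thread).
flow esp from $branch_lan to $ho_lan peer $ho_gw

# Added flow: branch LAN <-> extranet, still via the head-office endpoint.
# A bare "flow" line installs both the in and out direction.
flow esp from $branch_lan to $extranet peer $ho_gw

# ---- /etc/ipsec.conf on the HEAD OFFICE gateway (165.x.y.z) ----
# (same macros as above)
flow esp from $ho_lan to $branch_lan peer $branch_gw

# Mirror of the added flow; without it the HO endpoint has no SPD entry
# for 10.x.y.0/24 <-> 172.22.23.0/24 and replies never enter the tunnel.
flow esp from $extranet to $branch_lan peer $branch_gw
```

Load with `ipsecctl -f /etc/ipsec.conf` on each gateway and confirm the new selectors with `ipsecctl -s flow`; decrypted traffic on the HO side appears on enc0 and is then forwarded to the extranet interface by the normal routing (10.x.y.1 already being directly reachable), and pf rules on enc0 can be used to limit which extranet hosts and ports the branch LAN may reach.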
Routing to host over IPsec
Existing setup:

Head Office: WAN IP = 165.x.y.z, LAN = 172.22.22.0/24, Extranet gateway = 10.x.y.1
Branch Office: WAN IP = 150.x.y.z, LAN = 172.22.23.0/24

IPsec endpoints are OpenBSD firewalls and LAN to LAN connectivity is fine.

My challenge is to get traffic to pass from a host on the Branch LAN over the IPsec tunnel to a host on the Extranet via gateway 10.x.y.1. If I could add a route entry that used the LAN IP of the H/O firewall life would be easy, but of course addresses that are only visible through IPsec don't appear in the routing table to be used as the next hop.

Is there a way to do this using either route or pf or ipsec itself? Some other method? I have to be able to get traffic to several hosts on the extranet (and get the replies back!) and they are only reachable via the extranet gateway on the head office firewall.

Cluestick, anybody?

Rod/

Write a wise saying and your name will live on forever. - Anonymous