On 2013-07-04, Anders Berggren wrote:
> However, I think it's possible to use a gif tunnel for the
> tunnel encapsulation, and only use IPsec for the endpoint encryption.
> It would probably work, because unlike IPsec flows, it's not "source
> routed".
Matt Dainty got this to work w
I don't know why, but for some reason it just didn't occur to me that
doing that would set the source IP but of course it would. Hand -> Face
slap! ;)
Thanks :)
On Fri 05 Jul 2013 11:51:39 BST, Todd T. Fries wrote:
Penned by Andy on 20130704 9:25.40, we have:
| On Thu 04 Jul 2013 15:22:55 BS
Penned by Andy on 20130704 9:25.40, we have:
| On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
| >>I'd rather not have to create extra tunnels or define VPN policies with
subnets which have prefixes wider than the internal LANs.
| >>That leaves mangling, but I cannot see how I would do th
I use OSPFd on each OpenBSD firewall I deploy.
This way you get access to all machines on the remote LAN, including the firewall
itself, and you don't have to maintain routing manually.
//mxb
On 4 jul 2013, at 16:25, Andy wrote:
> On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
>>> I'd rat
On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
I'd rather not have to create extra tunnels or define VPN policies with subnets
which have prefixes wider than the internal LANs.
That leaves mangling, but I cannot see how I would do the mangling in PF to
make it work without doing a redi
> I'd rather not have to create extra tunnels or define VPN policies with
> subnets which have prefixes wider than the internal LANs.
> That leaves mangling, but I cannot see how I would do the mangling in PF to
> make it work without doing a redirect through the loopback etc.. Just
> wondering
PS: It's also not limited to netcat (if it were I would just use the -s
switch on netcat)..
I have other daemons on the remote firewalls that I need to also 'phone
home', and so I believe I need to do it by either changing/adding the
VPN policies or packet mangling with PF..
I'd rather not ha
>>> Perhaps you've created flows from our LAN network range only? If so, for a
>>> ping to work, you need to specify the local IP, like
>>> ping -I 192.168.1.1 192.168.2.1
>> how to change the source address for the 'netcat' command payload?
> According to http://www.openbsd.org/cgi-bin/man.cgi?qu
>> Perhaps you've created flows from our LAN network range only? If so, for a
>> ping to work, you need to specify the local IP, like
>> ping -I 192.168.1.1 192.168.2.1
> how to change the source address for the 'netcat' command payload?
According to http://www.openbsd.org/cgi-bin/man.cgi?query=n
Hi, Yes that does work and is the problem as mentioned, but I don't
know how to change the source address for the 'netcat' command payload?
Ping was just a test to see what is going on..
Cheers, Andy.
On Thu 04 Jul 2013 14:08:41 BST, Anders Berggren wrote:
When I try to do a ping or otherwise
> When I try to do a ping or otherwise on the remote firewalls to the head
> office lan, I get a 'no route to host' error which implies that the IPSec vpn
> policy route which can be seen in the 'route show' is not being used as the
> source IP of the ping/payload is not going to have the firewa
Hi misc,
We have what should be a simple VPN routing issue but I can't figure out
what to do with the IPSec config. We have many remote office firewalls
with IPSec tunnels linking to our head office (hub and spoke topology),
each defining Phase 2 policies mapping the remote internal networks t