Re: Routing issue with VPN tunnel [SOLVED]


danial
Hi all,

The lo1 workaround worked.

There are some posts out there that explain this, or parts of it, and
here's my contribution.
The two threads I found most helpful can be googled:
"NAT on IPSEC with OpenBSD/pf/isakmpd"
"OT - NAT on IPsec"

The issues in question are mentioned earlier in this thread and I
won't repeat them.

1 - Create a loopback interface on which NATting will be done:
# cat /etc/hostname.lo1
inet 172.16.0.1 255.255.255.0 NONE description "IPsec NAT interface"

This should be an IP of a different subnet than your internal network.

2 - Add a static route to the remote network you are trying to reach:
route add 192.168.0.0/24 172.16.0.1

3 - Configure lo1 for NAT (pf.conf):
nat on lo1 from $internal_net to 192.168.0.0/24 -> lo1

4 - Create pf.conf rules:
## ISAKMP VPN
pass on lo1 inet from lo1 to 192.168.0.0/24 keep state
# In
pass in on enc0 keep state (if-bound)
# Out
pass out on enc0 inet from lo1 to 192.168.0.0/24

pass on enc0 proto ipencap all keep state (if-bound)
pass on $ext_if inet proto esp all keep state
-----------
NB. Outgoing enc0 traffic rule must not contain "keep state"

5 - The IPsec tunnel/flows must of course be added with 172.16.0.1 as IPV4_ADDR.
[My-Net]
ID-Type=                IPV4_ADDR
Address=              172.16.0.1


Best regards,

Danial

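The five steps above form one procedure, and the constraint in step 1 (the lo1 subnet must not be inside the internal network, and for the static route in step 2 to make sense it must not be inside the remote network either) is easy to get wrong. The following is an added example, not Danial's code: it checks those prefixes with Python's ipaddress module and then renders the hostname.lo1 line, the route command, the pf.conf rules (in the pre-4.7 "nat on" syntax the post uses) and the isakmpd.conf [My-Net] section from the parameters. The function names, the ext_if default "em0" and the internal network 10.0.0.0/24 used in the usage call are assumptions made here; the post never states the internal network.

```python
"""NAT-over-IPsec configuration generator for the lo1 workaround.

Added example, not from the post. Function and parameter names are
assumptions; the sample internal network is constructed for the demo.
"""
import ipaddress


def check_addressing(internal_net, lo1_addr, remote_net):
    """Return a list of addressing problems; an empty list means OK.

    The post requires the lo1 subnet to be outside the internal network.
    It also must not overlap the remote network, or the static route to
    the remote net would cover the NAT address itself.
    """
    internal = ipaddress.ip_network(internal_net, strict=False)
    lo1 = ipaddress.ip_interface(lo1_addr)      # e.g. 172.16.0.1/24
    remote = ipaddress.ip_network(remote_net, strict=False)
    problems = []
    if lo1.network.overlaps(internal):
        problems.append(f"lo1 subnet {lo1.network} overlaps internal net {internal}")
    if lo1.network.overlaps(remote):
        problems.append(f"lo1 subnet {lo1.network} overlaps remote net {remote}")
    if internal.overlaps(remote):
        problems.append(f"internal net {internal} overlaps remote net {remote}")
    return problems


def render_config(internal_net, lo1_addr, remote_net, ext_if="em0"):
    """Return {fragment name: text} for the five steps of the post.

    Raises ValueError when the addressing check fails, since a NAT subnet
    inside the internal or remote network defeats the workaround.
    """
    problems = check_addressing(internal_net, lo1_addr, remote_net)
    if problems:
        raise ValueError("; ".join(problems))
    lo1 = ipaddress.ip_interface(lo1_addr)
    internal = ipaddress.ip_network(internal_net, strict=False)
    remote = ipaddress.ip_network(remote_net, strict=False)

    # Step 1: /etc/hostname.lo1
    hostname_lo1 = (f'inet {lo1.ip} {lo1.netmask} NONE '
                    f'description "IPsec NAT interface"\n')
    # Step 2: static route to the remote network via the lo1 address
    route = f"route add {remote} {lo1.ip}\n"
    # Steps 3 and 4: pf.conf (pre-4.7 syntax, as in the post)
    pf = "\n".join([
        f'ext_if = "{ext_if}"',
        f'internal_net = "{internal}"',
        f"nat on lo1 from $internal_net to {remote} -> lo1",
        "## ISAKMP VPN",
        f"pass on lo1 inet from lo1 to {remote} keep state",
        "# In",
        "pass in on enc0 keep state (if-bound)",
        "# Out: deliberately no 'keep state' here, as the post notes",
        f"pass out on enc0 inet from lo1 to {remote}",
        "pass on enc0 proto ipencap all keep state (if-bound)",
        "pass on $ext_if inet proto esp all keep state",
    ]) + "\n"
    # Step 5: isakmpd.conf identity, using the lo1 address as IPV4_ADDR
    isakmpd = "\n".join([
        "[My-Net]",
        "ID-Type=\t\tIPV4_ADDR",
        f"Address=\t\t{lo1.ip}",
    ]) + "\n"
    return {"hostname.lo1": hostname_lo1, "route": route,
            "pf.conf": pf, "isakmpd.conf": isakmpd}


if __name__ == "__main__":
    # 10.0.0.0/24 is a constructed internal network; the post does not give one.
    for name, text in render_config("10.0.0.0/24", "172.16.0.1/24",
                                    "192.168.0.0/24").items():
        print(f"--- {name} ---\n{text}")
```

Run it once with the real internal prefix in place of 10.0.0.0/24; if check_addressing returns anything, pick a different lo1 subnet before touching pf.conf, because pf will happily load a NAT rule whose translation address sits inside the network it is supposed to hide.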