26th October 2010
badguy (Fdisk Soldier)
Join Date: Jul 2009
Location: MD, USA
Posts: 59

Sorry for the multi-post. I just felt this was a different topic, so I decided to create another post. This is actually a different project from the previous post, as I am using IP addresses in this one but will be using DNS names for the second project (previous thread). I do not want you to mix them up.

Let me know if I left out any important config.

ipsec.conf
#Traffic from A VPN
ike passive esp from 10.3.0.0/16 to 10.1.0.0/16 peer 1.8.64.7
#Traffic from A Network
ike passive esp from 10.2.0.0/16 to 10.1.0.0/16 peer 1.8.64.7

#Traffic to C
ike passive esp from 10.3.0.0/16 to 10.4.0.0/16 peer 1.8.15.3
#Traffic from A Network
ike passive esp from 10.2.0.0/16 to 10.4.0.0/16 peer 1.8.15.3

ike passive esp from 1.8.38.5 to 1.8.64.7
ike passive esp from 1.8.38.5 to 1.8.15.3

pf.conf
ext_ip = "1.8.38.5"
int_ip = "10.2.1.5"
peer_ip= "{1.8.64.7, 1.8.15.3}"

lan_net = "{ 10.2.0.0/16, 10.3.0.0/16}"
peer_net= "{10.1.0.0/16, 10.4.0.0/16}"

admin_ip= "10.0.0.0/8"

set skip on lo0

block log all

pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}

pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip

pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)

pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)

pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)

pass in on $int_if proto tcp from $admin_ip to $int_ip port ssh
pass out on $int_if proto tcp from $int_ip to $admin_ip port ssh

pass out on $int_if from $int_ip to $lan_net

hostname em1
inet 1.8.38.5 255.255.254.0 NONE

hostname em3
inet 10.2.1.5 255.255.0.0 NONE

hostname enc0
up

Last edited by badguy; 27th October 2010 at 03:38 PM.
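A quick offline review aid for the pf.conf pasted in this post, added here as an example (not the poster's own code and not part of the thread): it walks the macro definitions and flags every `$name` reference that was never assigned, which is the kind of thing pf refuses to load. The ruleset embedded below is a constructed, abridged copy of the post's pf.conf; the `$ext_if` and `$int_if` references are kept as posted.

```python
import re

# Constructed, abridged copy of the pf.conf from the post above.
PF_CONF = """\
ext_ip = "1.8.38.5"
int_ip = "10.2.1.5"
peer_ip= "{1.8.64.7, 1.8.15.3}"
lan_net = "{ 10.2.0.0/16, 10.3.0.0/16}"
peer_net= "{10.1.0.0/16, 10.4.0.0/16}"
admin_ip= "10.0.0.0/8"
set skip on lo0
block log all
pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if proto tcp from $admin_ip to $int_ip port ssh
"""

# pf macro definition:  name = "value"   (quotes optional)
MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')
# pf macro reference:   $name
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def check_macros(conf: str) -> dict:
    """Scan a pf.conf text and report defined, undefined and unused macros.

    Returns {"defined": {name: value}, "undefined": {name: [line numbers]},
             "unused": set(names)}.  References are checked in file order,
    so a macro used before its definition is also reported as undefined.
    """
    defined, undefined, referenced = {}, {}, set()
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        if not line:
            continue
        m = MACRO_DEF.match(line)
        names = MACRO_REF.findall(m.group(2) if m else line)
        for name in names:                       # refs in values count too
            referenced.add(name)
            if name not in defined:
                undefined.setdefault(name, []).append(lineno)
        if m:
            defined[m.group(1)] = m.group(2)
    return {"defined": defined, "undefined": undefined,
            "unused": set(defined) - referenced}


if __name__ == "__main__":
    report = check_macros(PF_CONF)
    for name, lines in sorted(report["undefined"].items()):
        print(f"undefined macro ${name} on line(s) {lines}")
```

On the firewall itself, `pfctl -nf /etc/pf.conf` is the authoritative parse-only check; this script is for reviewing a ruleset pasted into a thread without a pf box at hand.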