Road Warrior in VPN Purgatory
Posted by bertonumnum, 4th June 2009

So I've been trying to get a road warrior IPsec setup (like millions of others) and have pretty much got it done except one little thing...the remote PC can only access the VPN box and ping everything inside but nothing else. I've looked at pf.conf, ipsec.conf, isakmpd.conf and isakmpd.policy to no avail. If anyone could lift me from this IPsec purgatory I would be eternally grateful. Here's the setup:

PC (external) --> OpenBSD 4.4 (VPN/FW Box) --> Internal Net

pf.conf
=======
ext_if="fxp0"
trunk_if="trunk0" # Internal Trunk Group
ext_net = "192.168.1.0/24"
int_net = "192.168.0.0/24"

srv_int = "192.168.0.56" # Internal Server
gw_ext = "10.10.10.1" # External IP on the VPN

#table <spamd-white> persist

set skip on lo
# NOTE: "set skip" turns pf filtering off entirely for the listed interface,
# so with enc0 here the "on enc0" rules further down are never evaluated.
set skip on enc0
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect inbound web traffic for the external address to the internal web server
rdr on $ext_if proto tcp from any to $gw_ext port { www https } -> $srv_int

block in
pass out

#pass quick on $int_if no state
antispoof quick for { lo $trunk_if }

# Allow ESP encapsulated IPsec traffic on the external interface
pass in on $ext_if proto esp from $ext_net to $gw_ext
pass out on $ext_if proto esp from $gw_ext to $ext_net

# Allow isakmpd(8) traffic on the external interface
pass in on $ext_if proto udp from $ext_net to $gw_ext port {isakmp, ipsec-nat-t}
pass out on $ext_if proto udp from $gw_ext to $ext_net port {isakmp, ipsec-nat-t}

# Allow IP-in-IP traffic between the gateways on the enc(4) interface
pass in on enc0 proto ipencap from $ext_net to $gw_ext keep state (if-bound)
pass out on enc0 proto ipencap from $gw_ext to $ext_net keep state (if-bound)

# Filter unencrypted VPN traffic on the enc(4) interface
pass in on enc0 from $ext_net to $trunk_if:network keep state (if-bound)
pass out on enc0 from $trunk_if:network to $ext_net keep state (if-bound)

# A bunch of port/service rules you don't care about...

# Squid transparent proxy on the VPN box for internal users
pass in on $trunk_if inet proto tcp from $int_net to localhost port 3128
pass out on $ext_if inet proto tcp from localhost to any port www

pass quick on $trunk_if
-----------------------------------------------------------
isakmpd.policy
==============
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" &&
            pfs == "yes" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" -> "true";

-----------------------------------------------------------
isakmpd.conf
============
[General]
Listen-On = 10.10.10.1

[Phase 1]
# Default = <ISAKMP-peer>
Default = client

[Phase 2]
# Passive-connections = <IPsec connection>
Passive-connections = client-netB

# <ISAKMP-peer>
[client]
Phase = 1
Transport = udp
# Configuration = <ISAKMP-configuration>
Configuration = Default-main-mode
Authentication = sharedsecret

# <IPsec connection>
[client-netB]
Phase = 2
ISAKMP-peer = client
# Configuration = <IPsec-configuration>
Configuration = Default-quick-mode
# Local-ID = <IPsec-ID>
Local-ID = netB
# Remote-ID = <IPsec-ID>
Remote-ID = client

# <IPsec-ID>
# NOTE: the section name "client" is also used for the <ISAKMP-peer> above.
[client]
ID-type = IPV4_ADDR
Address = 0.0.0.0

# <IPsec-ID>
[netB]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0

# <ISAKMP-configuration>
[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = AGGRESSIVE
# Transforms = <ISAKMP-transform>
Transforms = AES-256-SHA

# <IPsec-configuration>
[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
# Suites = <IPsec-suite>
Suites = QM-ESP-AES-256-SHA-PFS-SUITE

---------------------------------------------------
ipsec.conf
==========
# Macros are per file: ipsecctl(8) does not read pf.conf, so the same
# values used there have to be defined here as well.
gw_ext = "10.10.10.1"
ext_net = "192.168.1.0/24"
int_net = "192.168.0.0/24"

ike passive esp from $gw_ext to $ext_net
ike dynamic esp from $int_net to $ext_net

---------------------------------------------------

So when a PC on the outside connects, it has full access to the VPN box but can't get beyond it into the int_net. It can, however, ICMP ping everywhere inside. On a box on the inside net, an arp -a yields:

# arp -a
? (192.168.0.165) at (incomplete) on trunk0

So packets get to the inside boxes from the outside PC, but the internal boxes don't get an arp response for the outside PC.

Any help would be EXTREMELY appreciated!
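Added check, not part of the original post. The arp -a output above shows an internal box trying to resolve 192.168.0.165, an address that falls inside int_net (192.168.0.0/24). A host treats a destination in its own on-link subnet as directly reachable: it ARPs for it on that segment instead of handing the packet to its default gateway, so the VPN box only ever sees such return traffic if something on trunk0 answers ARP for the client address. The script below does the subnet arithmetic for the values quoted in the post (the addresses 192.168.1.50 and 10.10.10.1 in the loop are assumed test inputs) and reports, for each destination, whether a host in int_net would ARP for it or route it through its gateway.

```sh
#!/bin/sh
# Added example, not the poster's configuration. IPv4 only; assumes the
# subnets quoted in the post.

# Convert a dotted-quad IPv4 address to an unsigned integer.
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a /LEN prefix as an integer (0 for /0, 4294967040 for /24).
mask_from_prefix() {
    echo $(( 0xffffffff & ~((1 << (32 - $1)) - 1) ))
}

# in_subnet ADDR NET/LEN : exit 0 if ADDR lies inside NET/LEN, 1 otherwise.
in_subnet() {
    _net=${2%/*}
    _len=${2#*/}
    _mask=$(mask_from_prefix "$_len")
    [ $(( $(ip4_to_int "$1") & $_mask )) -eq $(( $(ip4_to_int "$_net") & $_mask )) ]
}

# next_hop_kind DEST ONLINK_NET/LEN : prints "arp" when a sender on
# ONLINK_NET treats DEST as directly reachable (and therefore needs an ARP
# reply for DEST on its own segment), "gateway" when it will send the packet
# to its default gateway instead.
next_hop_kind() {
    if in_subnet "$1" "$2"; then
        echo arp
    else
        echo gateway
    fi
}

# Constructed inputs taken from the post: the internal LAN, the external
# LAN, and the address the internal box was shown ARPing for.
int_net="192.168.0.0/24"
ext_net="192.168.1.0/24"
client_addr="192.168.0.165"

# 192.168.1.50 (a host in ext_net) and 10.10.10.1 (gw_ext) are assumed
# comparison destinations.
for dst in "$client_addr" 192.168.1.50 10.10.10.1; do
    printf '%-15s from a host in %s: %s\n' \
        "$dst" "$int_net" "$(next_hop_kind "$dst" "$int_net")"
done
```

The only destination that comes back as "arp" is the one in the same /24 as the internal hosts, which matches the incomplete ARP entry on trunk0; a client address outside int_net, or a gateway that answers ARP on trunk0 for the client address, is what turns that into a routed path.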