VPN 2 - OpenBSD 4.6
hostname.em0
inet 10.4.1.1 255.255.0.0 NONE
hostname.em1
inet 1.8.15.3 255.255.255.0 NONE
hostname.enc0
up
ipsec.conf
ike esp from 10.4.0.0/16 to 10.1.0.0/16 peer 1.8.64.7
ike esp from 10.4.0.0/16 to 10.2.0.0/16 peer 1.8.38.5
ike esp from 10.4.0.0/16 to 10.3.0.0/16 peer 1.8.38.5
ike esp from 1.8.15.3 to 1.8.38.5
ike esp from 1.8.15.3 to 1.8.64.7
pf.conf
int_if = em0
ext_if = em1    # the interface carrying $ext_ip is em1 (see hostname.em1 above), not em2
int_ip = 10.4.1.1
ext_ip = 1.8.15.3
peer_ip = "{1.8.64.7, 1.8.38.5}"
lan_net = "10.4.0.0/16"
peer_net = "{10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16}"
set skip on lo0
match in scrub (no-df)
nat on $ext_if from $lan_net to any -> $ext_ip
block in log all
pass in quick on $int_if from $lan_net to any
pass out on $ext_if proto icmp from $ext_ip to any
pass in inet proto tcp from any to $int_if port ssh
pass out on $ext_if proto udp from any to any port 53 keep state
pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}
pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip
pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)
pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)
pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)
pass out on $int_if from $int_ip to $lan_net
antispoof log for $ext_if
antispoof log for $int_if
VPN 3 - OpenBSD
hostname.em0
inet 10.1.1.254 255.255.0.0 NONE
hostname.em1
inet 1.8.64.7 255.255.0.0 NONE
hostname.enc0
up
ipsec.conf
ike esp from 10.1.0.0/16 to 10.2.0.0/16 peer 1.8.38.5
ike esp from 10.1.0.0/16 to 10.3.0.0/16 peer 1.8.38.5
ike passive esp from 10.1.0.0/16 to 10.4.0.0/16 peer 1.8.15.3
ike esp from 1.8.64.7 to 1.8.38.5
ike passive esp from 1.8.64.7 to 1.8.15.3
pf.conf
ext_if = "em1"
int_if = "em0"
ext_ip = "1.8.64.7"
int_ip = "10.1.1.254"
peer_ip = "{ 1.8.38.5, 1.8.15.3 }"
lan_net = "10.1.0.0/16"
peer_net = "{ 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16 }"
admin_ip = "10.0.0.0/8"
set skip on lo0
block log all
pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}
pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip
pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)
pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)
pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)
pass in on $int_if proto tcp from $admin_ip to $int_ip port ssh
pass out on $int_if proto tcp from $int_ip to $admin_ip port ssh
pass in on $ext_if proto tcp from any to $ext_ip port ssh
pass out on $ext_if proto tcp from $ext_ip to any port ssh
pass out on $int_if from $int_ip to $lan_net
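Added here as a worked consistency check, not part of the original configuration: a short Python script that parses the ike flow lines of the two ipsec.conf listings above and reports every flow that has no mirror-image flow on its peer, whose mirror points at a different gateway, or where both ends are active (the listings pair an active flow on VPN 2 with a passive one on VPN 3). The third gateway, 1.8.38.5, is not on this page, so flows toward it are reported as unverifiable rather than as errors.

```python
import re

# Constructed from the two ipsec.conf listings on this page, keyed by external IP.
GATEWAYS = {
    "1.8.15.3": """
ike esp from 10.4.0.0/16 to 10.1.0.0/16 peer 1.8.64.7
ike esp from 10.4.0.0/16 to 10.2.0.0/16 peer 1.8.38.5
ike esp from 10.4.0.0/16 to 10.3.0.0/16 peer 1.8.38.5
ike esp from 1.8.15.3 to 1.8.38.5
ike esp from 1.8.15.3 to 1.8.64.7
""",
    "1.8.64.7": """
ike esp from 10.1.0.0/16 to 10.2.0.0/16 peer 1.8.38.5
ike esp from 10.1.0.0/16 to 10.3.0.0/16 peer 1.8.38.5
ike passive esp from 10.1.0.0/16 to 10.4.0.0/16 peer 1.8.15.3
ike esp from 1.8.64.7 to 1.8.38.5
ike passive esp from 1.8.64.7 to 1.8.15.3
""",
}

# ike [active|passive|dynamic] esp from SRC to DST [peer PEER]; the mode defaults to active.
FLOW_RE = re.compile(r"^ike(?:\s+(active|passive|dynamic))?\s+esp\s+from\s+(\S+)"
                     r"\s+to\s+(\S+)(?:\s+peer\s+(\S+))?\s*$")

def parse_flows(text):
    """Return (mode, src, dst, peer) tuples; peer defaults to dst for host-to-host flows."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            mode, src, dst, peer = m.groups()
            flows.append((mode or "active", src, dst, peer or dst))
    return flows

def check_peers(gateways):
    """List flows whose mirror image on the peer gateway is missing or inconsistent."""
    findings = []
    for local_ip, text in gateways.items():
        for mode, src, dst, peer in parse_flows(text):
            tag = f"{local_ip}: {src} -> {dst}"
            if peer not in gateways:
                findings.append(f"{tag}: peer {peer} not available, cannot verify")
                continue
            mirror = [f for f in parse_flows(gateways[peer]) if f[1:3] == (dst, src)]
            if not mirror:
                findings.append(f"{tag}: no matching flow on {peer}")
            elif mirror[0][3] != local_ip:
                findings.append(f"{tag}: flow on {peer} points at {mirror[0][3]}, not {local_ip}")
            elif mode == "active" and mirror[0][0] == "active":
                findings.append(f"{tag}: both ends active; pair active with passive")
    return sorted(findings)
```

Run against the two listings as given, the only findings are the six flows toward 1.8.38.5, whose configuration is not on this page; removing or editing one of VPN 3's passive flows makes the corresponding mismatch show up.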