IPsec/pf setup
Hello!
I've been playing around with IPsec lately (4.9-current), and it seems to be working just fine. Connectivity is how I want it, tcpdumps on the interfaces look good too, and there is nothing weird in the logs. But as it feels fairly complicated to get a grasp on this, it would be nice to get some feedback or fresh eyes on the setup, especially the pf stuff, in case there are some glaringly obvious hole(s) or stupid stuff somewhere.

The basic setup is a pretty common scenario: a laptop on an RFC 1918 net behind a crappy wireless router somewhere (with a dynamic IP) wants an IPsec tunnel to the OpenBSD box connecting remote_net and int_net.

Code:
                                     (crap.com)
wireless------internet-------OpenBSD router gateway
   |                                    |
   |                                    |
laptop                              (int_net)
(remote_net)                      192.168.1.0/24
192.168.3.0/24

Code:
# /etc/ipsec.conf @ gateway (modified domainnames/srcid/dstid ofc)
ike passive esp \
        from 192.168.1.0/24 to 192.168.3.0/24 \
        local crap.com \
        srcid crap.com dstid laptop.my.domain \
        psk <psk>

ike passive esp \
        from crap.com to 192.168.3.0/24 \
        local crap.com \
        srcid crap.com dstid laptop.my.domain \
        psk <psk>

Code:
# /etc/ipsec.conf @ laptop
ike dynamic esp \
        from 192.168.3.0/24 to 192.168.1.0/24 \
        peer crap.com \
        srcid laptop.my.domain dstid crap.com \
        psk <psk>

ike dynamic esp \
        from 192.168.3.0/24 to crap.com \
        peer crap.com \
        srcid laptop.my.domain dstid crap.com \
        psk <psk>

Code:
# /etc/pf.conf @ gateway
ext_if="vr0"
int_if="fxp0"
int_net="192.168.1.0/24"
remote_net="192.168.3.0/24"

set block-policy drop
set loginterface $ext_if
set optimization aggressive
set skip on lo

match in all scrub (no-df)
match out on $ext_if from $int_net nat-to ($ext_if)

block in all
block quick inet6 all
antispoof quick for { $int_if $ext_if }
pass out

block on enc0 all
pass in on enc0 from any to ($ext_if) keep state (if-bound)
pass out on enc0 from ($ext_if) to any keep state (if-bound)
pass in on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)

pass in on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 } keep state (pflow)
pass in on $ext_if inet proto esp from any to ($ext_if) keep state (pflow)

pass in on $int_if keep state (pflow)

block in on ! lo0 proto tcp to port 6000:6010
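A line-level sanity check over a ruleset like the one above, added here as an example and not part of the post: it takes a pf.conf with the macros already expanded and reports when the rules an IPsec gateway with a NATed peer needs are missing (IKE on udp 500, NAT-T on udp 4500, ESP on the external interface, a default block on enc0, and interface-bound states on the enc0 pass rules, following the posted convention). The embedded ruleset is a constructed, trimmed copy of the posted gateway rules with ext_if=vr0 and int_if=fxp0; this complements, not replaces, pfctl -nf.

```python
import re

# Constructed input: the gateway ruleset from the post, trimmed to the rules
# this check cares about, with macros expanded by hand (ext_if=vr0, int_if=fxp0).
GATEWAY_PF = """
block in all
pass out
block on enc0 all
pass in on enc0 from any to (vr0) keep state (if-bound)
pass out on enc0 from (vr0) to any keep state (if-bound)
pass in on enc0 from 192.168.3.0/24 to 192.168.1.0/24 keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to 192.168.3.0/24 keep state (if-bound)
pass in on vr0 inet proto udp from any to (vr0) port { 500 4500 } keep state (pflow)
pass in on vr0 inet proto esp from any to (vr0) keep state (pflow)
pass in on fxp0 keep state (pflow)
"""

def check_ipsec_gateway(text, ext_if):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ike = natt = esp = enc0_default_block = False
    for r in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        w = r.split()
        if not w or w[0] not in ("pass", "block"):
            continue  # blanks, comments, macros and set/match/antispoof lines are skipped
        iface = w[w.index("on") + 1] if "on" in w else None
        inbound_ext = w[0] == "pass" and w[1:2] == ["in"] and iface == ext_if
        if inbound_ext and "udp" in w:
            ike = ike or bool(re.search(r"\b500\b", r))    # IKE
            natt = natt or bool(re.search(r"\b4500\b", r))  # NAT-T
        if inbound_ext and "esp" in w:
            esp = True
        if iface == "enc0":
            if w[0] == "block" and w[-1] == "all":
                enc0_default_block = True
            elif w[0] == "pass" and "(if-bound)" not in r:
                findings.append("enc0 pass rule without (if-bound): " + r)
    for ok, what in ((ike, "udp 500 (IKE)"),
                     (natt, "udp 4500 (NAT-T, needed when the peer sits behind NAT)"),
                     (esp, "proto esp")):
        if not ok:
            findings.append("no pass in on %s for %s" % (ext_if, what))
    if not enc0_default_block:
        findings.append("no 'block on enc0 all'; enc0 falls through to the global rules")
    return findings

if __name__ == "__main__":
    for f in check_ipsec_gateway(GATEWAY_PF, "vr0") or ["no findings"]:
        print(f)
```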
Did you try disabling pf to see if the pf component is not the problem?