#1
Old 24th February 2017
scrummie02
Port Guard
 
Join Date: Nov 2011
Posts: 27
Can't reach local network via IPSEC

I have an OpenBSD L2TP IPSEC tunnel created and I can connect to it fine, however when I try to browse the local network I cannot. Here is my ipsec.conf file:
Code:
ike passive esp transport \
  proto udp from xx.xx.xx.xx to any port 1701 \
  main auth "hmac-sha1" enc "aes" group modp1024 \
  quick auth "hmac-sha1" enc "aes" group modp1024 \
  psk "VerySecretPassword"
Here is my pf.conf
Code:
ext_if2 = "enc0"
vpn_if = "pppx"
vpn_net = "10.0.0.0/24"

# allow esp protocol
pass in on $ext_if2 proto esp

# allow udp connections for isakmp and ipsec-nat-t
pass in on $ext_if2 proto udp to port { isakmp, ipsec-nat-t }

# allow all IPSec traffic
pass on enc0 keep state (if-bound)

# allow all traffic in the VPN network
pass on $vpn_if from $vpn_net
# allow all traffic out to the VPN network
pass on $vpn_if to $vpn_net

# nat outgoing connections over the internet interface to allow internet usage
match out on $ext_if2 from $vpn_net nat-to ($ext_if2) set prio (3,4)
It doesn't seem to allow me to browse my local network. I can connect just fine, but it doesn't seem to route my traffic to the local LAN. Is there something I'm missing?

Last edited by ocicat; 24th February 2017 at 06:03 PM. Reason: Please use [code] & [/code] tags when posting file contents.
#2
Old 24th February 2017
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,937

I saw your post on misc@.

I will take a wild guess - your $vpn_net pass rules are specific to your $vpn_if. You can test this by adding the log option to your block and pass rules, and then use tcpdump(8) with your pflog(4) interface.

It is just a guess. I don't have an L2TP/IPSec VPN here -- I had one years ago, and no longer have any applicable rules in my configurations.
#3
Old 1st March 2017
scrummie02
Port Guard
 
Join Date: Nov 2011
Posts: 27

Quote: Originally Posted by scrummie02
It shows it passing but pppx0 and enc0. Traffic is going to the server but it won't leave to the local LAN.
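The pflog check jggimi suggests in #2 produces one line per logged packet, and #3 reports what that looked like: traffic passing on pppx0 and enc0 but never leaving towards the LAN. The script below is an added example, not something from the thread, that parses such tcpdump(8) lines from pflog(4) and reports flows that were passed in but never passed out. The log lines, the VPN client 10.0.0.5, the LAN host 192.168.1.20 and the LAN interface name em1 are all constructed for the illustration (the thread never names the LAN interface).

```python
import re
from collections import defaultdict

# Constructed sample in the shape tcpdump(8) prints for pflog(4) once the
# "log" option is on the pass/block rules; timestamp prefixes are omitted.
SAMPLE_PFLOG = """\
rule 12/(match) pass in on enc0: 10.0.0.5 > 192.168.1.20: icmp: echo request
rule 14/(match) pass in on pppx0: 10.0.0.5 > 192.168.1.20: icmp: echo request
rule 12/(match) pass in on enc0: 10.0.0.5.49152 > 192.168.1.20.445: S 1:1(0) win 65535
rule 14/(match) pass in on pppx0: 10.0.0.5.49152 > 192.168.1.20.445: S 1:1(0) win 65535
rule 3/(match) block out on em1: 10.0.0.5 > 192.168.1.20: icmp: echo request
rule 3/(match) block out on em1: 10.0.0.5.49152 > 192.168.1.20.445: S 1:1(0) win 65535
"""

# Matches "rule N/(reason) pass|block in|out on IFACE: SRC > DST:"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>[^:]+):"
)

def parse_pflog(text):
    """Return one dict per recognised pflog line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries

def host(addr):
    """Strip the trailing .port from tcpdump's dotted 'a.b.c.d.port' form."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def trace_path(entries):
    """Per src->dst host pair, the distinct (dir, iface, action) hops in log order."""
    paths = defaultdict(list)
    for e in entries:
        hop = (e["dir"], e["iface"], e["action"])
        key = (host(e["src"]), host(e["dst"]))
        if hop not in paths[key]:
            paths[key].append(hop)
    return dict(paths)

def stalled_flows(entries):
    """Flows that were passed in but never passed out on any interface."""
    return {key: hops for key, hops in trace_path(entries).items()
            if not any(d == "out" and a == "pass" for d, _, a in hops)}

if __name__ == "__main__":
    for (src, dst), hops in stalled_flows(parse_pflog(SAMPLE_PFLOG)).items():
        print(f"{src} -> {dst}: " + " ; ".join(" ".join(h) for h in hops))
```

Pipe real output into it with `tcpdump -n -e -i pflog0 | python3 script.py` after replacing SAMPLE_PFLOG with stdin; a flow whose last hop is a block on the LAN interface points at the rule number to look at.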