OpenBSD, vpnc and packets forwarding problems

[Tritone]

Hi,
I am building a simple router based on OpenBSD 4.5 installed on VMware Server 2.0.1 which should allow me to connect all my network hosts to a VPN.

Because the VPN is a Cisco VPN I am using vpnc 0.5.3 (which I compiled with OpenSSL support).

The connection to the VPN starts correctly and I receive all the networks present on the Cisco aggregator.

From this point I have several problems:

1) I can not ping the interface tun0 (from OpenBSD), no way, also configuring PF to pass in all and out all.

2) I can not ping hosts in the VPN (from OpenBSD and all clients on my network)

I premise that i have enabled net.inet.ip.forwarding (so set it to 1) and ATM there is no blocking rules on pf.

here is my pf.conf file

Code:

set skip on lo

EXT = "tun0"   # This is the vpnc connection
INT = "vic0"    # This is the VMware network card which is BRIDGED on the host network card
LAN_clients = "192.168.0.0/24"

nat on $EXT from $LAN_clients to any -> ($EXT)

pass in all
pass out all

There is NO firewall setted up on the VMWare Host side.

Does someone knows what wrong?

Thank you for your help

[jggimi]

Because security/vpnc is a userland implementation of IPSec, you must disable either one or two sysctls, per the installation message:

Code:

In order for vpnc to actually get any received IPsec packet, you have
to disable ESP in your kernel like this:

    sysctl net.inet.esp.enable=0

If you are behind a NAT gateway, you have to disable UDP encapsulation
as well:

    sysctl net.inet.esp.udpencap=0

This port has been discussed on the ports@ mailing list several times over the last five years:

http://marc.info/?l=openbsd-ports&w=2&r=1&s=vpnc&q=b

[Tritone]

Thank you for your help jggimi,
I already did this and from the sysctl.conf file (so from the boot), it was my fault to not tell it on my previous post, sorry.

If I do ifvonfig after vpnc get connected I see that:

Code:

tun0: flags=51<UP,POINTTOPOINT,RUNNING> mtu 1412
          priority: 0
          groups: tun
          inet 192.168.20.75 --> 192.168.20.75 netmask 0xffffffff

And that's all, no packets received or transmitted (apparently), I also launched vpnc with Debug 99 option and I saw it is parsing all the packets that comes from the Cisco aggregator.

All sounds good, but once connected... nothing works

[jggimi]

I've never used vpnc, sorry. I'm not sure if anyone *else* here has. If you don't get help within the next day or two, consider posting your question to ports@.

For that mailing list, or here, you should consider posting more information: your vpnc.conf, with any private information redacted, as well as the contents of your complete NIC configuration ($ ifconfig) and the contents of your routing table ($ route -n show -inet). Symptoms without configuration information is not necessarily helpful.

From what you've posted, all I can see is a tun0 device, configured in point-to-point mode, with both ends of the connection having the same IP address. That doesn't seem correct to me, but a quick Google of vpnc howto's shows thats the way vpnc is intended to use the tun(4) device.