Has anyone set up a VPN with IPSec on OpenBSD

Víctor Hugo Pasten Varas vpasten at connected.cl
Mon Jul 31 11:11:09 CLT 2006


run a tcpdump -i pflog0 and see if it is rejecting traffic...

Message quoted from uv negativa <uv.negativa at gmail.com>:

> Hello everyone, I have the following little problem: I tried to configure
> a VPN, the server is an OpenBSD 3.9 amd64 and the configuration files
> are the following, which I copied from allar.nu
>
> The server has a public IP and a private one, 192.168.1.3, and I want a
> Windows client to connect to me; when I run the script on the Windows box
> it works, but when I ping an internal IP that lies within
> 192.168.1.0 / 255.255.255.0 it does not respond, e.g. ping from Windows to
> 192.168.1.1.
> I think I have an error in the pf configuration, but I don't know what it is?
>
> pf.conf
>
>
> ext_if="sis0"
> int_if="sis3"
> ext_ip="200.XX.XX.XX"
>
>
> servicios_tcp = "{ ssh, smtp, domain, pop3, https, www, 2095, 2082, 5011,
> 5001, 2084, 8083, 8880, 7978 }"
> servicios_udp = "domain"
>
> set loginterface $ext_if
> set block-policy drop
>
>
> scrub in on ALL from any to any
>
>
>
>
> pass in on $ext_if proto udp from any port = 500 to $ext_ip port = 500 keep state
> pass in on $ext_if proto esp from any to $ext_ip keep state
>
> pass proto tcp from any to any port $servicios_tcp keep state
> pass proto udp from any to any port $servicios_udp keep state
>
> pass from any to 200.31.195.157 keep state
>
>
> isakmpd.conf
>
> #
> # PGPnet - OpenBSD isakmpd configuration file.
> #
> # This is a configuration file that will get a PGPnet (a part of PGP
> # version 6.5 and later) and OpenBSD to interoperate.
> #
> # This file works with OpenBSD 3.2 and later. In earlier versions of
> # OpenBSD you need to add a lifetime description as well.
> #
> # The only thing that needs editing is the pre shared secret
> # 'mekmitasdigoat'. The setting allows everyone who knows the correct
> # pre shared secret to connect.
> #
> # Please mail me if you have any comments or bug-reports.
> #
> # Johan Allard < johan en allard.nu>
> #
>
> # ----------------
> # Defaults section
> # ----------------
>
> [General]
> Default-phase-1-lifetime=       3600,60:86400
> Default-phase-2-lifetime=       3600,60:86400
>
> # -----------
> # Connections
> # -----------
>
> [Phase 1]
> Default=                                ISAKMP-clients
>
> [Phase 2]
> Passive-Connections=    IPsec-clients
>
> # ---------------------
> # Phase 1 peer sections
> # ---------------------
>
> [ISAKMP-clients]
> Phase=                          1
> Transport=                      udp
> Configuration=          PGP-main-mode
> Authentication=         hello-world
>
> # ----------------
> # Phase 2 sections
> # ----------------
>
> [IPsec-clients]
> Phase=                  2
> Configuration=      PGP-quick-mode
> Local-ID=               default-route
> Remote-ID=              dummy-remote
>
> # ------------------
> # Client ID sections
> # ------------------
>
> [default-route]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        0.0.0.0
> Netmask=         0.0.0.0
>
> [dummy-remote]
> ID-type=        IPV4_ADDR
> Address=        0.0.0.0
>
> # ----------------------
> # Transform descriptions
> # ----------------------
> #  Some predefined section names are recognized by the daemon, voiding the
> #  need to fully specify the Main Mode transforms and Quick Mode suites,
> #  protocols and transforms.
> #
> # For Main Mode:
> #   {DES,BLF,3DES,CAST}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}]
> #
> # For Quick Mode:
> #
>
QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS[-{GRP{1,2,5}}]]-SUITE
>
> # -------------------------------------------------------------------------
> # PGPnet note:
> #
> # The Transform values are the default values in PGPnet, if you change them
> # you might have to change in all your clients aswell.
> # -------------------------------------------------------------------------
>
> [PGP-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Transforms=             3DES-SHA-GRP2
>
> [PGP-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=  QUICK_MODE
> Suites=                 QM-ESP-3DES-SHA-SUITE
>
> # -----------
> # End of file
> # -----------
>
> isakmpd.policy
>
> Comment: This policy accepts ESP SAs from a remote that uses the right
> password.
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>                 esp_present == "yes" &&
>                 esp_enc_alg != "null" -> "true";
>
>
> Windows config
>
>
> ipseccmd.exe -f 0=* -n ESP[3DES,SHA] -t ipPublicaServidor -a PRESHARE:"hello-world" -1s 3DES-SHA-2
> ipseccmd.exe -f *=0 -n ESP[3DES,SHA] -t ipPublicaClientewindows -a PRESHARE:"hello-world" -1s 3DES-SHA-2
>


Víctor Pasten V.
Networks and Servers
vpasten at connected.cl
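The tcpdump triage suggested in the reply, turned into a small parser (added here as an example; it is not part of the original thread): it reads pflog-style tcpdump output and lists only the IPsec-relevant packets pf dropped (IKE on udp/500, NAT-T on udp/4500, ESP, and already-decapsulated traffic on enc0) together with the rule number that matched. The sample lines and the exact line layout are constructed approximations of what `tcpdump -n -e -ttt -i pflog0` prints on OpenBSD.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of `tcpdump -n -e -ttt -i pflog0` on OpenBSD
# (approximated; the real output carries more per-packet detail).
SAMPLE_PFLOG = """\
Jul 31 11:10:01.000001 rule 0/(match) block in on sis0: 200.1.2.3.500 > 200.31.195.157.500: isakmp: phase 1 I ident
Jul 31 11:10:01.000002 rule 5/(match) pass in on sis0: 200.1.2.3.500 > 200.31.195.157.500: isakmp: phase 1 I ident
Jul 31 11:10:02.000003 rule 0/(match) block in on sis0: 200.1.2.3.4500 > 200.31.195.157.4500: udp 120
Jul 31 11:10:03.000004 rule 0/(match) block in on sis0: 200.1.2.3 > 200.31.195.157: ESP(spi=0x0000abcd,seq=0x1)
Jul 31 11:10:04.000005 rule 0/(match) block in on enc0: 10.9.8.7 > 192.168.1.1: icmp: echo request
Jul 31 11:10:05.000006 rule 0/(match) block in on sis0: 1.2.3.4.44321 > 200.31.195.157.22: S 1:1(0) win 65535
"""

PFLOG_RE = re.compile(r"rule (?P<rule>\d+)/\(\w+\) (?P<action>block|pass) (?:in|out) "
                      r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>[^:]+):(?P<rest>.*)")

def split_host_port(endpoint: str):
    # tcpdump prints udp/tcp endpoints as a.b.c.d.port; ESP/ICMP carry no port
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None

def ipsec_kind(ifname: str, rest: str, sport, dport) -> Optional[str]:
    # Label the packets that matter for an IPsec tunnel; None for unrelated traffic.
    if ifname.startswith("enc"):                           # decapsulated tunnel traffic
        return "tunnel"
    if re.search(r"\besp\b", rest, re.I):                  # IP protocol 50
        return "esp"
    if "isakmp" in rest.lower() or 500 in (sport, dport):  # IKE, udp/500
        return "isakmp"
    if 4500 in (sport, dport):                             # IKE/ESP in UDP behind NAT
        return "nat-t"
    return None

def parse_pflog(text: str) -> List[Dict]:
    records = []
    for m in (PFLOG_RE.search(line) for line in text.splitlines()):
        if not m:
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        records.append({"rule": int(m["rule"]), "action": m["action"], "ifname": m["ifname"],
                        "src": src, "dst": dst, "kind": ipsec_kind(m["ifname"], m["rest"], sport, dport)})
    return records

def blocked_ipsec(text: str) -> List[Dict]:
    # Only the IPsec-related packets pf dropped, with the rule number that matched.
    return [r for r in parse_pflog(text) if r["action"] == "block" and r["kind"]]
```

Run `blocked_ipsec` over the real pflog0 output; a "tunnel" hit on enc0 means the packet arrived decrypted and was then dropped by pf, which is a different failure than IKE or ESP never getting through on the external interface.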



