
PIX <-> OpenBSD <-> OpenBSD VPN Questions



I have site_a with a PIX as the default gateway for lan_a, as well as the firewall
for lan_a. site_a also has an OpenBSD/pf/OpenVPN box hanging off an
interface of the PIX. site_b has an OpenBSD/pf/OpenVPN box as the default gateway
and firewall. I have the OpenVPN connection working, to the point that from
either OpenBSD box I can ping the opposite endpoint of the VPN. I
believe the PIX is not passing traffic/routing properly back to the VPN.

from inside site_b, a traceroute from 10.10.x.y to a machine in site_a

traceroute 172.16.x.y
traceroute to 172.16.x.y (172.16.x.y), 30 hops max, 38 byte packets
 1  site_b_gw (10.10.x.y)  0.169 ms  0.196 ms  0.115 ms
 2  10.1.x.y (10.1.x.y)  2.233 ms  2.678 ms  2.355 ms
 3  * * *

on the site_b fw:

07:05:25.203810 10.10.x.y.33553 > 172.16.x.y.33441:  udp 10
07:05:30.198459 10.10.x.y.33553 > 172.16.x.y.33442:  udp 10

on site_a fw:

07:07:05.344460 10.10.x.y.33553 > 172.16.x.y.33448:  udp 10
07:07:10.342302 10.10.x.y.33553 > 172.16.x.y.33449:  udp 10


I've got a route on the PIX saying any VPN-bound traffic is to be passed
to the interface that the site_a OpenBSD box is on, but I don't see the
traffic coming back. Maybe I applied it to the wrong interface or something,
but when I try to apply it to the other interface I get told that the route
exists. I *think* it's the PIX, but am not 100% sure. This is a bit OT, but
if someone can suggest things to be sure of on the PIX that are set or not
set, as well as some commands to further debug this, that would be great.
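The two tcpdump snippets above show the symptom: probes leave each firewall toward 172.16.x.y and nothing comes back. As an added example (not part of the original post or of any OpenBSD/PIX tooling), the script below parses tcpdump lines in the format quoted in the post and reports host pairs for which packets are seen in only one direction, which is the pattern a missing return route produces. The sample capture is constructed; the addresses in it are placeholders standing in for the x.y octets the poster masked.

```python
import re
from collections import defaultdict

# Matches the classic tcpdump one-liners quoted in the post, e.g.
#   07:05:25.203810 10.10.x.y.33553 > 172.16.x.y.33441:  udp 10
# as well as portless lines such as ICMP replies:
#   07:07:12.102000 10.1.1.1 > 10.10.1.20: icmp: time exceeded in-transit
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<proto>\w+)"
)

def parse_capture(text):
    """Yield (src_host, dst_host, proto) for every parseable tcpdump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto")

def one_way_hosts(text):
    """Return {(src, dst): packet_count} for host pairs with no reverse traffic.

    Packets are counted per directed host pair; a pair whose reverse direction
    never appears on this firewall is a candidate for a broken return path
    (packets forwarded out the VPN, replies routed somewhere else)."""
    counts = defaultdict(int)
    for src, dst, _ in parse_capture(text):
        counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items()
            if counts.get((pair[1], pair[0]), 0) == 0}

# Constructed sample: hop 2 (10.1.1.1) answers the traceroute probes, while
# probes to the site_a LAN host 172.16.1.30 are never answered.
SAMPLE = """\
07:07:05.344460 10.10.1.20.33553 > 172.16.1.30.33448:  udp 10
07:07:10.342302 10.10.1.20.33553 > 172.16.1.30.33449:  udp 10
07:07:12.100000 10.10.1.20.33553 > 10.1.1.1.33434:  udp 10
07:07:12.102000 10.1.1.1 > 10.10.1.20: icmp: time exceeded in-transit
"""

if __name__ == "__main__":
    for (src, dst), n in one_way_hosts(SAMPLE).items():
        print(f"{src} -> {dst}: {n} packet(s) sent, no reply seen")
```

Run it against `tcpdump -n -i <iface>` output saved from each firewall; a pair that is one-way on site_a's OpenBSD box but two-way on the PIX's inside interface points at the hop in between.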


