Folks, I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd, something I've done many times before. The other end is a Sonicwall NSA 4500, which I've used as an endpoint before as well. My ipsec.conf file is:
> ike active esp \
>     from 192.168.144.0/24 \
>     to { 10.101.0.0/16, \
>          10.102.0.0/16, \
>          10.103.0.0/16, \
>          10.104.0.0/16, \
>          172.27.199.0/24 } \
>     peer [Sonicwall IP] \
>     main \
>         auth hmac-sha1 \
>         enc aes-128 \
>         group modp2048 \
>         lifetime 28800 \
>     quick \
>         auth hmac-sha1 \
>         enc aes-128 \
>         group modp2048 \
>         lifetime 28800 \
>     psk [PSK redacted]

However, the output of ipsecctl -s flow is:

> # ipsecctl -s flow
>
> FLOWS:
> flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.104.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.104.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.103.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.103.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.102.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.102.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> ***** flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> ***** flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 172.27.199.0/24 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 172.27.199.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
> flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
> flow esp out from 192.168.144.0/24 to 10.101.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require

Note the two starred flows that are not listed in my ipsec.conf configuration. The 172.16.0.0/16 subnet does exist on the Sonicwall end, and I'm pretty sure that the Sonicwall is requesting that a flow be set up for that subnet. However, I would think that my OpenBSD router would not create that flow since it's not in my ipsec.conf. Any ideas why it's being created anyway? I won't be in a position to see if the flow is really live until tomorrow morning.

--Paul
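The comparison Paul is doing by eye, as an added example (not from the post, not OpenBSD code): a Python 3.7+ script that pulls the "to" networks out of an ipsec.conf fragment and flags every flow in ipsecctl -s flow output whose remote network is not inside one of them, so an installed flow the peer negotiated but the local config never listed shows up in monitoring. The config and flow lines are constructed from the values in the post; only 172.16.0.0/16 should be reported.

```python
import ipaddress
import re

# Constructed sample modelled on the post: the ipsec.conf "to" list and a
# subset of the flows ipsecctl -s flow printed (addresses as on the page).
IPSEC_CONF = """
ike active esp \\
    from 192.168.144.0/24 \\
    to { 10.101.0.0/16, 10.102.0.0/16, 10.103.0.0/16, \\
         10.104.0.0/16, 172.27.199.0/24 } \\
    peer 65.75.99.66
"""

FLOWS = """
flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
"""

def configured_remotes(conf):
    """Networks named after 'to', either a single network or a { a, b } set."""
    text = conf.replace("\\\n", " ")  # join backslash-continued lines first
    m = re.search(r"\bto\s+(\{[^}]*\}|\S+)", text)
    if not m:
        return []
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in m.group(1).strip("{} ").split(",")]

def unexpected_flows(flows, remotes):
    """(direction, remote network) for flows whose remote side is outside
    every configured 'to' network; a host flow inside a listed /16 is fine."""
    bad = []
    for line in flows.splitlines():
        m = re.match(r"flow esp (in|out) from (\S+) to (\S+)", line.strip())
        if not m:
            continue
        direction, src, dst = m.groups()
        # inbound flows carry the remote network as source, outbound as destination
        remote = ipaddress.ip_network(src if direction == "in" else dst, strict=False)
        if not any(remote.version == r.version and remote.subnet_of(r) for r in remotes):
            bad.append((direction, str(remote)))
    return bad

if __name__ == "__main__":
    for direction, net in unexpected_flows(FLOWS, configured_remotes(IPSEC_CONF)):
        print(f"flow {direction} {net}: not in ipsec.conf, check what the peer proposed")
```

On a live router, feed it the real files instead of the constructed strings (open("/etc/ipsec.conf").read() and the output of ipsecctl -s flow) and run it from cron to catch flows the peer adds after a rekey.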