On 2019-01-10, Daniel Ouellet <dan...@presscom.net> wrote:
> I have two separate subnets (on different interfaces) on a router. I am
> trying to tunnel both subnets over the internet to another router on my
> network. I can tunnel one subnet easily and everything works as
> expected, but when I tunnel the 2nd subnet, then traffic from one local
> subnet is no longer forwarded to the other subnet, but is
> unconditionally sent into the ipsec tunnel, bypassing the routing table.

OpenBSD's implementation of ipsec doesn't use the routing table; if you
want that (unless you make code changes) you will need to use a
different tunnel interface (gif or others) and just use ipsec to protect
the gif traffic.

> Traffic flows between the two subnets as expected when iked is disabled.
>
> I thought I should be able to use config like this:
>
> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
> ikev2 "Flow" active \
>         from re1 to tunnel.realconnect.com \
>         from re1 to stats.realconnect.com \
>         from 66.63.44.66 to 0.0.0.0/0 \
>         from 66.63.44.67 to 66.63.0.0/18 \
>         from 66.63.44.67 to christine-home.realconnect.com \
>         from home.ouellet.us to 0.0.0.0/0 \
>         from 66.63.44.96/27 to 0.0.0.0/0 \
>         peer tunnel.realconnect.com
>
> but then I get the problem described above, where traffic stops flowing
> between the local subnets - machines on subnet 66.63.44.96/27 (behind
> re1) cannot talk to machines on 66.63.44.64/27 (behind re1) - the
> traffic is unconditionally sent to enc0 instead.
>
> To get this to work, I've had to configure each flow to cover the entire
> ipv4 space except for the two local subnets. This gets even uglier,
> because doing so results in lines which are apparently too long to
> parse, and iked refuses to start unless I break it into multiple smaller
> flows.

Sounds like you want bypass flows for 66.63.44.96/27 <> 66.63.44.64/27.
IIRC you can still use ipsecctl/ipsec.conf to configure them even
with iked running (the only bypass flows iked will add itself are the
automatic "mess with v6 traffic" ones, there's no iked.conf way to do
this flexibly).
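An added example (not from the thread) of what such bypass flows look like in ipsec.conf for the two subnets named above, loaded with ipsecctl while iked keeps its own flows:

```conf
# /etc/ipsec.conf -- added example, not from the original thread.
# Bypass flows so traffic between the two local subnets is handled by
# the normal routing table instead of being captured into enc0 by the
# iked-installed flows. Protocol (esp) and both directions are covered
# by giving each subnet as source once.
flow esp from 66.63.44.96/27 to 66.63.44.64/27 type bypass
flow esp from 66.63.44.64/27 to 66.63.44.96/27 type bypass
```

Load with `ipsecctl -f /etc/ipsec.conf` and check the installed flows with `ipsecctl -sf`; do not use `ipsecctl -F` here, since that flushes all flows, including the ones iked installed.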
