On a variety of 3rd party platforms, I often establish an SA between two IPSec devices with a /16 of RFC 1918 space on one side and a /24 on the other (sometimes as much as a /19).
This "uneven" size subnet arrangement prevents the need for full-mesh in a large corporate network. It allows for hub & spoke. I remember an OpenBSD 3.6-era bug, which I was certain was PR'd and fixed, that caused this configuration to fail. On a remote branch office policy router, I have the following ENCAP family routes (below) Here's the problem: 1) Traffic sourced from the internal interface (192.168.64.1/24) for the directly connected subnet 192.168.64.0/24 is transmitted accross the tunnel in ESP 2) Traffic from the locally connected subnet reaches the interface of the internal (64.1/24), but reply packets are attempted to forward accross the tunnel instead of back out of the physical interface Routing tables # netstat -rn -rf encap Encap: Source Port Destination Port Proto SA(Address/Proto/Type/Direction) 192.168/16 0 192.168.64/24 0 0 206.210.89.200/esp/use/in 192.168.64/24 0 192.168/16 0 0 206.210.89.200/esp/require/out # netstat -rn -f inet Internet: Destination Gateway Flags Refs Use Mtu Interface default 71.166.xxx.xxx UGS 11 173981 - em2 71.166.245/24 link#3 UC 1 0 - em2 192.168.64/24 link#1 UC 4 0 - em0 Strange as hell.... $ sudo tcpdump -i em0 -s 256 "!port 22" $ ping 192.168.64.100 PING 192.168.64.100 (192.168.64.100): 56 data bytes [but, what is seen on another terminal] [1] sudo tcpdump -i em2 -s 256 "!port 22" 20:00:28.610672 esp xxxxx.east.verizon.net > vpncxxx.pub.collaborativefusion.com spi 0x0ACAEE17 seq 89 len 116 ICMP packets giving me the old slip-a-roo out the back door >:} -- Brian A. Seklecki <[EMAIL PROTECTED]> IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
