Hi list,
I have a firewall using the - very elegant - ipsec.conf to build tunnels
to various Ciscos, Watchguards and other OpenBSD machines. My
/etc/ipsec.conf is autogenerated and contains lots of:
# bla-bla.router.company.example - router for location bla-bla
ike esp from 192.168.100.0/24 to 192.168.145.0/24 peer xxx.xxx.xxx.xxx \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk "IWouldLoveTheGoatThankYouVeryMuch" tag "bla-bla.router.company.example"
To identify the packets belonging to a particular VPN we assign a tag to
each connection corresponding to its location name. Recently I had an IP
address of a location change so I modified the IP address in ipsec.conf,
carefully checked with -n and reloaded. This did not cause a new SA to
be created to the new IP address. After much head-scratching I
eventually changed the tag to something else and the tunnel was created
right away. I thought tags were just tacked onto a packet by PF to
facilitate further internal handling but apparently there is more to it
than that. Is this by design and am I missing some important point about
either ipsec.conf or tagging? (or states?) On a related note, it would
be nice to have a -K flow switch for ipsecctl to delete specific
flows. But I imagine there is a good reason for its absence due to the
change of requiring -k to show secret keying material. IPsec on this
firewall has been absolutely rock-solid by the way, about 60 flows using
a mix of 3DES and AES. Much better than the fancy Watchguard box that it
replaced.
--
Michiel van der Kraats
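The situation in the post (a regenerated ipsec.conf where a peer address changed but the tag did not) is easy to catch before reloading. The script below is an added example, not code from the post or from OpenBSD; it joins backslash-continued ike/flow rules in the layout shown above, extracts each rule's peer and tag, and reports every tag whose peer differs between the old and the new file. The peer addresses and the second location in the sample are constructed for the demonstration. It makes no claim about how ipsecctl itself treats the tag; it only flags the combination the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): flag ipsec.conf rules whose
# peer address changed while their tag stayed the same.
# Assumes one rule per logical line, joined with trailing backslashes, with
# "peer <addr>" and "tag \"<name>\"" tokens as in the post's generated file.

# Print "tag peer" for every ike/flow rule in the given ipsec.conf.
ipsec_tag_peers() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
        {
            line = buf $0; buf = ""
            if (line !~ /^[ \t]*(ike|flow) /) next
            peer = ""; tag = ""
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "peer") peer = w[i + 1]
                if (w[i] == "tag") { tag = w[i + 1]; gsub(/"/, "", tag) }
            }
            if (tag != "" && peer != "") print tag, peer
        }
    ' "$1"
}

# Print "tag old_peer new_peer" for each tag present in both files whose
# peer address differs. $1 is the previous ipsec.conf, $2 the regenerated one.
ipsec_peer_changes() {
    old=$(mktemp); new=$(mktemp)
    ipsec_tag_peers "$1" > "$old"
    ipsec_tag_peers "$2" > "$new"
    awk 'FILENAME == ARGV[1] { old[$1] = $2; next }
         ($1 in old) && old[$1] != $2 { print $1, old[$1], $2 }' "$old" "$new"
    rm -f "$old" "$new"
}

# Demonstration on a constructed pair of files: the first location's router
# moves from 203.0.113.10 to 203.0.113.20 but keeps its tag.
demo() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
# bla-bla.router.company.example - router for location bla-bla
ike esp from 192.168.100.0/24 to 192.168.145.0/24 peer 203.0.113.10 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk "IWouldLoveTheGoatThankYouVeryMuch" tag "bla-bla.router.company.example"
# foo.router.company.example - router for location foo (constructed)
ike esp from 192.168.100.0/24 to 192.168.150.0/24 peer 203.0.113.11 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
psk "AnotherConstructedSecret" tag "foo.router.company.example"
EOF
    sed 's/peer 203\.0\.113\.10 /peer 203.0.113.20 /' "$before" > "$after"
    ipsec_peer_changes "$before" "$after"
    rm -f "$before" "$after"
}

demo
```

Run it against the previous and the freshly generated file (for example `ipsec_peer_changes /etc/ipsec.conf.old /etc/ipsec.conf`) before `ipsecctl -f`; any line it prints is a rule whose tag you may want to inspect or rename before reloading, as the poster ended up doing.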