1. what is the (0.0.0.0/0) good for?
2. how are you inspecting traffic in the tunnel?
3. is NAT allowed in the tunnel?
4. you may have let in more networks than you realize

-damon
--- On Thu, 11/25/10, Andrea Parazzini <a.parazz...@sirtisistemi.net> wrote:

From: Andrea Parazzini <a.parazz...@sirtisistemi.net>
Subject: ipsec vpn unexpected flow
To: misc@openbsd.org
Date: Thursday, November 25, 2010, 2:40 PM

Hi,

we have a vpn connection with a customer. The remote peer is not under our management. Our box is an OpenBSD 4.7 i386. We have configured the vpn as follows:

/etc/rc.conf.local

ipsec=YES
isakmpd_flags="-K -v"

/etc/ipsec.conf

ike active esp tunnel \
    from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
    local A.B.C.D peer W.X.Y.Z \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk "PRESHAREDKEY"

The vpn works fine, but there is a strange thing. With "netstat -nrf encap" I see something like:

Source          Port Destination     Port Proto SA
192.168.71/24   0    10.1/16         0    0     W.X.Y.Z/esp/use/in
10.1/16         0    192.168.71/24   0    0     W.X.Y.Z/esp/require/out
192.168.90/24   0    default         0    0     W.X.Y.Z/esp/use/in
default         0    192.168.90/24   0    0     W.X.Y.Z/esp/require/out

As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior? How can I protect myself from an incorrect configuration on the remote peer?

Thanks.

Regards,
Andrea
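One way to answer the "how can I protect myself" question, as an added example that is not part of either message in the thread: a sh script that reads the flow table as printed by "netstat -nrf encap" and flags every flow whose endpoints are not the networks named in the ipsec.conf above. The sample table is the one quoted in the thread, and the ALLOWED list (only 10.1/16 and 192.168.90/24, in netstat's abbreviated notation) is an assumption drawn from that ipsec.conf; "default" is how netstat prints the 0.0.0.0/0 wildcard.

```shell
#!/bin/sh
# Added example: audit the IPsec flow table (SPD) that "netstat -nrf encap"
# prints on OpenBSD and report every flow whose endpoints are not among the
# networks we intended to tunnel. "default" is how netstat prints 0.0.0.0/0,
# so a flow with "default" on either side admits traffic from or to anywhere.

# Constructed sample input: the flow table quoted in the thread above.
SAMPLE_FLOWS='Source Port Destination Port Proto SA
192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in
10.1/16 0 192.168.71/24 0 0 W.X.Y.Z/esp/require/out
192.168.90/24 0 default 0 0 W.X.Y.Z/esp/use/in
default 0 192.168.90/24 0 0 W.X.Y.Z/esp/require/out'

# Assumption: only the two networks named in the ipsec.conf above are intended,
# written the way netstat abbreviates them (10.1.0.0/16 appears as 10.1/16).
ALLOWED="10.1/16 192.168.90/24"

# unexpected_flows ALLOWED
# Reads a flow table on stdin; prints one line per flow with a source or
# destination outside ALLOWED and exits 1 if any were found, 0 otherwise.
unexpected_flows() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Source" { next }            # column header
        NF < 6 { next }                    # blank or unrelated lines
        {
            src = $1; dst = $3; sa = $6
            reason = ""
            if (src == "default" || dst == "default") reason = "wildcard 0.0.0.0/0"
            else if (!(src in ok) || !(dst in ok)) reason = "network not in ipsec.conf"
            if (reason != "") {
                bad++
                printf "UNEXPECTED %-15s -> %-15s %s (%s)\n", src, dst, sa, reason
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# count_unexpected: number of flagged flows in the sample table (4 here).
count_unexpected() {
    printf '%s\n' "$SAMPLE_FLOWS" | unexpected_flows "$ALLOWED" | wc -l | tr -d ' '
}

# Live use on the gateway would be: netstat -nrf encap | unexpected_flows "$ALLOWED"
printf '%s\n' "$SAMPLE_FLOWS" | unexpected_flows "$ALLOWED" ||
    echo "flow table is wider than ipsec.conf; review the peer's configuration"
```

Run from cron on the gateway, a non-zero exit from unexpected_flows is a cheap alarm that the peer has negotiated selectors you did not configure.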