Re: ipsec vpn unexpected flow

2010-11-28 Thread Stuart Henderson
On 2010/11/27 23:47, Andrea Parazzini wrote: > On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson> > wrote: > > isakmpd.policy(5), and have some aspirin ready for the inevitable > > headache. > > > Stuart is right. > I tried to play with isakmpd.policy and it's rather complicated. > Read

Re: ipsec vpn unexpected flow

2010-11-27 Thread Andrea Parazzini
On Thu, 11/25/10, Andrea Parazzini wrote: > Hi, > we have a vpn connection with a customer. > The remote peer is not under our management. > Our box is an OpenBSD 4.7 i386. > We have configured the vpn as follows: > > /etc/rc.conf.local > ipsec=YES > isakmpd_flags="-K -v" > > /etc/ipsec.conf > i

Re: ipsec vpn unexpected flow

2010-11-26 Thread Andrea Parazzini
On Fri, 26 Nov 2010 12:58:09 + (UTC), Stuart Henderson wrote: > On 2010-11-25, Andrea Parazzini wrote: >> As you can see there is a flow that is not configured on our box. >> It is probably configured on the remote peer. >> Is this normal behavior? > > Yes. This is especially fun when you end u

Re: ipsec vpn unexpected flow

2010-11-26 Thread Stuart Henderson
On 2010-11-25, Andrea Parazzini wrote: > As you can see there is a flow that is not configured on our box. > It is probably configured on the remote peer. > Is this normal behavior? Yes. This is especially fun when you end up accidentally routing all traffic from a 100mb-connected site down an ADSL

Re: ipsec vpn unexpected flow

2010-11-26 Thread Andrea Parazzini
On Fri, 26 Nov 2010 10:32:59 +0330, Bahador NazariFard wrote: > On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini < > a.parazz...@sirtisistemi.net> wrote: > >> Hi, >> "from 10.1.0.0/16" is the network id that I would negotiate with the >> remote >> peer. >> "(0.0.0.0/0)" is our real network, we h

Re: ipsec vpn unexpected flow

2010-11-25 Thread Bahador NazariFard
On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini < a.parazz...@sirtisistemi.net> wrote: > Hi, > "from 10.1.0.0/16" is the network id that I would negotiate with the > remote > peer. > "(0.0.0.0/0)" is our real network, we have a lot of networks behind this > box. > We perform NAT on traffic leavi

Re: ipsec vpn unexpected flow

2010-11-25 Thread Andrea Parazzini
Hi, "from 10.1.0.0/16" is the network id that I would negotiate with the remote peer. "(0.0.0.0/0)" is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel. 192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in 10.1/16

Re: ipsec vpn unexpected flow

2010-11-25 Thread Damon Schlosser
1. what is the (0.0.0.0/0) good for? 2. how are you inspecting traffic in the tunnel? 3. is nat allowed in the tunnel? 4. you may have let in more networks than you realize -damon --- On Thu, 11/25/10, Andrea Parazzini wrote: From: Andrea Parazzini Subject: ipsec vpn unexpected flow To: misc@open