Firewall Wizards mailing list archives
Re: OpenBSD IPSEC VPN question
From: Chris Buechler <fw-wiz () chrisbuechler com>
Date: Tue, 30 Apr 2013 19:45:12 -0500
On Mon, Apr 29, 2013 at 6:39 AM, David Lang <david () lang hm> wrote:
I'm seeing some odd reports on the rsyslog mailing list where someone is claiming that when using an IPSEC VPN on OpenBSD they have to explicitly set the source IP address for all connections out from the firewall (tunnel endpoint) or else the connection won't go through the tunnel. The person reporting this is proposing modifications to rsyslog to have it force the local IP address for outbound connections as a work-around for this problem. This sounds very wrong to me, but can anyone speak up who knows this OS?
This is true of all the BSDs with IPsec (and maybe Linux and other *nix OSes, but not sure of those). Traffic that doesn't have a specific source IP set gets the source IP that's closest to the destination per the routing table. IPsec doesn't have a routing table entry; traffic follows the SPD. So it ends up getting the IP that's nearest the default gateway, which is most always a public IP, which is most always not going to match the IPsec SPD. Traffic only goes across the VPN if the source IP is set to a private local IP matching the SPD.

There's an ugly workaround to add a static route pointing the remote IPsec network to the LAN IP of the box, which will make the OS source its traffic to that remote network appropriately and not require specifying the source IP.

Regardless, having an option of what source IP to use for rsyslog would come in handy in cases other than this and is probably a good idea.

Chris
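As an added example (not code from this thread or from rsyslog), here is what "forcing the local IP address for outbound connections" amounts to in practice: the sender calls bind() on the chosen LAN address before sending, so the kernel does not pick the source by route lookup and the packet can match the IPsec SPD. The collector below is a constructed loopback listener so the demo runs offline; the hostname, tag and message are made-up sample values.

```python
import socket
import time


def syslog_message(facility, severity, hostname, tag, msg):
    """Build an RFC 3164 style syslog line; PRI is facility*8 + severity."""
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


def send_syslog(dest, message, source_ip=None, dest_port=514):
    """Send one UDP syslog datagram and return the source address used.

    Without source_ip the kernel selects the source from the routing table,
    which on a BSD IPsec gateway is usually the public address and therefore
    does not match the SPD.  With source_ip we bind() first, pinning the
    source to the LAN address that the SPD expects.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if source_ip is not None:
            sock.bind((source_ip, 0))      # explicit source, ephemeral port
        sock.connect((dest, dest_port))    # lets getsockname() report the source
        sock.send(message.encode())
        return sock.getsockname()[0]
    finally:
        sock.close()


def receive_one(listener, timeout=2.0):
    """Read one datagram from a bound UDP socket; return (text, peer_ip)."""
    listener.settimeout(timeout)
    data, addr = listener.recvfrom(4096)
    return data.decode(), addr[0]


def demo():
    """Loopback round trip: constructed collector on 127.0.0.1, random port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    msg = syslog_message(1, 6, "fw1", "vpn-test", "sent from explicit source")
    used_src = send_syslog("127.0.0.1", msg, source_ip="127.0.0.1", dest_port=port)
    received, peer = receive_one(listener)
    listener.close()
    return used_src, peer, received == msg


if __name__ == "__main__":
    print(demo())
```

On a real gateway you would pass the LAN address covered by the SPD as source_ip and the remote collector as dest; the loopback run only shows the mechanism.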