Firewall Wizards mailing list archives

Re: OpenBSD IPSEC VPN question


From: Chris Buechler <fw-wiz () chrisbuechler com>
Date: Tue, 30 Apr 2013 19:45:12 -0500

On Mon, Apr 29, 2013 at 6:39 AM, David Lang <david () lang hm> wrote:
I'm seeing some odd reports on the rsyslog mailing list where someone is
claiming that when using an IPSEC VPN on OpenBSD they have to explicitly set
the source IP address for all connections out from the firewall (tunnel
endpoint) or else the connection won't go through the tunnel. The person
reporting this is proposing modifications to rsyslog to have it force the
local IP address for outbound connections as a work-around for this problem.

This sounds very wrong to me, but can anyone speak up who knows this OS?


This is true of all the BSDs with IPsec (and maybe Linux and other
*nix OSes but not sure of those). Traffic that doesn't have a specific
source IP set gets the source IP that's closest to the destination per
the routing table. IPsec doesn't have a routing table entry, traffic
follows the SPD. So it ends up getting the IP that's nearest the
default gateway, which is most always a public IP, which is most
always not going to match the IPsec SPD. Traffic only goes across the
VPN if the source IP is set to a private local IP matching the SPD.
There's an ugly workaround to add a static route pointing the remote
IPsec network to the LAN IP of the box, which will make the OS source
its traffic to that remote network appropriately and not require
specifying the source IP.

Regardless, having an option of what source IP to use for rsyslog
would come in handy in cases other than this and is probably a good
idea.

Chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
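To make the source-selection behaviour Chris describes concrete, here is an added Python model (not code from the post, and not OpenBSD's implementation) that mimics longest-prefix route lookup for the default source address and a separate SPD check. Interface names, addresses and the SPD flow are all constructed; it walks through the unbound case, the explicit-bind case, and the static-route workaround.

```python
import ipaddress

# Constructed sample data (added example, not from the post): a BSD-style
# IPsec gateway with a public WAN address and a private LAN address.
INTERFACES = {
    "em0": "203.0.113.10",  # WAN, the interface the default route uses
    "em1": "192.168.1.1",   # LAN, the address the SPD expects as source
}

# Routing table as (prefix, egress interface); longest prefix match wins.
# The IPsec tunnel has no entry here, exactly as the post describes.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "em0"),
    (ipaddress.ip_network("192.168.1.0/24"), "em1"),
]

# SPD flow: only local LAN -> remote LAN (10.2.0.0/24) is protected.
SPD = [(ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.2.0.0/24"))]


def pick_source(dst, routes=ROUTES):
    """Kernel-style default source selection: the address of the interface
    on the longest-prefix route to dst. The SPD plays no part in this."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return INTERFACES[best[1]]


def spd_match(src, dst):
    """True if (src, dst) lies inside a protected flow and so enters the tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in SPD)


def add_route(prefix, iface, routes=ROUTES):
    """Routing table with one extra static entry (the workaround in the post)."""
    return routes + [(ipaddress.ip_network(prefix), iface)]


def goes_through_tunnel(dst, explicit_src=None, routes=ROUTES):
    """Return (protected, source_used) for a locally originated packet to dst."""
    src = explicit_src or pick_source(dst, routes)
    return spd_match(src, dst), src


if __name__ == "__main__":
    # 1. Unbound socket: default route wins, WAN address is chosen, SPD misses.
    print(goes_through_tunnel("10.2.0.5"))                 # (False, '203.0.113.10')
    # 2. Application binds the LAN address (the rsyslog proposal): SPD hits.
    print(goes_through_tunnel("10.2.0.5", "192.168.1.1"))  # (True, '192.168.1.1')
    # 3. Static route for the remote network via the box's own LAN IP; the
    #    kernel resolves that gateway to em1, so the LAN address is chosen.
    print(goes_through_tunnel("10.2.0.5", routes=add_route("10.2.0.0/24", "em1")))
```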

