Firewall Wizards mailing list archives
Re: OpenBSD IPSEC VPN question
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 30 Apr 2013 21:29:23 -0400
It's been a while since I've done it, but Linux used to make an ipsec0 interface that was handled with the standard routing table. Possibly in *BSD you need to use a gre or gif tunnel to achieve the same thing?

Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
http://pauldrobertson.net
http://pauldrobertson.com
@compuwar

On Apr 30, 2013, at 20:45, Chris Buechler <fw-wiz () chrisbuechler com> [snip]
This is true of all the BSDs with IPsec (and maybe Linux and other *nix OSes, but not sure of those). Traffic that doesn't have a specific source IP set gets the source IP that's closest to the destination per the routing table. IPsec doesn't have a routing table entry; traffic follows the SPD. So it ends up getting the IP that's nearest the default gateway, which is most always a public IP, which is most always not going to match the IPsec SPD. Traffic only goes across the VPN if the source IP is set to a private local IP matching the SPD.

There's an ugly workaround to add a static route pointing the remote IPsec network to the LAN IP of the box, which will make the OS source its traffic to that remote network appropriately and not require specifying the source IP.

Regardless, having an option of what source IP to use for rsyslog would come in handy in cases other than this and is probably a good idea.

Chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
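The source-selection behaviour Chris describes, modelled as an added example (not code from the thread): an unbound socket on the firewall is sourced from the interface of the route that matches the destination, so traffic to the remote IPsec network gets the public uplink address and misses the SPD; binding a LAN source, or adding the static route for the remote network via the box's own LAN IP, makes it match. All addresses, interface names and the SPD entry are constructed for the demonstration.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed firewall: em0 is the public uplink, em1 the LAN (names assumed).
INTERFACES = {"em0": "203.0.113.10", "em1": "192.168.1.1"}

# Routing table entries: (prefix, next hop or None if directly connected, interface).
ROUTES = [
    (IPv4Network("0.0.0.0/0"), "203.0.113.1", "em0"),
    (IPv4Network("203.0.113.0/24"), None, "em0"),
    (IPv4Network("192.168.1.0/24"), None, "em1"),
]

# The "ugly workaround": a static route for the remote IPsec network via the box's LAN IP.
ROUTES_WITH_WORKAROUND = ROUTES + [(IPv4Network("10.20.0.0/16"), "192.168.1.1", "em1")]

# Constructed SPD: only LAN-sourced traffic to the remote network is protected.
SPD = [(IPv4Network("192.168.1.0/24"), IPv4Network("10.20.0.0/16"))]

def lookup(routes, dst):
    """Longest-prefix match. IPsec adds no entry, so a remote net falls to the default route."""
    dst, best = IPv4Address(dst), None
    for prefix, gw, ifname in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, ifname)
    return best

def pick_source(routes, dst):
    """Unbound socket: the kernel sources from the interface of the matched route."""
    hit = lookup(routes, dst)
    return None if hit is None else INTERFACES[hit[2]]

def spd_match(src, dst):
    """True if a (src, dst) pair is covered by a protect policy."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    return any(src in s_net and dst in d_net for s_net, d_net in SPD)

def uses_vpn(routes, dst, src=None):
    """Would the packet be IPsec-protected? src=None means the socket was left unbound."""
    src = src if src is not None else pick_source(routes, dst)
    return src is not None and spd_match(src, dst)

if __name__ == "__main__":
    dst = "10.20.5.5"  # constructed remote syslog host behind the VPN
    print("default table, unbound:", pick_source(ROUTES, dst), uses_vpn(ROUTES, dst))
    print("default table, bound to LAN IP:", uses_vpn(ROUTES, dst, "192.168.1.1"))
    print("with static route:", pick_source(ROUTES_WITH_WORKAROUND, dst),
          uses_vpn(ROUTES_WITH_WORKAROUND, dst))
```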