On 2011/07/19 21:45, Markus Friedl wrote:
> All OpenBSD versions should have this problem as it's due to the way how
> IPsec-flows are encoded in the routing table and I could not find an easy
> fix.
The easiest fix if you control both ends is probably to just use gif(4) tunnels. For people who don't control both ends, RFC3884 IIPtran would be a way to handle this. IPsec is negotiated as for tunnel mode, but when setting things up in the kernel, rather than adding flows to attract the traffic, you actually set up a gif(4) to handle the traffic according to the normal routing table, then transport mode is used to encrypt it - the resulting packet format is compatible with a normal client in tunnel-mode.
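One concrete shape of the gif(4) plus transport-mode layout the reply describes, as an added example that is not from the thread or from OpenBSD's own documentation. The outer endpoints 192.0.2.1 / 198.51.100.1, the inner 10.1.1.0/30 link and the 10.2.0.0/16 remote network are constructed values, and the PSK is a placeholder.

```conf
# /etc/hostname.gif0 on the 192.0.2.1 side (constructed addresses).
# The gif interface is selected by ordinary routes, so nothing has to be
# encoded as an IPsec flow in the routing table.
tunnel 192.0.2.1 198.51.100.1
inet 10.1.1.1 255.255.255.252 10.1.1.2
!route add -inet 10.2.0.0/16 10.1.1.2

# /etc/ipsec.conf on the same host (isakmpd), mirrored on the peer.
# Transport-mode ESP between the two outer endpoints protects the
# IP-in-IP packets gif emits, so the wire format is
# outer IP | ESP | inner IP | payload, which a tunnel-mode peer accepts.
ike esp transport from 192.0.2.1 to 198.51.100.1 \
        psk "PLACEHOLDER-psk"
```

The peer uses the same two files with the addresses swapped; `netstat -rn` then shows only the gif0 routes, with no flow entries.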
