Use flow bypass in ipsecadm?

-- Raul

On Wed, Aug 19, 2015 at 3:15 PM, Witold Cichoń <[email protected]> wrote:
> I'm sorry, I missed a sentence:
>
>> You need a bypass flow to go with this 0.0.0.0/0 entry.
>
> Any advice on how to do that?
>
> Stuart Henderson wrote:
>>
>> On 2015/08/19 18:52, Witold Cichoń wrote:
>>>
>>> Hello
>>>
>>> I use OpenBSD version 5.7.
>>> I noticed a problem with the routing of IPsec.
>>> I'm trying to redirect all traffic from a private subnet (192.168.127.0/24)
>>> to another host.
>>
>> ..
>>>
>>> FLOWS:
>>> flow esp in from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
>>> flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
>>
>> ..
>>
>>> I am trying to ping a host directly connected to host A, but all packets
>>> are going into the IPsec channel (interface enc0). I think packets should
>>> go to interface rl0.
>>
>> OpenBSD's ipsec implementation is flow-based, not route-based. It will
>> hoover up all packets matching the flow irrespective of route table
>> entries directing them elsewhere (including your local connected routes).
>>
>> You need a bypass flow to go with this 0.0.0.0/0 entry.
>>
>>> In previous versions of OpenBSD the command netstat -rn showed routes
>>> associated with IPsec. In version 5.7, this information was gone. Is there
>>> any other way to see the routes associated with IPsec?
>>
>> The best I think you can find at the moment is the FLOWS section
>> in "ipsecctl -sa".
>>
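One concrete shape for the bypass flow Stuart describes, as an added ipsec.conf(5) example that is not from the thread; it assumes 192.168.127.0/24 and the peer placeholder b.b.b.b from the original post, and uses 192.0.2.0/24 as a stand-in for the network directly attached to rl0, which the thread never names:

```conf
# /etc/ipsec.conf (constructed example, not the poster's actual file)
#
# Assumptions: 192.168.127.0/24 is the private subnet behind host A and
# b.b.b.b is the remote peer (both from the thread); 192.0.2.0/24 is a
# placeholder for the network directly connected on rl0.

# Traffic that must stay in the clear needs its own, more specific flow.
# The kernel picks the most specific matching flow, so this bypass entry
# wins over the 0.0.0.0/0 require flow below and keeps the directly
# connected network off enc0.
flow from 192.168.127.0/24 to 192.0.2.0/24 type bypass

# Everything else leaving the private subnet is tunnelled to the peer.
# A single ipsec.conf flow line installs both the "in" and "out" flows
# that ipsecctl -sa later lists under FLOWS.
flow esp from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
```

Parse it without loading it with `ipsecctl -nf /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and confirm the bypass entry now appears alongside the require flows in `ipsecctl -sf`.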
