On 20 Jul 2020, at 15:15, Stuart Henderson wrote:
Moving to bugs@:
In gmane.os.openbsd.misc, Anton Kasmov wrote:
I am using OpenBSD 6.7
iked does not respect mixing ports in the source and the destination of traffic selectors.
Such policy in iked.conf

ikev2 "epsilon" active \
    proto tcp \
    from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
    from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
    from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
    peer d.d.d
Produces wrong flows (specifying only destination port from first selector):

flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
Actually whatever is used as "port" on the first selector is used for all other selectors; if there is no port on the first selector, no port is used for any others.
I had a look but I think it's beyond my yacc skills.
I reported the same bug in the beginning of 2019. Thread at https://marc.info/?t=155091934700001&r=1&w=2. I stopped using a VPN solution, but if I had to set up one today I would probably have a look at WireGuard.
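The report above boils down to a mismatch between the selectors written in iked.conf and the flows that end up in the kernel, which is exactly the kind of thing an operator can audit mechanically after loading a policy. The following script is an added example and not code from the thread or from iked: it parses the policy's from/to/port selectors and a flow listing in the format shown in the report, derives the flows the policy asked for (assuming one "out" flow per selector with each configured port kept on its own side, plus the mirrored "in" flow), and prints what is missing and what is present but never requested. The sample flow listing is constructed from the report with the addresses normalised to the same placeholders as the policy; the service table is a stand-in for /etc/services.

```python
"""Audit iked flows against the selectors a policy asked for.

Added example, not part of the bug report or of iked. Assumptions:
  * each selector yields one 'out' flow with the configured ports on their
    own sides and one mirrored 'in' flow;
  * only the proto keyword and from/to/port selectors are understood;
  * service names are resolved from a small stand-in for /etc/services.
"""
import re
from typing import NamedTuple, Optional

# Stand-in for /etc/services; 5432 is the registered postgresql port.
SERVICES = {"postgresql": 5432}


class Flow(NamedTuple):
    direction: str        # "in" or "out"
    proto: str
    src: str
    sport: Optional[int]  # None means any port
    dst: str
    dport: Optional[int]


# from <addr> [port <p>] to <addr> [port <p>] as written in iked.conf
SEL_RE = re.compile(
    r"from\s+(\S+)(?:\s+port\s+(\S+))?\s+to\s+(\S+)(?:\s+port\s+(\S+))?")
# flow esp in|out proto <p> from <addr> [port <p>] to <addr> [port <p>] peer ...
FLOW_RE = re.compile(
    r"flow\s+esp\s+(in|out)\s+proto\s+(\S+)\s+from\s+(\S+)(?:\s+port\s+(\S+))?"
    r"\s+to\s+(\S+)(?:\s+port\s+(\S+))?\s+peer")


def _port(tok):
    """Turn a port token into an int; empty/None means 'any'."""
    if not tok:
        return None
    return int(tok) if tok.isdigit() else SERVICES[tok]


def _flatten(text):
    """Join backslash continuations (and mail-wrapped lines) into one string."""
    return " ".join(line.strip().rstrip("\\").strip()
                    for line in text.strip().splitlines())


def expected_flows(policy_text):
    """Flows the policy's selectors ask for (see module docstring assumption)."""
    flat = _flatten(policy_text)
    m = re.search(r"\bproto\s+(\S+)", flat)
    proto = m.group(1) if m else "any"
    flows = set()
    for src, sp, dst, dp in SEL_RE.findall(flat):
        sport, dport = _port(sp), _port(dp)
        flows.add(Flow("out", proto, src, sport, dst, dport))
        flows.add(Flow("in", proto, dst, dport, src, sport))
    return flows


def actual_flows(flow_text):
    """Flows parsed from a listing in the report's 'flow esp ...' syntax."""
    flat = _flatten(flow_text)
    return {Flow(d, proto, src, _port(sp), dst, _port(dp))
            for d, proto, src, sp, dst, dp in FLOW_RE.findall(flat)}


def render(flows):
    """Write flows back in the listing syntax (handy for round-trip checks)."""
    lines = []
    for f in flows:
        s = f"flow esp {f.direction} proto {f.proto} from {f.src}"
        s += f" port {f.sport}" if f.sport is not None else ""
        s += f" to {f.dst}"
        s += f" port {f.dport}" if f.dport is not None else ""
        lines.append(s + " peer d.d.d type require")
    return "\n".join(lines)


def audit(policy_text, flow_text):
    """Return (missing, unexpected): requested-but-absent and present-but-unrequested."""
    want, have = expected_flows(policy_text), actual_flows(flow_text)
    key = lambda f: tuple(str(x) for x in f)   # None-safe ordering
    return sorted(want - have, key=key), sorted(have - want, key=key)


# The policy from the report (constructed copy with the same placeholders).
POLICY = """\
ikev2 "epsilon" active \\
    proto tcp \\
    from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \\
    from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \\
    from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \\
    peer d.d.d
"""

# Constructed listing reproducing the reported behaviour: port 8000 from the
# first selector is applied to every selector, the postgresql port is lost.
FLOWS = """\
flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb:10::2 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
"""

if __name__ == "__main__":
    missing, unexpected = audit(POLICY, FLOWS)
    for f in missing:
        print("missing:   ", f)
    for f in unexpected:
        print("unexpected:", f)
```

Run against the constructed listing it reports four missing flows (the two postgresql selectors in both directions, with port 5432 on the aaaa side) and four unexpected ones (the same selectors carrying port 8000 on the remote side); only the first selector's pair matches. On a live host the same audit can be run by feeding it the real iked.conf and the flow listing, and a clean result is an empty pair of lists.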