Hi there
I have an OpenBSD box that is configured as a firewall and VPN gateway. The box has two physical interfaces. One interface is the WAN interface that connects to the internet. The other interface connects to the LAN switch and has several virtual VLAN interfaces defined for different LAN subnets.

The basic VPN configuration works. I can connect with the Greenbow VPN client from a Windows host and reach the hosts on the LAN interfaces. In the Greenbow VPN client configuration I can define the subnet to which I want to tunnel. So if I define the subnet of the vlan 2 interface in the Greenbow VPN client, I can reach the hosts that are in the vlan 2 subnet; if I define the subnet of the vlan 3 interface, I can reach the hosts that are in the vlan 3 subnet. I have no control over which subnet the VPN client has access to.

My isakmpd.conf looks like this:

    # ----------------
    # Defaults section
    # ----------------
    [General]
    Default-phase-1-lifetime=       3600,60:86400
    Default-phase-2-lifetime=       1200,60:86400

    # -----------
    # Connections
    # -----------
    [Phase 1]
    Default=                        ISAKMP-clients

    [Phase 2]
    Passive-Connections=            IPsec-clients

    # ---------------------
    # Phase 1 peer sections
    # ---------------------
    [ISAKMP-clients]
    Phase=                          1
    Transport=                      udp
    Configuration=                  default-main-mode
    Authentication=                 mekmitasdigoat

    # ----------------
    # Phase 2 sections
    # ----------------
    [IPsec-clients]
    Phase=                          2
    Configuration=                  default-quick-mode
    Local-ID=                       default-route
    Remote-ID=                      dummy-remote

    # ------------------
    # Client ID sections
    # ------------------
    [default-route]
    ID-type=                        IPV4_ADDR_SUBNET
    Network=                        0.0.0.0
    Netmask=                        0.0.0.0

    [dummy-remote]
    ID-type=                        IPV4_ADDR
    Address=                        0.0.0.0

    [default-main-mode]
    DOI=                            IPSEC
    EXCHANGE_TYPE=                  ID_PROT
    Transforms=                     AES-SHA-GRP2

    [default-quick-mode]
    DOI=                            IPSEC
    EXCHANGE_TYPE=                  QUICK_MODE
    Suites=                         QM-ESP-AES-SHA-PFS-GR2-SUITE

I have tried to change Network and Netmask in the [default-route] section from 0.0.0.0 to the network and netmask of one of the VLAN subnets, but it does not help.
I can still connect to the other subnet if I define it in the client. Does anyone know how I can restrict access to only one of the VLAN subnets?

Thanks,
Daniel