Hi,
I'm running an OpenBSD 4.8 firewall cluster doing ipsec and packet
filtering. Due to customer requirements I've used IPSec outgoing network
address translation and it does exactly what I want it to do. However
I've come to a situation where we need access to customer's network from
two internal networks. I added an ipsec rule identical to the working
one with a different local net definition (see the ipsec.conf sample
below) and discovered that only the second rule is actually applied.
ipsecctl -vvf /etc/ipsec.conf shows that both the rules are parsed
without errors. ipsecctl -sa shows only one flow according to the second
rule installed and only the traffic from LocalNet2 to RemoteNetCustomer
works. Changing the order of the rules causes again only the second rule
(from LocalNet1 in this case) to be applied. I've found out that a
LocalNet definition only allows one network. Using a shorter
netmask for LocalNet would be a solution if the network numbers had been
chosen knowing this issue, but for now it is not possible to combine them
under one definition.
ike esp from $LocalNetCustomer ($LocalNet1) to $RemoteNetCustomer \
local $LocalGw peer $RemoteGw \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XYZ"
ike esp from $LocalNetCustomer ($LocalNet2) to $RemoteNetCustomer \
local $LocalGw peer $RemoteGw \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "XYZ"
I've also tried the configuration in OpenBSD 4.9 under Virtualbox with
the same results.
I wonder if this is a desired feature, bug or a configuration issue.
Br,
Marko
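Added example (not part of Marko's post, and not OpenBSD or ipsecctl code): a small Python model of the two observations above. The first observation is that both rules carry the same address before the parentheses and the same destination, and `ipsecctl -sa` ends up with a single flow belonging to whichever rule comes last. The model below assumes, as a hypothesis the post does not confirm, that the installed flow is keyed only on those on-the-wire addresses, so the pre-NAT network inside the parentheses never distinguishes the two rules. The second observation is the "shorter netmask" idea: a helper computes the smallest prefix covering both local nets and refuses it when it would also sweep in a network that must stay out of the tunnel. All addresses and the two-line config are constructed for the demonstration; the original uses macros such as $LocalNet1.

```python
import ipaddress

# Constructed sample addresses (assumptions; the post only shows macros).
LOCAL_NET1 = "10.1.1.0/24"
LOCAL_NET2 = "10.1.7.0/24"
LOCAL_NET_CUSTOMER = "192.0.2.0/24"       # address written before the parentheses
REMOTE_NET_CUSTOMER = "198.51.100.0/24"

# Constructed config in the same 'from A (B) to C' shape as the post.
CONSTRUCTED_CONF = f"""\
ike esp from {LOCAL_NET_CUSTOMER} ({LOCAL_NET1}) to {REMOTE_NET_CUSTOMER} local 203.0.113.1 peer 203.0.113.2
ike esp from {LOCAL_NET_CUSTOMER} ({LOCAL_NET2}) to {REMOTE_NET_CUSTOMER} local 203.0.113.1 peer 203.0.113.2
"""


def parse_rule(line):
    """Extract src, the parenthesised local net (if any) and dst from one ike line."""
    words = line.split()
    i = words.index("from")
    src = words[i + 1]
    if words[i + 2].startswith("("):
        local, dst = words[i + 2].strip("()"), words[i + 4]
    else:
        local, dst = src, words[i + 3]
    return {"src": src, "local": local, "dst": dst}


def flow_key(rule):
    # Hypothesis (not confirmed by the post): the flow is keyed on the
    # addresses seen on the wire, i.e. translated source plus destination,
    # so the pre-NAT network in parentheses is not part of the key.
    return (rule["src"], rule["dst"])


def install_flows(rules):
    """Apply rules in order; a rule whose key already exists replaces the earlier one."""
    table = {}
    for rule in rules:
        table[flow_key(rule)] = rule
    return table


def surviving_locals(conf_text):
    """Which local nets still have a flow after all rules are installed."""
    rules = [parse_rule(l) for l in conf_text.splitlines() if l.strip().startswith("ike")]
    return [r["local"] for r in install_flows(rules).values()]


def common_supernet(nets, must_not_contain=()):
    """Smallest prefix covering every net in `nets`, or None if that prefix
    would also overlap one of the networks in `must_not_contain`."""
    nets = [ipaddress.ip_network(n) for n in nets]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()      # widen by one bit at a time
    for other in must_not_contain:
        if ipaddress.ip_network(other).overlaps(covering):
            return None
    return str(covering)


if __name__ == "__main__":
    print("rules as written  ->", surviving_locals(CONSTRUCTED_CONF))
    swapped = "\n".join(reversed(CONSTRUCTED_CONF.splitlines()))
    print("rules swapped     ->", surviving_locals(swapped))
    print("covering prefix   ->", common_supernet([LOCAL_NET1, LOCAL_NET2]))
    print("with 10.1.3.0/24 excluded ->",
          common_supernet([LOCAL_NET1, LOCAL_NET2], must_not_contain=["10.1.3.0/24"]))
```

Under this model only one local net survives regardless of rule order, which matches what `ipsecctl -sa` showed; whether the real flow table is keyed exactly this way is something to confirm against ipsec.conf(5) and the kernel, not something the post establishes. The `common_supernet` check is the part to run before trying a shorter netmask: for the sample nets the covering prefix is 10.1.0.0/21, and the helper returns None as soon as a network that should not be tunnelled falls inside it.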