On 2011-06-20, Marko Viitanen <[email protected]> wrote:
> Hi,
>
> I'm running an OpenBSD 4.8 firewall cluster doing ipsec and packet
> filtering. Due to customer requirements I've used IPSec outgoing network
> address translation and it does exactly what I want it to do. However
> I've come to a situation where we need access to customer's network from
> two internal networks. I added an ipsec rule identical to the working
> one with the different local net definition (see the ipsec.conf sample
> below) and discovered that only the second rule is actually applied.
You can only have one ipsec.conf rule per peer; the last one takes
effect.
> ipsecctl -vvf /etc/ipsec.conf shows that both the rules are parsed
> without errors. ipsecctl -sa shows only one flow according to the second
> rule installed and only the traffic from LocalNet2 to RemoteNetCustomer
> works. Changing the order of the rules causes again only the second rule
> (from LocalNet1 in this case) to be applied. I've found out that
> LocalNet definition only allows one network definition. Using shorter
> netmask for LocalNet would be a solution if the network numbers were
> chosen knowing this issue but for now it is not possible to combine them
> under one definition.
>
> ike esp from $LocalNetCustomer ($LocalNet1) to $RemoteNetCustomer \
> local $LocalGw peer $RemoteGw \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group none \
> psk "XYZ"
>
> ike esp from $LocalNetCustomer ($LocalNet2) to $RemoteNetCustomer \
> local $LocalGw peer $RemoteGw \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group none \
> psk "XYZ"
>
> I've also tried the configuration in OpenBSD 4.9 under Virtualbox with
> the same results.
>
> I wonder if this is a desired feature, bug or a configuration issue.
This is just not implemented yet. Would be handy though.
FWIW the following config style also isn't supported.
ike esp from { \
192.168.46.248 (10.15.5.0/24), \
192.168.46.248 (172.16.73.224/28) \
} to 192.168.40.0/21 peer $foo
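As an added example (not from the thread, and not part of ipsecctl): a small Python check that expands ipsec.conf macros and flags ike rules sharing the same peer, since only the last such rule is installed. The addresses in the sample are constructed; rules_per_peer and overridden_peers are hypothetical helper names.

```python
import re

# Constructed ipsec.conf modelled on the thread: two ike rules to the same peer.
SAMPLE_CONF = """\
LocalGw = "192.0.2.1"
RemoteGw = "198.51.100.1"
LocalNet1 = "10.15.5.0/24"
LocalNet2 = "172.16.73.224/28"
LocalNetCustomer = "192.168.46.248"
RemoteNetCustomer = "192.168.40.0/21"

ike esp from $LocalNetCustomer ($LocalNet1) to $RemoteNetCustomer \\
local $LocalGw peer $RemoteGw psk "XYZ"

ike esp from $LocalNetCustomer ($LocalNet2) to $RemoteNetCustomer \\
local $LocalGw peer $RemoteGw psk "XYZ"
"""

def logical_lines(text):
    """Join backslash-continued lines, strip comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def rules_per_peer(text):
    """Map each peer (macros expanded) to the (from, to) selectors of every
    ike rule naming it; ipsecctl keeps only the last rule per peer."""
    macros, peers = {}, {}
    for line in logical_lines(text):
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)   # name = "value"
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        m = re.search(r"\bfrom\s+(.+?)\s+to\s+(\S+).*?\bpeer\s+(\S+)", line)
        if not line.startswith("ike ") or not m:
            continue
        src, dst, peer = (
            re.sub(r"\$(\w+)", lambda v: macros.get(v.group(1), v.group(0)), t)
            for t in m.groups()
        )
        peers.setdefault(peer, []).append((src, dst))
    return peers

def overridden_peers(text):
    """Peers named by more than one ike rule: all but the last are silently lost."""
    return {p: r for p, r in rules_per_peer(text).items() if len(r) > 1}
```

Running overridden_peers over a real /etc/ipsec.conf before `ipsecctl -f` surfaces the silent override the thread describes instead of discovering it from a missing flow in `ipsecctl -sa`.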