Had the same problem with a shitty Netgear on the other end.
OpenBSD happily accepted the flow with a 0/0 from forcing all traffic to
the destination over that tunnel.
I logged in to the Netgear GUI and explicitly set the subnets to tunnel
instead of all which was selected before.
Best regards
On 11/27/2017 05:52 AM, Paul Suh wrote:
> Folks,
>
> I set up a router using 6.2-stable, and created IKEv1 tunnels using isakmpd,
> something I've done many times before. The other end is a Sonicwall NSA 4500,
> which I've used as an endpoint before as well. My ipsec.conf file is:
>
>> ike active esp \
>> from 192.168.144.0/24 \
>> to { 10.101.0.0/16, \
>> 10.102.0.0/16, \
>> 10.103.0.0/16, \
>> 10.104.0.0/16, \
>> 172.27.199.0/24 } \
>> peer [Sonicwall IP] \
>> main \
>> auth hmac-sha1 \
>> enc aes-128 \
>> group modp2048 \
>> lifetime 28800 \
>> quick \
>> auth hmac-sha1 \
>> enc aes-128 \
>> group modp2048 \
>> lifetime 28800 \
>> psk [PSK redacted]
> However, the output of ipsecctl -s flow is:
>
>> # ipsecctl -s flow
>>
>> FLOWS:
>> flow esp in from 10.104.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.104.0.16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.103.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.103.0.16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.102.0.16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.102.0.16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.104.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.104.0.0/16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.103.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.103.0.0/16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.102.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.102.0.0/16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> ***** flow esp in from 172.16.0.0/16 to 192.168.144.0/24 peer 65.75.99.66
>> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> ***** flow esp out from 192.168.144.0/24 to 172.16.0.0/16 peer 65.75.99.66
>> srcid 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 172.27.199.0/24 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 172.27.199.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
>> flow esp in from 10.101.0.0/16 to 192.168.144.0/24 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type use
>> flow esp out from 192.168.144.0/24 to 10.101.0.0/16 peer 65.75.99.66 srcid
>> 24.51.107.65/32 dstid 65.75.99.66/32 type require
> Note the two starred flows that are not listed in my ipsec.conf
> configuration. The 172.16.0.0/16 subnet does exist on the Sonicwall end, and
> I'm pretty sure that the Sonicwall is requesting that a flow be set up for
> that subnet. However, I would think that my OpenBSD router would not create
> that flow since it's not in my ipsec.conf.
>
> Any ideas why it's being created anyway? I won't be in a position to see if
> the flow is really live until tomorrow morning.
>
>
> --Paul
>
>
>
>
