On 2017-11-27, Paul Suh <[email protected]> wrote:

> Note the two starred flows that are not listed in my ipsec.conf
> configuration. The 172.16.0.0/16 subnet does exist on the Sonicwall end, and
> I'm pretty sure that the Sonicwall is requesting that a flow be set up for
> that subnet. However, I would think that my OpenBSD router would not create
> that flow since it's not in my ipsec.conf.
>
> Any ideas why it's being created anyway? I won't be in a position to see if
> the flow is really live until tomorrow morning.
ipsec.conf was added to replace config parts done in isakmpd.conf, that's all. To restrict this side of things you need to learn about keynote and write an isakmpd.policy file. (Yes, it's a pain).
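As an added illustration (not from the thread) of the isakmpd.policy approach mentioned above: a KeyNote assertion that accepts Quick Mode proposals only for the traffic selectors actually configured in ipsec.conf, so an unrequested 172.16.0.0/16 flow would be refused. The local and remote subnets (192.0.2.0/24 and 198.51.100.0/24) and the passphrase are placeholders, and the file assumes isakmpd runs without -K, since that flag disables policy checking altogether.

```keynote
KeyNote-Version: 2
Comment: Added example, not the poster's configuration. Subnets and
         passphrase are placeholders; replace them with the values from
         your own ipsec.conf (the passphrase must be the real pre-shared
         key, or use a public key credential instead). A proposal whose
         selectors do not match these exact ranges, e.g. 172.16.0.0/16,
         satisfies no clause and is rejected. isakmpd must not be started
         with -K, otherwise this file is never consulted.
Authorizer: "POLICY"
Licensees: "passphrase:CHANGE_ME_to_the_real_preshared_key"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            local_filter_addr_lower == "192.0.2.0" &&
            local_filter_addr_upper == "192.0.2.255" &&
            remote_filter_addr_lower == "198.51.100.0" &&
            remote_filter_addr_upper == "198.51.100.255" -> "true";
```

Each additional flow you want to permit needs its own assertion (or an additional ||-joined selector clause); check with `ipsecctl -sa` after the peer reconnects that only the expected flows appear.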

