On 2018-10-15, Sonic <[email protected]> wrote:
> On Mon, Oct 15, 2018 at 5:09 PM Johan Hattne <[email protected]> wrote:
>> Not sure I’m understanding your question, but is this not
>> application-dependent? So for an internal interface mec0 and ssh, you could,
>>
>> $ ssh -B mec0 [email protected]
>>
>> and for ping,
>>
>> $ ping -I mec0 example.com
>
> The addresses in question are aliases of the same interface.
> For example em1 might be configured with the following addresses:
> 50.79.22.41
> 50.79.22.42
> 50.79.22.43
> 50.79.22.44
> 50.79.22.45
> I'm using different addresses on the same interface for different things.
> In this example I have the ipsec vpn listening on 50.79.22.45 and a
> similar setup on the other end - the non default address is the
> listening address. Internal systems are working fine between the two
> subnets, but the OpenBSD firewall itself (if I ping from it, for
> example) uses the default address of 50.79.22.41 instead of
> 50.79.22.45 when attempting to connect to the remote network and
> therefore is not successful. I'm fairly certain if there's a way to
> configure the firewall to send using the chosen alias address instead
> of the default address it would work properly.
Say your IPsec tunnel is between 50.79.22.45 and 192.0.2.1, and the flow is set up between networks 192.168.55.0/24 and 192.168.99.0/24. The problem is _not_ that your source address is 50.79.22.41, because it wouldn't work with 50.79.22.45 either; you need to be using an address that is covered by the flows (say 192.168.55.1). Try "ping -I $source_ip $dest_ip" with various addresses as $source_ip and you should see better how it works.

The default source address for IPv4 is the interface address for the route table entry which matches the destination. (I'll skip IPv6 for now, "it's complicated".)

OpenBSD's IPsec implementation is based around "flows" which work behind the back of the routing table, so normally the relevant route for the VPN destination network is still the default (internet) route, and the relevant address is an external-facing one, which doesn't match the IPsec flow.

The usual bodge around this is to have a local address within the VPN'd network on your router (which is normally the case anyway - with the examples above, say 192.168.55.1) and add a route to the "other side" network, e.g. "route add 192.168.99.0/24 192.168.55.1" - i.e. using your *own* address as the destination.
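Added example, not from the thread and not OpenBSD's own code: a POSIX sh model of the two mechanisms described above, source selection by longest-matching route on one side and flow matching on src/dst on the other, using the thread's addresses. The routing tables and the 192.168.55.0/24 <-> 192.168.99.0/24 flow are constructed to mirror the example; it shows why the default route yields 50.79.22.41 (outside the flow) and why the "route add 192.168.99.0/24 192.168.55.1" bodge flips the source to 192.168.55.1.

```shell
# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_cidr ADDR NET/LEN -> exit 0 when ADDR lies inside NET/LEN
in_cidr() {
    n_net=${2%/*}; n_len=${2#*/}
    n_mask=$(( (4294967295 << (32 - n_len)) & 4294967295 ))   # 0xffffffff
    return $(( ($(ip2int "$1") & n_mask) != ($(ip2int "$n_net") & n_mask) ))
}
# select_source ROUTES DEST -> prints the interface address of the longest
# matching route (one "PREFIX IFADDR" entry per line; for a route whose
# gateway is one of the host's own addresses, IFADDR is that address).
select_source() {
    best=-1; src=""
    old_ifs=$IFS; IFS='
'
    for entry in $1; do
        IFS=$old_ifs
        prefix=${entry%% *}; addr=${entry#* }
        if in_cidr "$2" "$prefix" && [ "${prefix#*/}" -gt "$best" ]; then
            best=${prefix#*/}; src=$addr
        fi
    done
    IFS=$old_ifs
    echo "$src"
}
# flow_covers SRC DST -> exit 0 when the pair matches the thread's flow
# 192.168.55.0/24 <-> 192.168.99.0/24 (flows key on src/dst, not on routes)
flow_covers() {
    in_cidr "$1" 192.168.55.0/24 && in_cidr "$2" 192.168.99.0/24
}
# vpn_ok ROUTES DEST -> prints "SRC ok" or "SRC not-in-flow"
vpn_ok() {
    s=$(select_source "$1" "$2")
    if flow_covers "$s" "$2"; then echo "$s ok"; else echo "$s not-in-flow"; fi
}
# Constructed tables: em1 carries 50.79.22.41-45, the LAN side is 192.168.55.1;
# AFTER is BEFORE plus "route add 192.168.99.0/24 192.168.55.1".
ROUTES_BEFORE="0.0.0.0/0 50.79.22.41
192.168.55.0/24 192.168.55.1"
ROUTES_AFTER="$ROUTES_BEFORE
192.168.99.0/24 192.168.55.1"

vpn_ok "$ROUTES_BEFORE" 192.168.99.10   # 50.79.22.41 not-in-flow
vpn_ok "$ROUTES_AFTER"  192.168.99.10   # 192.168.55.1 ok
```

Note that 50.79.22.45 fails the same check as 50.79.22.41: neither lies in 192.168.55.0/24, so pinning the alias would not help.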

