I have a roadwarrior client with traffic to 0.0.0.0/0 going
through a remote gateway. I would like to also send _some_
traffic to a more specific, different host.
However, traffic to that more specific host always tries to
use the remote gateway's SPI. In other words, once I say
"0.0.0.0/0," I can't ever specify a different gateway for
some other traffic.
-- begin /etc/iked.conf:
# roadwarrior's iked.conf:
remote_gw = "insert remote gw IP here"
roadwarrior = "192.168.100.2" # on 192.168.100.0/24
othermachine = "172.16.0.15" # on 172.16.0.0/24
ikev2 'roadwarrior' active esp from $roadwarrior to \
0.0.0.0/0 peer $remote_gw srcid $roadwarrior \
dstid $remote_gw
ikev2 active esp from $roadwarrior to $othermachine local \
$roadwarrior peer $othermachine \
srcid $roadwarrior dstid $othermachine
-- end /etc/iked.conf
The problem seems to be that once I specify the 0.0.0.0/0,
I don't see a way for the policy to othermachine to become
effective. roadwarrior tries to always use the spi for
remote_gw. This makes sense, of course -- othermachine is
going to match the policy and so the SA is created and the
policy doesn't need to be evaluated further. So I tried:
-- part of iked.conf:
ikev2 quick active esp from $roadwarrior to \
$othermachine local \
$roadwarrior peer $othermachine srcid \
$roadwarrior dstid $othermachine
ikev2 'roadwarrior' active esp from $roadwarrior \
to 0.0.0.0/0 \
peer $remote_gw srcid $roadwarrior dstid \
$remote_gw
-- end iked.conf
But this doesn't help. roadwarrior still tries to connect
to othermachine using remote_gw's SPI.
I can work around this by specifying every network instead
of the one for othermachine, but I'm just wondering if
there's some way to still use 0.0.0.0/0 for remote_gw
and then give more specific routes to other gateways.
(If roadwarrior and othermachine were instead on different
subnets of 10.0.0.0/8, then specifying every network
other than 10.0.0.0/8 is a little bit more obvious than
specifying every network other than both 192.168.100.0/24
and 172.16.0.0/24).
I can also simply not use a VPN to othermachine by adding
flow from $roadwarrior to $othermachine type bypass
in /etc/ipsec.conf on roadwarrior and the corresponding
other direction in othermachine's /etc/ipsec.conf.
However, I notice that after a few hours, othermachine
seems to forget this entry if it's also running
IKEv2 connections to other machines, and that I have
to /sbin/ipsecctl -f /etc/ipsec.conf again to make it
bypass again.
All three machines are running -current. Here's
roadwarrior's uname -a:
OpenBSD roadwarrior.local 6.7 GENERIC.MP#175 amd64
I will try to make the network setup more clear:
roadwarrior (192.168.100.2/24) is behind internal_router
with interfaces 192.168.100.1/24 and 172.16.0.2/24.
othermachine (172.16.0.15/24) is behind firewall with
internal interface 172.16.0.1/24 and pppoe0 for DSL.
firewall and othermachine both have static routes to the
192.168.100.0/24 network.
I've tried adding a static route from roadwarrior to
othermachine just in case that might help, but nothing
changed.
Please note that othermachine can make IKEv2 connections
to other hosts on roadwarrior's subnet (192.168.100.0/24),
as long as they don't have default routes in /etc/iked.conf
going to remote_gateway.
Thank you for your help and patience!
Overall I have to say that configuring Open IKEv2 is very
easy and _just works_. Much much faster than running
web traffic using ssh -D also! I really appreciate the FAQ
on openbsd.org and all the great documentation. I know
I'm probably just missing something obvious for this particular
case, and really appreciate your help.