On 12.3.2024. 17:11, Samuel Jayden wrote:
> Dear Misc,
>
> I have an OpenBSD device with two interfaces: vport10 with an IP address of
> 192.168.83.1/24 and vport20 with an IP address of 192.168.85.1/24. I have
> configured IPSec to route all traffic from these two vport interfaces to
> another point through an IPSec tunnel using the destination network
> 0.0.0.0/0.
>
> Due to IPSec operating before kernel routing, I cannot even ping the
> directly connected interfaces' IP addresses.
>
> I've attempted to implement route-based PF rules to solve the issue, but
> unfortunately, the problem persists.
> I'm looking for a solution that allows for the local traffic between these
> two interfaces to bypass the IPSec tunnel, ensuring they can communicate
> with each other while keeping the IPSec destination network as 0.0.0.0/0.
>
> Here's my IPSec configuration:
>
> ike active esp tunnel from { 192.168.83.0/24 192.168.85.0/24 } to {
> 0.0.0.0/0 } \
> peer A.B.C.D \
> main auth hmac-md5 enc 3des group modp1024 lifetime 86400 \
> quick auth hmac-md5 enc 3des group none lifetime 43200 \
> psk "verysecret"
>
> Thanks in advance.
>
Hi,
put in ipsec.conf
flow from 192.168.83.0/24 to 192.168.83.0/24 type bypass
flow from 192.168.83.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.83.0/24 type bypass
and if you have carp then put this also
flow from 192.168.83.0/24 to 224.0.0.18/32 type bypass
flow from 192.168.85.0/24 to 224.0.0.18/32 type bypass
or something like that...
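Why the bypass flows above can coexist with a tunnel flow to 0.0.0.0/0: OpenBSD keeps flows in the SPD as a radix tree, so the most specific matching flow wins, and a flow to 192.168.85.0/24 beats one to 0.0.0.0/0 for the same source. The script below is an added example (not code from the thread or from OpenBSD): it generates the bypass lines the reply suggests for any list of local subnets and then models the lookup so you can see which flow a given src/dst pair hits before touching the box. The flow lines and addresses are the ones in the thread; `generate_bypass_flows`, `lookup` and the longest-combined-prefix tie-break are this model's own constructions, not the kernel's code.

```python
"""Model how OpenBSD's SPD chooses between a 0.0.0.0/0 tunnel flow and the
bypass flows from the reply. Added example; not from the thread or OpenBSD."""
import ipaddress
from itertools import product

# Addressing taken from the thread; the bypass lines are the ones the reply suggests.
LOCAL_SUBNETS = ["192.168.83.0/24", "192.168.85.0/24"]
CARP_MCAST = "224.0.0.18/32"   # CARP advertisement group (VRRP multicast address)


def generate_bypass_flows(subnets, carp=True):
    """Return ipsec.conf 'flow ... type bypass' lines for every ordered pair of
    local subnets (a subnet to itself included) plus, optionally, the CARP
    multicast group each subnet must still reach without ESP."""
    lines = [f"flow from {s} to {d} type bypass" for s, d in product(subnets, repeat=2)]
    if carp:
        lines += [f"flow from {s} to {CARP_MCAST} type bypass" for s in subnets]
    return lines


def tunnel_flows(subnets, remote="0.0.0.0/0"):
    """Flows the 'ike ... from { subnets } to { 0.0.0.0/0 }' rule installs (type ipsec)."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(remote), "ipsec") for s in subnets]


def parse_bypass(lines):
    """Turn 'flow from A to B type bypass' lines into (src, dst, type) tuples."""
    flows = []
    for line in lines:
        w = line.split()   # ['flow', 'from', A, 'to', B, 'type', T]
        flows.append((ipaddress.ip_network(w[2]), ipaddress.ip_network(w[4]), w[6]))
    return flows


def lookup(flows, src, dst):
    """Most-specific match over (src, dst). This approximates the kernel's
    radix-tree SPD lookup: of all matching flows, the one with the longest
    combined src+dst prefix wins. The tie-break is an assumption of this model,
    not the kernel's code. Returns the flow type, or None when no flow covers
    the pair (plain routing, no SPD decision)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for fsrc, fdst, ftype in flows:
        if s in fsrc and d in fdst:
            specificity = fsrc.prefixlen + fdst.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, ftype)
    return best[1] if best else None


def build_spd(carp=True):
    """Tunnel flows from the original 'ike' rule plus the generated bypass flows."""
    return tunnel_flows(LOCAL_SUBNETS) + parse_bypass(generate_bypass_flows(LOCAL_SUBNETS, carp))


if __name__ == "__main__":
    print("\n".join(generate_bypass_flows(LOCAL_SUBNETS)))
    spd = build_spd()
    # Constructed sample pairs: inter-vport, to the local gateway, CARP, and Internet.
    for src, dst in [("192.168.83.10", "192.168.85.20"), ("192.168.83.10", "192.168.83.1"),
                     ("192.168.83.10", "224.0.0.18"), ("192.168.83.10", "203.0.113.7")]:
        print(f"{src} -> {dst}: {lookup(spd, src, dst)}")
```

After adding the generated lines to ipsec.conf, check the syntax with `ipsecctl -n -f /etc/ipsec.conf`, load it, and confirm with `ipsecctl -sf` that the bypass flows are installed next to the tunnel flows; without the CARP lines, 224.0.0.18 falls under the 0.0.0.0/0 flow and the advertisements go into the tunnel.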