On 12.3.2024. 17:11, Samuel Jayden wrote:
> Dear Misc,
>
> I have an OpenBSD device with two interfaces: vport10 with an IP address of
> 192.168.83.1/24 and vport20 with an IP address of 192.168.85.1/24. I have
> configured IPSec to route all traffic from these two vport interfaces to
> another point through an IPSec tunnel using the destination network
> 0.0.0.0/0.
>
> Due to IPSec operating before kernel routing, I cannot even ping the
> directly connected interfaces' IP addresses.
>
> I've attempted to implement route-based PF rules to solve the issue, but
> unfortunately, the problem persists.
> I'm looking for a solution that allows for the local traffic between these
> two interfaces to bypass the IPSec tunnel, ensuring they can communicate
> with each other while keeping the IPSec destination network as 0.0.0.0/0.
>
> Here's my IPSec configuration:
>
> ike active esp tunnel from { 192.168.83.0/24 192.168.85.0/24 } to { 0.0.0.0/0 } \
>     peer A.B.C.D \
>     main auth hmac-md5 enc 3des group modp1024 lifetime 86400 \
>     quick auth hmac-md5 enc 3des group none lifetime 43200 \
>     psk "verysecret"
>
> Thanks in advance.
Hi,

put in ipsec.conf

flow from 192.168.83.0/24 to 192.168.83.0/24 type bypass
flow from 192.168.83.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.83.0/24 type bypass

and if you have carp then put this also

flow from 192.168.83.0/24 to 224.0.0.18/32 type bypass
flow from 192.168.85.0/24 to 224.0.0.18/32 type bypass

or something like that . .
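To see why the narrow bypass flows take precedence over the 0.0.0.0/0 tunnel, here is a small checker (an added example, not code from the thread) that parses such ipsec.conf flow lines and resolves a source/destination pair to the most specific matching flow, which is how the kernel's SPD resolves overlapping flows. The two "flow esp ... type require" lines and the peer A.B.C.D are assumptions standing in for the flows the poster's ike line installs.

```python
import ipaddress

# Constructed ipsec.conf(5) excerpt modelled on the thread: the bypass flows
# from the reply plus (assumed) require flows equivalent to the ike line.
IPSEC_CONF = """
flow from 192.168.83.0/24 to 192.168.83.0/24 type bypass
flow from 192.168.83.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.85.0/24 type bypass
flow from 192.168.85.0/24 to 192.168.83.0/24 type bypass
flow from 192.168.83.0/24 to 224.0.0.18/32 type bypass
flow from 192.168.85.0/24 to 224.0.0.18/32 type bypass
flow esp from 192.168.83.0/24 to 0.0.0.0/0 peer A.B.C.D type require
flow esp from 192.168.85.0/24 to 0.0.0.0/0 peer A.B.C.D type require
"""


def parse_flows(text):
    """Return (src_net, dst_net, type) for every 'flow ... from X to Y' line."""
    flows = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] != "flow":
            continue
        src = ipaddress.ip_network(words[words.index("from") + 1])
        dst = ipaddress.ip_network(words[words.index("to") + 1])
        # ipsec.conf(5) flows default to type require when no type is given
        ftype = words[words.index("type") + 1] if "type" in words else "require"
        flows.append((src, dst, ftype))
    return flows


def lookup(flows, src_ip, dst_ip):
    """Pick the most specific matching flow (longest src+dst prefix), as the SPD does.

    Returns the flow type ('bypass' or 'require') or 'none' if nothing matches.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for s, d, ftype in flows:
        if src in s and dst in d:
            score = s.prefixlen + d.prefixlen
            if best is None or score > best[0]:
                best = (score, ftype)
    return best[1] if best else "none"


if __name__ == "__main__":
    flows = parse_flows(IPSEC_CONF)
    for pair in [("192.168.83.10", "192.168.85.1"), ("192.168.83.10", "203.0.113.5")]:
        print(pair, "->", lookup(flows, *pair))
```

Traffic between the two vport networks, and to the local interface addresses, resolves to bypass, while anything else still falls under the 0.0.0.0/0 require flow and enters the tunnel.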