Hi,

I operate a VPN that has some road warriors who all get a default route attached that points them into the local VPN gateway. With names and IP numbers replaced, this looks like this:

# ipsecctl -s all
FLOWS:
flow esp in from 192.168.1.22 to 0.0.0.0/0 peer 1.1.1.1 srcid 5.5.5.5/32 dstid [email protected] type use
flow esp out from 0.0.0.0/0 to 192.168.1.22 peer 1.1.1.1 srcid 5.5.5.5/32 dstid [email protected] type require
flow esp in from 192.168.1.7 to 0.0.0.0/0 peer 2.2.2.2 srcid 5.5.5.5/32 dstid [email protected] type use
flow esp out from 0.0.0.0/0 to 192.168.1.7 peer 2.2.2.2 srcid 5.5.5.5/32 dstid [email protected] type require
...
SAD:
esp tunnel from 1.1.1.1 to 5.5.5.5 spi 0x394587da auth hmac-sha1 enc aes-256
esp tunnel from 5.5.5.5 to 1.1.1.1 spi 0x4792a016 auth hmac-sha1 enc aes-256
esp tunnel from 2.2.2.2 to 5.5.5.5 spi 0x69dc89bb auth hmac-sha1 enc aes-256
esp tunnel from 5.5.5.5 to 2.2.2.2 spi 0xb60d9775 auth hmac-sha1 enc aes-256
...

There are other users with numbers literally one off from brokenclient@, but they all work without a hitch. Using tcpdump, I can see the broken client's traffic on enc0, but it does not leave the LAN interface. I made sure that no packet filters interfere.

The only difference that I can see is that the broken client sends all his packets with TOS = 0x3, whereas the working client sends his packets without any (non-default) TOS value.

Searching around, I found that this question was already raised by Martin Hedenfalk well over a year ago (http://marc.info/?l=openbsd-misc&m=121127258816047&w=2), but he got no answer.

Kind regards,
--Toni++
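A small consistency check over `ipsecctl -s all` output, added here as an example and not part of the post above: it parses the FLOWS and SAD sections in the format quoted and reports any peer that lacks the inbound/outbound flow pair or the SA in either direction, which is a quick way to rule out an incomplete policy before digging into things like the TOS difference. The sample output and the peer 3.3.3.3 (left without a return SA) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `ipsecctl -s all` quoted in the post.
# Peer 3.3.3.3 is deliberately missing its gateway->peer SA.
SAMPLE = """\
FLOWS:
flow esp in from 192.168.1.22 to 0.0.0.0/0 peer 1.1.1.1 srcid 5.5.5.5/32 dstid a@example.org type use
flow esp out from 0.0.0.0/0 to 192.168.1.22 peer 1.1.1.1 srcid 5.5.5.5/32 dstid a@example.org type require
flow esp in from 192.168.1.7 to 0.0.0.0/0 peer 3.3.3.3 srcid 5.5.5.5/32 dstid b@example.org type use
flow esp out from 0.0.0.0/0 to 192.168.1.7 peer 3.3.3.3 srcid 5.5.5.5/32 dstid b@example.org type require
SAD:
esp tunnel from 1.1.1.1 to 5.5.5.5 spi 0x394587da auth hmac-sha1 enc aes-256
esp tunnel from 5.5.5.5 to 1.1.1.1 spi 0x4792a016 auth hmac-sha1 enc aes-256
esp tunnel from 3.3.3.3 to 5.5.5.5 spi 0x69dc89bb auth hmac-sha1 enc aes-256
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+) .* type (\S+)$")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (\S+)")

def parse(text):
    """Return ({peer: {'in': [...], 'out': [...]}}, {(src, dst): spi})."""
    flows = defaultdict(lambda: {"in": [], "out": []})
    sas = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            direction, src, dst, peer, ftype = m.groups()
            flows[peer][direction].append((src, dst, ftype))
            continue
        m = SA_RE.match(line)
        if m:
            src, dst, spi = m.groups()
            sas[(src, dst)] = spi
    return flows, sas

def check(text, gateway):
    """List (peer, problem) for every peer whose flow or SA pair is incomplete."""
    flows, sas = parse(text)
    problems = []
    for peer, d in sorted(flows.items()):
        if not any(t == "use" for _, _, t in d["in"]):
            problems.append((peer, "no inbound 'use' flow"))
        if not any(t == "require" for _, _, t in d["out"]):
            problems.append((peer, "no outbound 'require' flow"))
        if (peer, gateway) not in sas:
            problems.append((peer, "no SA peer->gateway"))
        if (gateway, peer) not in sas:
            problems.append((peer, "no SA gateway->peer"))
    return problems

if __name__ == "__main__":
    for peer, what in check(SAMPLE, "5.5.5.5"):
        print(peer, what)
```

On the quoted output the check would come back clean for both peers, which is consistent with the poster's observation that the policy itself looks identical for working and broken clients.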

