On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini <a.parazz...@sirtisistemi.net> wrote:
> Hi,
> "from 10.1.0.0/16" is the network id that I would negotiate with the remote peer.
> "(0.0.0.0/0)" is our real network, we have a lot of networks behind this box.
> We perform NAT on traffic leaving through the VPN tunnel.
>
> 192.168.71/24  0  10.1/16        0  0  W.X.Y.Z/esp/use/in
> 10.1/16        0  192.168.71/24  0  0  W.X.Y.Z/esp/require/out
>
> Why this flow?
> I would like only the flows defined in the configuration files.
>
> Thanks
> Andrea
>
> On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser <damons...@yahoo.com> wrote:
> > 1. what is the (0.0.0.0/0) good for?
> > 2. how are you inspecting traffic in the tunnel?
> > 3. is nat allowed in the tunnel?
> > 4. you may have let in more networks than you realize
> > -damon
> >
> > --- On Thu, 11/25/10, Andrea Parazzini <a.parazz...@sirtisistemi.net> wrote:
> >
> > From: Andrea Parazzini <a.parazz...@sirtisistemi.net>
> > Subject: ipsec vpn unexpected flow
> > To: misc@openbsd.org
> > Date: Thursday, November 25, 2010, 2:40 PM
> >
> > Hi,
> > we have a vpn connection with a customer.
> > The remote peer is not under our management.
> > Our box is an OpenBSD 4.7 i386.
> > We have configured the vpn as follows:
> >
> > /etc/rc.conf.local
> > ipsec=YES
> > isakmpd_flags="-K -v"
> >
> > /etc/ipsec.conf
> > ike active esp tunnel \
> >         from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
> >         local A.B.C.D peer W.X.Y.Z \
> >         main auth hmac-sha1 enc 3des group modp1024 \
> >         quick auth hmac-sha1 enc 3des group modp1024 \
> >         psk "PRESHAREDKEY"
> >
> > The vpn works fine, but there is a strange thing.
> > With "netstat -nrf encap" I see something like:
> >
> > Source         Port  Destination    Port  Proto  SA
> > 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
> > 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
> > 192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
> > default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
> >
> > As you can see there is a flow that is not configured on our box.
> > It is probably configured on the remote peer.
> > Is this normal behavior?
> > How can I protect myself from an incorrect configuration on the remote peer?
> >
> > Thanks.
> >
> > Regards,
> > Andrea

Please read the ipsec.conf manual page again, especially the "OUTGOING NETWORK ADDRESS TRANSLATION" section.
"10.1.0.0/16 (0.0.0.0/0)" means you want to NAT anything from 10.1.0.0/16 to 0.0.0.0/0!
I think this is so strange. I cannot understand your configuration rule.
Are you sure your traffic really passes through your IPsec tunnel?

--
Gula_Gula =;=; BNF
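Added example, not taken from the thread or written by any of its participants: the posted ipsec.conf rule next to one whose parenthesised srcnat names a concrete internal network instead of 0.0.0.0/0, plus the pf rule that ipsec.conf(5)'s "OUTGOING NETWORK ADDRESS TRANSLATION" section says must accompany it. In the ipsec.conf syntax "from src (srcnat)", src is the network ID negotiated with the peer and srcnat is the true local network; the kernel flow is installed for the true local network, which is why srcnat 0.0.0.0/0 shows up in "netstat -nrf encap" as the "default <-> 192.168.90/24" pair. The LAN 192.168.1.0/24, the "bitmask" pool option and the 4.7-style match/nat-to form are assumptions chosen for illustration; A.B.C.D, W.X.Y.Z and PRESHAREDKEY are the thread's own placeholders.

```conf
# /etc/ipsec.conf  (added example; ipsec.conf(5) "from src (srcnat)" syntax)

# As posted in the thread: srcnat = 0.0.0.0/0, i.e. "the true local network
# is everything". The flow the kernel installs covers the true local
# network, so this is the rule behind the
#     default        -> 192.168.90/24   (esp/require/out)
#     192.168.90/24  -> default         (esp/use/in)
# lines in "netstat -nrf encap".
#
# ike active esp tunnel \
#         from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
#         local A.B.C.D peer W.X.Y.Z \
#         main auth hmac-sha1 enc 3des group modp1024 \
#         quick auth hmac-sha1 enc 3des group modp1024 \
#         psk "PRESHAREDKEY"

# Narrowed: still negotiate 10.1.0.0/16 as the network ID with the peer,
# but install the flow only for the real LAN behind this gateway.
# 192.168.1.0/24 is an assumed placeholder; write one rule per real network
# rather than one catch-all 0.0.0.0/0.
ike active esp tunnel \
        from 10.1.0.0/16 (192.168.1.0/24) to 192.168.90.0/24 \
        local A.B.C.D peer W.X.Y.Z \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk "PRESHAREDKEY"

# /etc/pf.conf  (added example; the translation itself happens in pf on enc0)
# 4.7 match/nat-to form is assumed. "bitmask" keeps the host bits, so
# 192.168.1.x leaves the tunnel as 10.1.1.x and the peer only ever sees
# addresses inside the negotiated 10.1.0.0/16.
match out on enc0 from 192.168.1.0/24 to 192.168.90.0/24 \
        nat-to 10.1.0.0/16 bitmask
```

To check the parse without loading anything, run "ipsecctl -n -v -f /etc/ipsec.conf"; after loading, "ipsecctl -sf" lists the flows actually installed, and the "default" entries from the thread's netstat output should no longer be there. Narrowing srcnat only addresses those two flows; the 192.168.71/24 pair that Andrea attributes to the remote peer's configuration is a separate question that the thread leaves open.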