On Thu, 11/25/10, Andrea Parazzini <[email protected]> wrote:
> Hi,
> we have a vpn connection with a customer.
> The remote peer is not under our management.
> Our box is an OpenBSD 4.7 i386.
> We have configured the vpn as follows:
> 
> /etc/rc.conf.local
> ipsec=YES
> isakmpd_flags="-K -v"
> 
> /etc/ipsec.conf
> ike active esp tunnel \
>   from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
>   local A.B.C.D peer W.X.Y.Z \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   quick auth hmac-sha1 enc 3des group modp1024 \
>   psk "PRESHAREDKEY"
> 
> 
> The vpn works fine, but there is a strange thing.
> With "netstat -nrf encap" I see something like:
> 
> Source         Port  Destination    Port  Proto  SA
> 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
> 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
> 192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
> default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
> 
> As you can see there is a flow that is not configured on our box.
> It is probably configured on the remote peer.
> Is it normal behavior?
> How can I protect myself from an incorrect configuration on the remote
> peer?


On Fri, 26 Nov 2010 12:58:09 +0000 (UTC), Stuart Henderson
<[email protected]> wrote:
> isakmpd.policy(5), and have some aspirin ready for the inevitable
> headache.


Stuart is right.
I tried to play with isakmpd.policy and it's rather complicated.
Reading the manuals again I noticed the -a option of isakmpd.
So my new configuration could be the following:

/etc/rc.conf.local
ipsec=YES
isakmpd_flags="-a -K -v"

/etc/ipsec.conf
ike active esp tunnel \
  from 10.1.0.0/16 to 192.168.90.0/24 \
  local A.B.C.D peer W.X.Y.Z \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group modp1024 \
  psk "PRESHAREDKEY"
flow esp from 0.0.0.0/0 to 192.168.90.0/24 \
  local A.B.C.D peer W.X.Y.Z

Might it work? What do you think?

Thanks.

Regards,
Andrea
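Whichever way the remote peer's flows end up being blocked (isakmpd.policy or -a plus explicit flow lines), the check that actually answers "is the peer pushing flows I did not configure?" is to compare what the kernel has installed against what ipsec.conf says. The script below is an added example, not code from this thread or from OpenBSD: it parses `netstat -nrf encap` output and prints every flow whose source/destination pair is not in an expected list. The sample netstat output and the expected list are constructed from the output and the new configuration quoted above (netstat prints 0.0.0.0/0 as "default" and drops trailing zero octets, so the expected pairs are written that way). The function and variable names are my own.

```shell
#!/bin/sh
# Added example: report IPsec flows installed in the kernel that are not
# in our own ipsec.conf. Input format is that of `netstat -nrf encap`.

# Constructed sample, copied from the netstat output quoted in the thread.
SAMPLE_FLOWS='Source         Port  Destination    Port  Proto  SA
192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out'

# Flows we expect from the ike and flow lines in /etc/ipsec.conf, one
# "source destination" pair per line, written the way netstat prints them.
EXPECTED_FLOWS='10.1/16 192.168.90/24
192.168.90/24 10.1/16
default 192.168.90/24
192.168.90/24 default'

# unexpected_flows FLOWS EXPECTED
# Prints "source destination sa" for every flow line not in EXPECTED.
unexpected_flows() {
    printf '%s\n' "$1" | EXPECTED="$2" awk '
    BEGIN {
        n = split(ENVIRON["EXPECTED"], lines, "\n")
        for (i = 1; i <= n; i++)
            if (lines[i] != "") ok[lines[i]] = 1
    }
    $1 == "Source" { next }      # column header
    NF < 6 { next }              # blank or truncated line
    {
        key = $1 " " $3          # source and destination columns
        if (!(key in ok)) print key " " $6
    }'
}

# check_live_flows: the same test against the running kernel (OpenBSD only;
# assumes netstat -nrf encap is available). Returns 1 if anything is
# installed that is not in EXPECTED_FLOWS, so it can be run from cron.
check_live_flows() {
    found=$(unexpected_flows "$(netstat -nrf encap)" "$EXPECTED_FLOWS")
    [ -z "$found" ] && return 0
    printf 'unexpected flows:\n%s\n' "$found" >&2
    return 1
}

# Demonstration on the constructed sample: the two 192.168.71/24 flows
# are reported, the default <-> 192.168.90/24 flows match the configuration.
unexpected_flows "$SAMPLE_FLOWS" "$EXPECTED_FLOWS"
```

On the box itself, `check_live_flows` is the call to run; the expected list has to be maintained by hand alongside ipsec.conf, since an unexpected flow that quietly tunnels or bypasses traffic is exactly the misconfiguration the question is about.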
