Hello, I have IPsec VPNs in tunnel mode, configured in ipsec.conf with a line like:

    ike active esp tunnel from <my_internal_net> to <his_internal_net> peer <his_gateway_address> <main_mode_parameters> <quick_mode_parameters> <preshared_key>

My isakmpd.policy file is:

    # cat /etc/isakmpd/isakmpd.policy
    Keynote-version: 2
    Authorizer: "POLICY"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";

Everything works fine. But today, one of the remote gateways was replaced by a misconfigured new one, leading to the following phase-2 packet:

    13:29:01.098526 <remote_gateway_ip>.500 > <my_gateway_ip>.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 70de03ee348066c9->76aabe706bed52c2 msgid: 301c68c8 len: 300
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcb2d2b94
                payload: TRANSFORM len: 32
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute KEY_LENGTH = 128
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 328)

Please note that both ID parameters in this packet are 0.0.0.0. This led to a routing entry (made by isakmpd, I suppose):

    # netstat -rn | grep his_ip
    default 0 default 0 0 <remote_gateway_ip>/esp/use/in
    default 0 default 0 0 <remote_gateway_ip>/esp/require/out

This route virtually disconnected my gateway from the external and from the internal network; no ping to any address was successful.

I would like to ask:

1. Is it true that isakmpd is supposed to accept any ID parameter of type IPV4_ADDR_SUBNET in quick mode and set up a corresponding route, even when it is the 'default' route?

2. What would I have to change to only accept those remote network IDs that are configured in ipsec.conf?
Thanks
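A restrictive isakmpd.policy of the kind the second question is after, added here as an example and not taken from the original post or from the isakmpd project: it grants a phase-2 SA only when the remote and local selectors offered in quick mode lie inside one fixed subnet each, so a peer proposing 0.0.0.0/0.0.0.0 is refused instead of becoming a default flow. The two /24 ranges are constructed stand-ins for <his_internal_net> and <my_internal_net>; the remote_filter_* and local_filter_* attributes are the selector attributes isakmpd exposes to KeyNote, as documented in isakmpd.policy(5).

```keynote
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            remote_filter_type == "IPv4 subnet" &&
            remote_filter_addr_lower == "192.0.2.0" &&
            remote_filter_addr_upper == "192.0.2.255" &&
            local_filter_type == "IPv4 subnet" &&
            local_filter_addr_lower == "198.51.100.0" &&
            local_filter_addr_upper == "198.51.100.255" -> "true";
```

For the packet quoted above, isakmpd derives remote_filter_addr_lower = 0.0.0.0 and remote_filter_addr_upper = 255.255.255.255 from the 0.0.0.0/0.0.0.0 ID, so the comparison fails and no SA or route is installed. One such assertion per tunnel (separated by a blank line) covers several peers with different subnets.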