Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-13 Thread Pawel Wieleba
On Wed, Sep 07, 2011 at 07:25:02PM +0200, Markus Friedl wrote: On Sat, Aug 27, 2011 at 10:20:38PM +0200, Axel Rau wrote: On 19.07.2011 at 21:45, Markus Friedl wrote: All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-10 Thread Axel Rau
On 07.09.2011 at 19:25, Markus Friedl wrote: however, i think this could help Pawel. you need to recompile the kernel (and maybe some userland like netstat/route/ipsecctl). Seems to fix the bug. More testing this evening. Axel

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-08 Thread Stuart Henderson
On Wed, 7 Sep 2011 22:05:42 +0100, owner-b...@openbsd.org wrote: On 07.09.2011 at 19:25, Markus Friedl wrote: no, that's different. you probably have to set up bypass flows in ipsec.conf. I'm using isakmpd.conf and must convert to ipsec.conf to use bypass flows. No need to touch your

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-07 Thread Markus Friedl
On Sat, Aug 27, 2011 at 10:20:38PM +0200, Axel Rau wrote: On 19.07.2011 at 21:45, Markus Friedl wrote: All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing table and I could not find an easy fix. Does this explain why I

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-08-27 Thread Axel Rau
On 19.07.2011 at 21:45, Markus Friedl wrote: All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing table and I could not find an easy fix. Does this explain why I can't reach A from B and vice versa?

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-29 Thread Markus Friedl
I think the problem is that the flow with the most specific source-network wins. On Thursday, 28 July 2011 at 14:24, Pawel Wieleba wrote: On Tue, Jul 19, 2011 at 09:33:49PM +0100, Stuart Henderson wrote: On 2011/07/19 21:45, Markus Friedl wrote: All OpenBSD versions should have this

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-28 Thread Pawel Wieleba
On Tue, Jul 19, 2011 at 09:33:49PM +0100, Stuart Henderson wrote: On 2011/07/19 21:45, Markus Friedl wrote: All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing table and I could not find an easy fix. The easiest fix if you

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-19 Thread Stuart Henderson
On 2011/07/19 21:45, Markus Friedl wrote: All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing table and I could not find an easy fix. The easiest fix if you control both ends is probably to just use gif(4) tunnels. For people who