On 2015/08/19 18:52, Witold Cichoń wrote:
> Hello
>
> I use OpenBSD version 5.7.
> I noticed a problem with the routing of the IPsec.
> I'm trying to redirect all traffic from a private subnet (192.168.127.0/24)
> to another host.
..
> FLOWS:
> flow esp in from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
> flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
..
> I am trying to ping a host directly connected to the host A, but all packets
> are going in IPsec channel (interface enc0). I think packets should go to
> interface rl0.

OpenBSD's ipsec implementation is flow-based, not route-based. It will hoover
up all packets matching the flow irrespective of route table entries directing
them elsewhere (including your local connected routes). You need a bypass flow
to go with this 0.0.0.0/0 entry.

> In previous versions of OpenBSD the command netstat -rn showed routes
> associated with IPsec. In version 5.7, this information was gone. Is there
> any other way to see the routes associated with IPsec?

The best I think you can find at the moment is the FLOWS section in
"ipsecctl -sa".
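The bypass flow the reply recommends, written out as an ipsec.conf(5) fragment. This is an added example, not configuration posted by either participant; it assumes the network directly attached to host A on rl0 is 192.168.1.0/24 (a placeholder, substitute the real prefix) and reuses the peer b.b.b.b and the two catch-all flows from the original report. Flow lookup picks the most specific matching entry, so the narrower bypass flows win over the 0.0.0.0/0 flows for local traffic.

```conf
# Added example for /etc/ipsec.conf; not from the thread.
# Assumption: the directly connected network on rl0 is 192.168.1.0/24
# (placeholder). b.b.b.b is the remote IPsec peer from the original flows.

# Local traffic between the private subnet and the directly connected
# network must not be captured by the catch-all flows: mark it bypass.
# A flow without "in"/"out" installs both directions.
flow from 192.168.127.0/24 to 192.168.1.0/24 type bypass
flow from 192.168.1.0/24 to 192.168.127.0/24 type bypass

# Catch-all flows from the original report, tunnelled to b.b.b.b.
flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
flow esp in from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
```

Check the syntax without loading it with `ipsecctl -n -f /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and confirm the installed entries with `ipsecctl -sf` (flows only) or the FLOWS section of `ipsecctl -sa`. To verify the fix, ping the directly connected host while watching `tcpdump -ni rl0`: the ICMP should appear there and no longer on enc0.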