I'm sorry, I missed a sentence:

You need a bypass flow to go with this 0.0.0.0/0 entry.

Any advice on how to do that?



Stuart Henderson wrote:
> On 2015/08/19 18:52, Witold Cichoń wrote:
>> Hello
>>
>> I use OpenBSD version 5.7.
>> I noticed a problem with the routing of the IPsec.
>> I'm trying to redirect all traffic from a private subnet (192.168.127.0/24)
>> to another host.
>> ..
>> FLOWS:
>> flow esp in from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
>> flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
>> ..
>>
>> I am trying to ping a host directly connected to the host A, but all packets
>> are going into the IPsec channel (interface enc0). I think packets should go to
>> interface rl0.
>
> OpenBSD's ipsec implementation is flow-based, not route-based. It will
> hoover up all packets matching the flow irrespective of route table
> entries directing them elsewhere (including your local connected routes).
>
> You need a bypass flow to go with this 0.0.0.0/0 entry.
>
>> In previous versions of OpenBSD the command netstat -rn showed routes
>> associated with IPsec. In version 5.7, this information was gone. Is there
>> any other way to see the routes associated with IPsec?
>
> The best I think you can find at the moment is the FLOWS section
> in "ipsecctl -sa".
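As an added example (not from this thread or from either poster), this is what an ipsec.conf(5) carrying the bypass flow Stuart refers to could look like. It assumes 192.168.127.0/24 is the LAN on rl0; 192.168.128.0/24 is a placeholder for any other network directly connected to host A, and b.b.b.b is the remote peer as quoted above.

```conf
# Added example, not from the thread. The kernel picks the most specific
# matching flow, so a /24-to-/24 bypass wins over the 0.0.0.0/0 require
# flows and that traffic stays on rl0 instead of being pulled into enc0.
# ASSUMPTION: 192.168.127.0/24 is the LAN on rl0.
# ASSUMPTION: 192.168.128.0/24 is a placeholder for another directly
#             connected network on host A; drop or adjust as needed.

# Traffic that must stay on the local wire (both directions, no peer)
flow esp from 192.168.127.0/24 to 192.168.127.0/24 type bypass
flow esp from 192.168.127.0/24 to 192.168.128.0/24 type bypass

# Everything else from the LAN goes to the peer (the original flows)
flow esp in  from 0.0.0.0/0 to 192.168.127.0/24 peer b.b.b.b type require
flow esp out from 192.168.127.0/24 to 0.0.0.0/0 peer b.b.b.b type require
```

Parse-check it with `ipsecctl -n -f /etc/ipsec.conf` before loading; afterwards `ipsecctl -sf` lists the installed flows, including the bypass entries, which is the view that replaced the old netstat -rn output.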