Hi!
I use ipsec (isakmpd with /etc/ipsec.conf and ipsecctl) on OpenBSD v.
4.9 with a very vanilla configuration (in rdomain 0) and it works (the
other end is also OpenBSD but v. 4.8, same observations there). And I
use rdomains, which also work.
But the strange thing is that the encap routing entries, which I guess
are supposed to be in rdomain 0, also appear in others, i.e. I see the same
entries when issuing
# route -n show -encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.10/24      0     10.0.7/24          0     0     10.50.96.138/esp/use/in
10.0.7/24          0     192.168.10/24      0     0     10.50.96.138/esp/require/out

# route -T 58 -n show -encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.10/24      0     10.0.7/24          0     0     10.50.96.138/esp/use/in
10.0.7/24          0     192.168.10/24      0     0     10.50.96.138/esp/require/out
Is this expected behaviour, or should I consider using something in my
configuration to suppress it? Actually, I have tried to use the network
behind ipsec from rdomain 58, although I believe that even in case it is
possible, this access could be easily controlled with appropriate pf rules.
Imre
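An added diagnostic script (not part of Imre's post) that reduces the encap table printed by `route -T <rdomain> -n show -encap` to a comparable list of flows and reports how many of rdomain 0's IPsec flows are also visible in each other rdomain, so an admin can audit which rdomains expose the same flows before writing pf rules. The rdomain list, the temporary file names and the `collect_encap` wrapper around the real `route` command are assumptions; the parser runs offline on captured output.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenBSD itself.

# Reduce one `route ... show -encap` dump (read from stdin) to sorted
# "src dst proto sa" tuples, one per line. Header lines are skipped:
# "Routing tables" (2 fields), "Encap:" (1 field) and the column
# header, which has 6 fields but starts with "Source".
encap_flows() {
    awk 'NF == 6 && $1 != "Source" { print $1, $3, $5, $6 }' | sort
}

# Run the real command for one rdomain (assumes an OpenBSD host where
# `route -T` is available) and normalise its output.
collect_encap() {
    route -T "$1" -n show -encap 2>/dev/null | encap_flows
}

# Count flows present in both normalised dumps (given as files).
shared_flow_count() {
    comm -12 "$1" "$2" | wc -l | tr -d ' '
}

# For each rdomain given on the command line, report how many of the
# flows in rdomain 0 are also shown there. A non-zero count for an
# rdomain that is not supposed to carry IPsec traffic is worth a pf rule.
report_shared_flows() {
    base=$(mktemp) || return 1
    collect_encap 0 > "$base"
    for rd in "$@"; do
        other=$(mktemp) || { rm -f "$base"; return 1; }
        collect_encap "$rd" > "$other"
        printf 'rdomain %s shares %s of %s flow(s) with rdomain 0\n' \
            "$rd" "$(shared_flow_count "$base" "$other")" \
            "$(wc -l < "$base" | tr -d ' ')"
        rm -f "$other"
    done
    rm -f "$base"
}

# Usage on an OpenBSD host (rdomain 58 as in the post): report_shared_flows 58
```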