Hi, "from 10.1.0.0/16" is the network id that I would negotiate with the remote peer. "(0.0.0.0/0)" is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel.
192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in
10.1/16 0 192.168.71/24 0 0 W.X.Y.Z/esp/require/out

Why this flow? I would expect only flows defined in the configuration files.

Thanks
Andrea

On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser <damons...@yahoo.com> wrote:
> 1. what is the (0.0.0.0/0) good for?
> 2. how are you inspecting traffic in the tunnel?
> 3. is nat allowed in the tunnel?
> 4. you may have let in more networks than you realize
> -damon
>
> --- On Thu, 11/25/10, Andrea Parazzini <a.parazz...@sirtisistemi.net> wrote:
>
> From: Andrea Parazzini <a.parazz...@sirtisistemi.net>
> Subject: ipsec vpn unexpected flow
> To: misc@openbsd.org
> Date: Thursday, November 25, 2010, 2:40 PM
>
> Hi,
> we have a vpn connection with a customer.
> The remote peer is not under our management.
> Our box is an OpenBSD 4.7 i386.
> We have configured the vpn as follows:
>
> /etc/rc.conf.local
> ipsec=YES
> isakmpd_flags="-K -v"
>
> /etc/ipsec.conf
> ike active esp tunnel \
>     from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
>     local A.B.C.D peer W.X.Y.Z \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des group modp1024 \
>     psk "PRESHAREDKEY"
>
> The vpn works fine, but there is a strange thing.
> With "netstat -nrf encap" I see something like:
>
> Source         Port  Destination    Port  Proto  SA
> 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
> 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
> 192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
> default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
>
> As you can see there is a flow that is not configured on our box.
> It is probably configured on the remote peer.
> Is this normal behavior?
> How can I protect myself from an incorrect configuration on the remote peer?
>
> Thanks.
>
> Regards,
> Andrea
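The question in the thread is how to notice when the kernel flow table contains entries that the local ipsec.conf never asked for. The script below is an added example, not code from the thread or from OpenBSD; it parses "netstat -nrf encap" output in the column layout shown above (the sample table is constructed from the thread), derives the allowed local and remote networks from the single posted ipsec.conf rule, and reports every flow whose endpoints fall outside them. The names expand_prefix, parse_encap_table and audit_flows are my own; the rule that a flow is "expected" only when its remote side lies inside a configured remote network (and its local side inside a configured local network) is my assumption, chosen so that a peer that narrows a configured network is still accepted while a peer that adds a new network is flagged.

```python
"""Audit the IPsec flow table (netstat -nrf encap) against the networks in
ipsec.conf and list flows that were not configured locally.

Added example for the thread above; not OpenBSD code.  Assumes the column
layout of "netstat -nrf encap" shown in the thread and a single ipsec.conf
rule of the form "from LOCAL (LOCAL_REAL) to REMOTE".
"""
import ipaddress
from collections import namedtuple

# Constructed sample: the table posted in the thread, verbatim.
SAMPLE_NETSTAT = """\
Source Port Destination Port Proto SA
192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in
10.1/16 0 192.168.71/24 0 0 W.X.Y.Z/esp/require/out
192.168.90/24 0 default 0 0 W.X.Y.Z/esp/use/in
default 0 192.168.90/24 0 0 W.X.Y.Z/esp/require/out
"""

# Taken from the posted ipsec.conf rule:
#   from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24
# Both the negotiated id (10.1.0.0/16) and the real network behind the NAT
# (0.0.0.0/0) count as "ours"; only 192.168.90.0/24 is an allowed remote side.
# Because 0.0.0.0/0 is in the local list, the local-side check is trivially
# satisfied here and the audit effectively hinges on the remote side.
CONFIGURED_LOCAL = [ipaddress.ip_network("10.1.0.0/16"),
                    ipaddress.ip_network("0.0.0.0/0")]
CONFIGURED_REMOTE = [ipaddress.ip_network("192.168.90.0/24")]

Flow = namedtuple("Flow", "src dst ipproto peer level direction")


def expand_prefix(text):
    """Turn netstat's abbreviated prefixes ('10.1/16', 'default') into networks."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # "10.1" -> "10.1.0.0"
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))


def parse_encap_table(text):
    """Parse 'netstat -nrf encap' output into Flow records (header skipped)."""
    flows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue                                # blank or unexpected line
        src, _sport, dst, _dport, _proto, sa = fields
        peer, ipproto, level, direction = sa.split("/")   # W.X.Y.Z/esp/use/in
        flows.append(Flow(expand_prefix(src), expand_prefix(dst),
                          ipproto, peer, level, direction))
    return flows


def audit_flows(flows, local_nets, remote_nets):
    """Return the flows whose endpoints are not covered by the configured networks.

    For an 'in' flow the source is the remote side; for 'out' the destination is.
    A flow is accepted only if its remote side is inside a configured remote
    network and its local side inside a configured local network.
    """
    unexpected = []
    for f in flows:
        local, remote = (f.dst, f.src) if f.direction == "in" else (f.src, f.dst)
        ok_local = any(local.subnet_of(n) for n in local_nets)
        ok_remote = any(remote.subnet_of(n) for n in remote_nets)
        if not (ok_local and ok_remote):
            unexpected.append(f)
    return unexpected


if __name__ == "__main__":
    # On a real box replace SAMPLE_NETSTAT with the output of: netstat -nrf encap
    for f in audit_flows(parse_encap_table(SAMPLE_NETSTAT),
                         CONFIGURED_LOCAL, CONFIGURED_REMOTE):
        print("unexpected flow: %s -> %s (%s/%s/%s, peer %s)"
              % (f.src, f.dst, f.ipproto, f.level, f.direction, f.peer))
```

On the sample table this reports the two 192.168.71/24 flows and nothing else, which matches what the poster noticed by eye; run periodically (or from a monitoring check) it turns the manual inspection into something that fires when the peer's configuration changes.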