Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-13 Thread Pawel Wieleba
On Wed, Sep 07, 2011 at 07:25:02PM +0200, Markus Friedl wrote: > On Sat, Aug 27, 2011 at 10:20:38PM +0200, Axel Rau wrote: > > > > On 19.07.2011 at 21:45, Markus Friedl wrote: > > > > > All OpenBSD versions should have this problem as it's due to the way how > > > IPsec-flows are encoded in the

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-10 Thread Axel Rau
On 07.09.2011 at 19:25, Markus Friedl wrote: > however, i think this could help Pawel. you need to recompile > the kernel (and maybe some userland like netstat/route/ipsecctl). Seems to fix the bug. More testing this evening. Axel --- PGP-Key:29E99DD6 b +49 151 2300 9283 b computing @ chaos

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-08 Thread Stuart Henderson
On Wed, 7 Sep 2011 22:05:42 +0100, owner-b...@openbsd.org wrote: > On 07.09.2011 at 19:25, Markus Friedl wrote: > > > no, that's different. you probably have to set up > > bypass flows in ipsec.conf. > I'm using isakmpd.conf and must convert to ipsec.conf to use bypass flows. No need to touch you

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-07 Thread Axel Rau
On 07.09.2011 at 19:25, Markus Friedl wrote: > no, that's different. you probably have to set up > bypass flows in ipsec.conf. I'm using isakmpd.conf and must convert to ipsec.conf to use bypass flows. > > however, i think this could help Pawel. you need to recompile > the kernel (and maybe some u

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-09-07 Thread Markus Friedl
On Sat, Aug 27, 2011 at 10:20:38PM +0200, Axel Rau wrote: > > On 19.07.2011 at 21:45, Markus Friedl wrote: > > > All OpenBSD versions should have this problem as it's due to the way how > > IPsec-flows are encoded in the routing table and I could not find an easy > > fix. > Does this explain, w

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-08-27 Thread Axel Rau
On 19.07.2011 at 21:45, Markus Friedl wrote: > All OpenBSD versions should have this problem as it's due to the way how > IPsec-flows are encoded in the routing table and I could not find an easy > fix. Does this explain why I can't reach A from B and vice versa? In

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-29 Thread Markus Friedl
I think the problem is that the flow with the most specific source-network wins On Thursday, 28 July 2011 at 14:24, Pawel Wieleba wrote: > On Tue, Jul 19, 2011 at 09:33:49PM +0100, Stuart Henderson wrote: > > On 2011/07/19 21:45, Markus Friedl wrote: > > > All OpenBSD versions should have

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-28 Thread Pawel Wieleba
On Tue, Jul 19, 2011 at 09:33:49PM +0100, Stuart Henderson wrote: > On 2011/07/19 21:45, Markus Friedl wrote: > > All OpenBSD versions should have this problem as it's due to the way how > > IPsec-flows are encoded in the routing table and I could not find an easy > > fix. > > The easiest fix if

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-19 Thread Stuart Henderson
On 2011/07/19 21:45, Markus Friedl wrote: > All OpenBSD versions should have this problem as it's due to the way how > IPsec-flows are encoded in the routing table and I could not find an easy > fix. The easiest fix if you control both ends is probably to just use gif(4) tunnels. For people who

Re: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-19 Thread Markus Friedl
All OpenBSD versions should have this problem as it's due to the way how IPsec-flows are encoded in the routing table and I could not find an easy fix. On Tue, Jul 19, 2011 at 2:28 PM, Pawel Wieleba wrote: > To: gn...@openbsd.org > Subject: [ipsec routing] IP frame is sent to the wrong IPSEC p

[ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but should be routed to the network with the most narrow netmask.

2011-07-19 Thread Pawel Wieleba
To: gn...@openbsd.org Subject: [ipsec routing] IP frame is sent to the wrong IPSEC peer when using srcnat, but it should be routed to the network with the most narrow netmask. From: p.wiel...@iem.pw.edu.pl Cc: bugs@openbsd.org Reply-To: p.wiel...@iem.pw.edu.pl >Synopsis: [ipsec routing] IP f