Re: openbsd 3.5 kernel routing problem with isakmpd - bug ?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: openbsd 3.5 kernel routing problem with isakmpd - bug ?
- From: Thomas Boernert <tb_(_at_)_tbits_(_dot_)_net>
- Date: Wed, 15 Sep 2004 20:59:50 +0200
- Organization: TBits.net GmbH
I'm using isakmpd with isakmpd.conf.
I've found no bypass option!?
Is it possible to use isakmpd.conf and ipsecadm at the same time?
Thanks for the help.
On Wed, 2004-09-15 at 19:48, Stephan Tesch wrote:
> On Wednesday 15 September 2004 18:30, Hakan Olsson wrote:
> Hi Hakan,
> > > isakmpd tunnel
> > > 10.1.32.0/24 <-> 10.0.0.0/8
> > Since you tunnel to the entire 10 network, and this (at least) encompasses
> > the entire 10.1.32.0/24 network, it may be that you need to use
> > "ipsecadm flow -bypass ..." to specify networks that specifically should
> > *not* be encapsulated in IPsec.
> Well, this is clearly the opposite of what is stated in the ipsec(4) manpage.
> There you can read
> " UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
> UL/R <-------- PF/NAT(enc0) <- IPsec -> PF/NAT(IF) <- IF
> With IF being the real interface and UL/R the Upper Layer or Routing
> code. The [X] Stage on the output path represents the point where the
> packet is matched against the IPsec flow database (SPD) to determine if
> and how the packet has to be IPsec-processed."
> I might misinterpret this, but I always thought that the routing decision is
> made before any ipsec stuff is handled. So, the routing decision should say,
> that this packet is destined for local use (or for another attached subnet,
> which would be my configuration) and NOT processed by the IPsec stack. I
> think the manpage needs some clarification on this point.
> > Experiment with -bypass. For instance,
> > "ipsecadm flow -bypass -addr 10.1.10.0/24 10.1.10.0/24"
> > will cause any traffic with SRC and DST ip within that net to be sent in
> > the clear.
> But thanks for the bypass advice. I got a really old problem solved with that
> nasty little line :-)
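As an added example, not code from the thread or from OpenBSD: a small Python model of the flow database (SPD) lookup Hakan describes, using the thread's own addresses. It assumes most-specific-match semantics (the flow with the longest combined source/destination prefix wins), which is how a radix-tree SPD resolves overlapping flows; the action names are illustrative labels, not ipsecadm syntax.

```python
"""Toy IPsec flow database (SPD) lookup, constructed to show why a
bypass flow is needed when the tunnel's destination net (10.0.0.0/8)
swallows the local LAN (10.1.32.0/24). Not OpenBSD code."""
import ipaddress
from typing import List, Tuple

# One SPD entry: (source network, destination network, action).
# "require" = encapsulate in IPsec, "bypass" = send in the clear.
Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]


def make_flow(src: str, dst: str, action: str) -> Flow:
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


def lookup(spd: List[Flow], src: str, dst: str) -> str:
    """Return the action for a packet src->dst. Among all matching flows
    the most specific one (longest combined prefix) wins; "none" means
    no flow matched and the packet is simply routed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = "none", -1
    for fsrc, fdst, action in spd:
        if s in fsrc and d in fdst:
            specificity = fsrc.prefixlen + fdst.prefixlen
            if specificity > best_len:
                best, best_len = action, specificity
    return best


# The tunnel from the thread: 10.1.32.0/24 <-> 10.0.0.0/8 (one direction shown).
TUNNEL_ONLY = [make_flow("10.1.32.0/24", "10.0.0.0/8", "require")]

# Same SPD plus a bypass flow for LAN-internal traffic, in the spirit of the
# "ipsecadm flow -bypass" line quoted above (that example used 10.1.10.0/24;
# here the LAN itself is the assumed local net).
WITH_BYPASS = TUNNEL_ONLY + [make_flow("10.1.32.0/24", "10.1.32.0/24", "bypass")]

if __name__ == "__main__":
    for name, spd in (("tunnel only", TUNNEL_ONLY), ("with bypass", WITH_BYPASS)):
        print(name,
              "LAN->LAN:", lookup(spd, "10.1.32.5", "10.1.32.9"),
              "LAN->remote:", lookup(spd, "10.1.32.5", "10.2.0.7"))
```

With only the tunnel flow, a packet between two hosts on the same LAN still matches 10.0.0.0/8 and gets encapsulated; the more specific bypass entry takes precedence and restores plain delivery for that case.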