
Re: openbsd 3.5 kernel routing problem with isakmpd - bug ?



Hi Hakan,

I'm using isakmpd with isakmpd.conf.
I've found no bypass option!?
Is it possible to use isakmpd.conf and ipsecadm at the same time?

thanks for help

-Thomas

On Wed, 2004-09-15 at 19:48, Stephan Tesch wrote:
> On Wednesday 15 September 2004 18:30, Hakan Olsson wrote:
> 
> Hi Hakan,
> 
> > > isakmpd tunnel
> > > 10.1.32.0/24 <-> 10.0.0.0/8
> >
> > Since you tunnel to the entire 10 network, and this (atleast) encompasses
> > the entire 10.1.32.0/24 network, it may be that you need to use
> > "ipsecadm flow -bypass ..." to specify networks that specifically should
> > *not* be encapsulated in IPsec.
> 
> Well, this is clearly the opposite of what is stated in the ipsec(4) manpage. 
> There you can read
> 
> "         UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
>            UL/R <-------- PF/NAT(enc0) <- IPsec -> PF/NAT(IF) <- IF
> 
>      With IF being the real interface and UL/R the Upper Layer or Routing
>      code.  The [X] Stage on the output path represents the point where the
>      packet is matched against the IPsec flow database (SPD) to determine if
>      and how the packet has to be IPsec-processed."
> 
> I might misinterpret this, but I always thought that the routing decision is 
> made before any ipsec stuff is handled. So, the routing decision should say, 
> that this packet is destined for local use (or for another attached subnet, 
> which would be my configuration) and NOT processed by the IPsec stack. I 
> think the manpage needs some clarification on this point.
> 
> > Experiment with -bypass. For instance,
> >    "ipsecadm flow -bypass -addr 10.1.10.0/24 10.1.10.0/24"
> > will cause any traffic with SRC and DST ip within that net to be sent in
> > the clear.
> 
> But thanks for the bypass advice. I got a really old problem solved with that 
> nasty little line :-)
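An added example, not part of this thread and not OpenBSD code: a small Python model of the flow-database ([X] stage) lookup that the ipsec(4) excerpt above describes. It shows why a single tunnel flow 10.1.32.0/24 <-> 10.0.0.0/8 also captures traffic that stays inside 10.1.32.0/24, and how a more specific bypass flow for that subnet sends it in the clear instead. The most-specific-match rule, the flow list and the sample addresses are assumptions of the model (the kernel keeps its SPD in a radix tree and this is not a description of that code); the `bypass_command` helper only renders the `ipsecadm flow -bypass -addr` form quoted by Hakan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# One entry of a simplified IPsec flow database (SPD).
# action is "ipsec" (encapsulate) or "bypass" (send in the clear).
@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str

def flow(src: str, dst: str, action: str) -> Flow:
    return Flow(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

def lookup(spd: List[Flow], src_ip: str, dst_ip: str) -> Optional[Flow]:
    """Return the most specific flow matching (src, dst), or None.

    Assumption of this model: the flow whose src and dst prefixes are
    longest in total wins, so a /24<->/24 bypass beats a /24<->/8 tunnel.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Flow] = None
    for f in spd:
        if src in f.src and dst in f.dst:
            if best is None or (f.src.prefixlen + f.dst.prefixlen) > (
                best.src.prefixlen + best.dst.prefixlen
            ):
                best = f
    return best

def decide(spd: List[Flow], src_ip: str, dst_ip: str) -> str:
    """Outcome of the [X] stage for one packet: 'ipsec' or 'clear'."""
    f = lookup(spd, src_ip, dst_ip)
    if f is None:
        return "clear"  # no flow matched: packet is routed normally
    return "clear" if f.action == "bypass" else "ipsec"

def bypass_command(net: str) -> str:
    """Render the ipsecadm line (form quoted in the thread) for a local bypass flow."""
    return f"ipsecadm flow -bypass -addr {net} {net}"

# Constructed SPDs mirroring the thread: the tunnel alone, then tunnel + bypass.
TUNNEL_ONLY = [flow("10.1.32.0/24", "10.0.0.0/8", "ipsec")]
WITH_BYPASS = TUNNEL_ONLY + [flow("10.1.32.0/24", "10.1.32.0/24", "bypass")]

if __name__ == "__main__":
    cases = [("10.1.32.5", "10.1.32.9"),    # stays inside the local subnet
             ("10.1.32.5", "10.2.0.1"),     # genuinely remote, should be tunnelled
             ("10.1.32.5", "192.168.1.1")]  # matches no flow at all
    for s, d in cases:
        print(f"{s} -> {d}: tunnel only = {decide(TUNNEL_ONLY, s, d):5s}  "
              f"with bypass = {decide(WITH_BYPASS, s, d)}")
    print(bypass_command("10.1.32.0/24"))
```

Without the bypass, host-to-host traffic inside 10.1.32.0/24 is matched by the broad /8 tunnel flow and encapsulated; with it, the more specific bypass wins for that subnet while traffic to the rest of 10.0.0.0/8 is still tunnelled.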
