[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

more ipsec questions



Ok, I'm starting to understand some of these openbsdism
a little more, but I have some questions still.

Example net:

                     IPSEC
       WEST----[gw1]========[gw2]----EAST

What are the conditions in the isakmpd config that I do
not need to set up flows manually?

To route WEST to EAST at gw1 through the tunnel it appears
I need:
    - flow out WEST to EAST 
    - flow in EAST to WEST
    - route for EAST pointing to gw2
correct?

If the tunnel was established between gw1 and gw2 and
set up to route WEST<->EAST traffic over it, and gw1 and
gw2 tried to ping each other, will this also use the
ipsec tunnel?  It appears not.  What is required here
to set that up?  Just add more flows?  Augment the
isakmpd.conf?

In my case, it appears that without adding any more flows,
my gw1 will send out a plaintext "ping".  My gw2 (which
is not running openbsd) will send back the PONG in an ESP
packet.  If I set up flows for gw1 to gw2, gw1 sends out
ESP encapsulated packets but I get no reply.  If gw2 tries
to ping gw1, gw2 sends my openbsd box an ESP encapsulated
ping, and my gw1 sends back a plaintext PONG.


NOTE:
I noticed that flows are listed in netstat -rn output,
I dont remember reading this anywhere, but it has helped
immensely.  Perhaps this should be documented.


Tim N.