On 15.10.2023. 18:56, Stuart Henderson wrote:
> On 2023-10-15, [email protected] <[email protected]> wrote:
>> What is a better way to configure iked on site-obsd so that it does not
>> encapsulate local traffic on the 10.89.2.0/24 network? Obviously my
>> understanding is incorrect, so any help is appreciated.
> 
> You should be able to add a bypass flow in ipsec.conf, and set ipsec=YES
> but *not* isakmpd_flags in rc.conf.local.
> 
> To load manually without rebooting, ipsecctl -f /etc/ipsec.conf
> 

Hi,

just to confirm what Stuart said...

I'm running a firewall that routes 10.9/16, and that network needs to go
out through an ipsec tunnel.

ike esp from 10.9.0.0/16 to any
Besides 10.9/16 it routes other networks, and because I have "10.9/16 to
any" I need to exclude traffic that originates from 10.9/16 to other
directly connected networks on that firewall ...


ipsec.conf

ike esp from 10.9.0.0/16 to any \
        local X peer Y

flow from 10.9.0.0/16 to 224.0.0.18/32 type bypass  # this one is carp
flow from 10.9.0.0/16 to 10.9.0.0/16 type bypass    # don't remember, but
                                                    # it must be something

# other directly connected networks
flow from 10.9.0.0/16 to 10.8.0.0/16 type bypass
flow from 10.9.0.0/16 to 10.7.0.0/16 type bypass


ipsecctl -sa
flow esp in from 10.8.0.0/16 to 10.9.0.0/16 type bypass
flow esp in from 10.9.0.0/16 to 10.9.0.0/16 type bypass
flow esp in from 10.7.0.0/16 to 10.9.0.0/16 type bypass

flow esp out from 10.9.0.0/16 to 10.8.0.0/16 type bypass
flow esp out from 10.9.0.0/16 to 10.9.0.0/16 type bypass
flow esp out from 10.9.0.0/16 to 10.7.0.0/16 type bypass
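A small check, added here as an example and not part of the mail above, that confirms the bypass flows for the directly connected networks actually got loaded: it parses `ipsecctl -sa` flow lines in the format quoted above (one "in" and one "out" bypass flow per network), derives the flows that should exist for a given tunnel source network and list of local networks, and reports whichever are missing. The sample output below is constructed from the lines in the mail; the function and variable names are this example's own.

```python
"""Verify that ipsec bypass flows for directly connected networks are loaded.

For a tunnel that encapsulates "from <tunnel_net> to any", every directly
connected network needs two bypass flows in the kernel:
  out: from <tunnel_net> to <local_net>
  in:  from <local_net>  to <tunnel_net>
This script compares the expected set against parsed `ipsecctl -sa` output.
"""
import ipaddress
import re
import subprocess

# One flow line as printed by `ipsecctl -sa`, e.g.
#   flow esp out from 10.9.0.0/16 to 10.8.0.0/16 type bypass
# Extra fields between the destination and "type" (peer, srcid, ...) are skipped.
FLOW_RE = re.compile(
    r"^flow\s+\S+\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r".*?\btype\s+(?P<type>\S+)"
)

# Constructed sample modelled on the ipsecctl -sa output quoted in the mail.
SAMPLE_OUTPUT = """\
flow esp in from 10.8.0.0/16 to 10.9.0.0/16 type bypass
flow esp in from 10.9.0.0/16 to 10.9.0.0/16 type bypass
flow esp in from 10.7.0.0/16 to 10.9.0.0/16 type bypass

flow esp out from 10.9.0.0/16 to 10.8.0.0/16 type bypass
flow esp out from 10.9.0.0/16 to 10.9.0.0/16 type bypass
flow esp out from 10.9.0.0/16 to 10.7.0.0/16 type bypass
"""


def parse_flows(output: str) -> set:
    """Return {(direction, src, dst, type)} for every flow line in the output."""
    flows = set()
    for line in output.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add((m["dir"], m["src"], m["dst"], m["type"]))
    return flows


def expected_bypass_flows(tunnel_net: str, local_nets: list) -> set:
    """Flows the kernel must carry so local traffic is never encapsulated."""
    tunnel = str(ipaddress.ip_network(tunnel_net))
    expected = set()
    for net in local_nets:
        local = str(ipaddress.ip_network(net))  # normalises e.g. 10.8/16 spellings
        expected.add(("out", tunnel, local, "bypass"))
        expected.add(("in", local, tunnel, "bypass"))
    return expected


def missing_bypass_flows(output: str, tunnel_net: str, local_nets: list) -> set:
    """Expected bypass flows that do not appear in the given ipsecctl output."""
    return expected_bypass_flows(tunnel_net, local_nets) - parse_flows(output)


def live_output() -> str:
    """Read the real flow table when running on the firewall itself."""
    return subprocess.run(["ipsecctl", "-sa"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Directly connected networks from the mail, plus the carp multicast address,
    # which the sample output (as quoted) does not show loaded.
    locals_ = ["10.9.0.0/16", "10.8.0.0/16", "10.7.0.0/16", "224.0.0.18/32"]
    try:
        text = live_output()
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_OUTPUT  # not on an OpenBSD box: use the constructed sample
    for flow in sorted(missing_bypass_flows(text, "10.9.0.0/16", locals_)):
        print("missing: flow esp %s from %s to %s type %s" % flow)
```

Run it on the firewall after `ipsecctl -f /etc/ipsec.conf` and an empty result means every local network has its pair of bypass flows; anything printed is traffic that would still be pushed into the tunnel.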
