On Fri, 26 Nov 2010 10:32:59 +0330, Bahador NazariFard <[email protected]> wrote:
> On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini <[email protected]> wrote:
>
>> Hi,
>> "from 10.1.0.0/16" is the network id that I would negotiate with the remote
>> peer.
>> "(0.0.0.0/0)" is our real network, we have a lot of networks behind this box.
>> We perform NAT on traffic leaving through the VPN tunnel.
>>
>> 192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in
>> 10.1/16 0 192.168.71/24 0 0 W.X.Y.Z/esp/require/out
>> Why this flow?
>> I would only like the flows defined in the configuration files.
>>
>> Thanks
>> Andrea
>>
>> On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser <[email protected]> wrote:
>>> 1. what is the (0.0.0.0/0) good for?
>>> 2. how are you inspecting traffic in the tunnel?
>>> 3. is nat allowed in the tunnel?
>>> 4. you may have let in more networks than you realize
>>> -damon
>>>
>>> --- On Thu, 11/25/10, Andrea Parazzini <[email protected]> wrote:
>>>
>>> From: Andrea Parazzini <[email protected]>
>>> Subject: ipsec vpn unexpected flow
>>> To: [email protected]
>>> Date: Thursday, November 25, 2010, 2:40 PM
>>>
>>> Hi,
>>> we have a vpn connection with a customer.
>>> The remote peer is not under our management.
>>> Our box is an OpenBSD 4.7 i386.
>>> We have configured the vpn as follows:
>>>
>>> /etc/rc.conf.local
>>> ipsec=YES
>>> isakmpd_flags="-K -v"
>>>
>>> /etc/ipsec.conf
>>> ike active esp tunnel \
>>>     from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
>>>     local A.B.C.D peer W.X.Y.Z \
>>>     main auth hmac-sha1 enc 3des group modp1024 \
>>>     quick auth hmac-sha1 enc 3des group modp1024 \
>>>     psk "PRESHAREDKEY"
>>>
>>> The vpn works fine, but there is a strange thing.
>>> With "netstat -nrf encap" I see something like:
>>>
>>> Source         Port  Destination    Port  Proto  SA
>>> 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
>>> 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
>>> 192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
>>> default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
>>>
>>> As you can see there is a flow that is not configured on our box.
>>> It is probably configured on the remote peer.
>>> Is this normal behavior?
>>> How can I protect myself from an incorrect configuration on the remote peer?
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Andrea
>
> Please read the ipsec.conf manual page again, especially the "OUTGOING NETWORK
> ADDRESS TRANSLATION" section.
> "10.1.0.0/16 (0.0.0.0/0)" means you want to NAT anything from 10.1.0.0/16 to
> 0.0.0.0/0!
> I think this is so strange. I cannot understand your configuration rule.
> Are you sure your traffic really passes through your IPSec tunnel?

Yes, the traffic passes through the tunnel. The vpn works fine.
If I understand the manual, "10.1.0.0/16 (0.0.0.0/0)" means that I can perform
NAT on traffic leaving through the VPN tunnel to 10.1.0.0/16 addresses.

Thanks.
Andrea
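The question the thread leaves open, how to notice that a peer you do not manage has negotiated a flow your side never configured, can at least be detected on the box itself by comparing the flows isakmpd actually installed (the `netstat -nrf encap` table quoted above) with the `from ... (srcnat) to ...` part of each ipsec.conf rule. The script below is an added example written for this page; it is not code from the thread or from OpenBSD. It embeds the netstat output and the ipsec.conf rule from the messages above as constructed sample input, treats both the negotiated `from` address and the parenthesised srcnat address as acceptable local networks (ipsec.conf(5), OUTGOING NETWORK ADDRESS TRANSLATION, describes the parenthesised address as the true local subnet, which is why the `default <-> 192.168.90/24` pair is expected here), and reports any flow whose remote network is not a configured `to` destination for that peer. The column layout of the sample table is assumed to match what the 4.7 netstat prints, as quoted in the thread.

```python
"""Audit the IPsec flow table of an OpenBSD box against its ipsec.conf.

Added example: compares the flows isakmpd installed (as printed by
`netstat -nrf encap`) with the `from ... (srcnat) to ...` part of each
ipsec.conf rule and reports flows the local configuration never asked for.
The sample input below is constructed from the messages in this thread.
"""
import ipaddress
import re

# netstat -nrf encap output as quoted in the thread (constructed sample input).
NETSTAT_ENCAP = """\
Source         Port  Destination    Port  Proto  SA
192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
"""

# The /etc/ipsec.conf rule from the thread (constructed sample input).
IPSEC_CONF = r"""ike active esp tunnel \
    from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
    local A.B.C.D peer W.X.Y.Z \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk "PRESHAREDKEY"
"""

# Source Port Destination Port Proto SA, with SA = peer/proto/level/direction.
FLOW_RE = re.compile(
    r"^(?P<src>\S+)\s+\d+\s+(?P<dst>\S+)\s+\d+\s+\d+\s+"
    r"(?P<peer>[^/\s]+)/(?P<proto>\w+)/(?P<level>\w+)/(?P<dir>in|out)$"
)
# from <src> [(<srcnat>)] to <dst> ... [peer <peer>]
RULE_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+)(?:\s+\((?P<srcnat>[^)]+)\))?\s+to\s+(?P<dst>\S+)"
    r"(?:.*?\bpeer\s+(?P<peer>\S+))?"
)


def expand_prefix(text):
    """Expand netstat's abbreviated prefixes: 10.1/16 -> 10.1.0.0/16, default -> 0.0.0.0/0."""
    if text in ("default", "any"):
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_flows(netstat_output):
    """One dict per flow; an 'in' flow carries the remote network as its source."""
    flows = []
    for line in netstat_output.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:               # header line or blank
            continue
        src, dst = expand_prefix(m["src"]), expand_prefix(m["dst"])
        local, remote = (dst, src) if m["dir"] == "in" else (src, dst)
        flows.append({"local": local, "remote": remote, "peer": m["peer"],
                      "level": m["level"], "dir": m["dir"], "raw": line.strip()})
    return flows


def parse_rules(conf):
    """Expected (local networks, remote network, peer) per ipsec.conf rule."""
    rules = []
    for line in conf.replace("\\\n", " ").splitlines():
        m = RULE_RE.search(line.split("#", 1)[0])
        if not m:
            continue
        local = {expand_prefix(m["src"])}
        if m["srcnat"]:
            # ipsec.conf(5), OUTGOING NETWORK ADDRESS TRANSLATION: the parenthesised
            # address is the true local subnet, so a flow for it is expected too.
            local.add(expand_prefix(m["srcnat"]))
        rules.append({"local": local, "remote": expand_prefix(m["dst"]), "peer": m["peer"]})
    return rules


def unexpected_flows(flows, rules):
    """Flows for which no rule has the same peer, a matching local net and the same remote net."""
    return [f for f in flows if not any(
        f["remote"] == r["remote"] and f["local"] in r["local"]
        and r["peer"] in (None, f["peer"])
        for r in rules)]


def audit(netstat_output=NETSTAT_ENCAP, conf=IPSEC_CONF):
    """(local, remote, direction) for every flow ipsec.conf does not account for."""
    return [(str(f["local"]), str(f["remote"]), f["dir"])
            for f in unexpected_flows(parse_flows(netstat_output), parse_rules(conf))]


if __name__ == "__main__":
    import sys
    live = sys.stdin.read() if not sys.stdin.isatty() else NETSTAT_ENCAP
    for local, remote, direction in audit(live):
        print(f"unexpected {direction} flow: local {local} <-> remote {remote}")
```

On the thread's data this reports the two `10.1/16 <-> 192.168.71/24` flows and accepts the `default <-> 192.168.90/24` pair. On a live box it can be fed directly with `netstat -nrf encap | python3 audit_flows.py` (the file name is an assumption) and run from cron against the real /etc/ipsec.conf. It is a detective control only: with `-K` in isakmpd_flags, as in the configuration above, isakmpd's KeyNote policy checking is disabled, so which phase 2 networks get flows is decided by what the authenticated peer proposes, not by ipsec.conf, and the script will tell you about such a flow after it has been installed rather than refuse it.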

