Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: OpenBSD IPSEC VPN question
From: Chris Buechler <fw-wiz () chrisbuechler com>
Date: Tue, 30 Apr 2013 19:45:12 -0500

On Mon, Apr 29, 2013 at 6:39 AM, David Lang <david () lang hm> wrote:
I'm seeing some odd reports on the rsyslog mailing list where someone is
climing that when using an IPSEC VPN on OpenBSD they have to explicitly set
the source IP address for all connections out from the firewall (tunnel
endpoint) or else the connection won't go through the tunnel. The person
reporting this is proposing modifications to rsyslog to have it force the
local IP address for outbound connections as a work-around for this problem

This sounds very wrong to me, but can anyone speak up who knows this OS?

This is true of all the BSDs with IPsec (and maybe Linux and other
*nix OSes but not sure of those). Traffic that doesn't have a specific
source IP set gets the source IP that's closest to the destination per
the routing table. IPsec doesn't have a routing table entry, traffic
follows the SPD. So it ends up getting the IP that's nearest the
default gateway, which is most always a public IP, which is most
always not going to match the IPsec SPD. Traffic only goes across the
VPN if the source IP is set to a private local IP matching the SPD.
There's an ugly work around to add a static route pointing the remote
IPsec network to the LAN IP of the box, which will make the OS source
its traffic to that remote network appropriately and not require
specifying the source IP.

Regardless, having an option of what source IP to use for rsyslog
would come in handy in cases other than this and is probably a good

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]