we have a vpn connection with a customer.
The remote peer is not under our management.
Our box is an OpenBSD 4.7 i386.
We have configured the vpn as follows:
ike active esp tunnel \
from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
local A.B.C.D peer W.X.Y.Z \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024
The vpn works fine, but there is a strange thing.
With "netstat -nrf encap" I see something like:
Source         Port  Destination    Port  Proto  SA
192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
As you can see there is a flow that is not configured on our box.
It is probably configured on the remote peer.
Is this normal behavior?
How can I protect myself from an incorrect configuration on the remote
Yes. This is especially fun when you end up accidentally routing
all traffic from a 100mb-connected site down an ADSL link by getting
isakmpd.policy(5), and have some aspirin ready for the inevitable headache.
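As an added check (not from the original thread), the script below reads the "netstat -nrf encap" output quoted in the question and flags any flow whose local or remote side falls outside the networks you meant to tunnel, so a "default" flow pushed by the peer shows up immediately; the expected network lists are an assumption based on the question's ipsec.conf and should be replaced with your own. It complements, rather than replaces, restricting what the peer may negotiate via isakmpd.policy(5).

```shell
#!/bin/sh
# Constructed sample modelled on the "netstat -nrf encap" output in the question.
SAMPLE_FLOWS='Source Port Destination Port Proto SA
192.168.71/24 0 10.1/16 0 0 W.X.Y.Z/esp/use/in
10.1/16 0 192.168.71/24 0 0 W.X.Y.Z/esp/require/out
192.168.90/24 0 default 0 0 W.X.Y.Z/esp/use/in
default 0 192.168.90/24 0 0 W.X.Y.Z/esp/require/out'

# Networks we intend to carry over the tunnel (assumption: derived from the
# ipsec.conf in the question; adjust to your own policy). "default" on the
# local side means all of our traffic is being sent into the tunnel.
EXPECTED_LOCAL="10.1/16"
EXPECTED_REMOTE="192.168.71/24 192.168.90/24"

# Print one line per flow whose local or remote prefix is not expected.
unexpected_flows() {
    printf '%s\n' "$1" | awk -v local="$EXPECTED_LOCAL" -v remote="$EXPECTED_REMOTE" '
    BEGIN {
        n = split(local, a, " ");  for (i = 1; i <= n; i++) okl[a[i]] = 1
        n = split(remote, b, " "); for (i = 1; i <= n; i++) okr[b[i]] = 1
    }
    NR == 1 { next }                          # skip the header line
    {
        # The SA column ends in /in or /out; "in" flows are remote -> local.
        if ($6 ~ /\/in$/) { l = $3; r = $1 } else { l = $1; r = $3 }
        if (!(l in okl) || !(r in okr))
            printf "UNEXPECTED local=%s remote=%s sa=%s\n", l, r, $6
    }'
}

# Returns 1 (and prints the offenders) if any unexpected flow exists,
# so the function can be run from cron and alert on a non-zero status.
check_flows() {
    out=$(unexpected_flows "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if check_flows "$SAMPLE_FLOWS"; then
    echo "all flows match the expected networks"
else
    echo "review the flows listed above"
fi
```

On a live box replace the sample with `netstat -nrf encap` output, e.g. `check_flows "$(netstat -nrf encap)"`.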