Hi,
we have a vpn connection with a customer.
The remote peer is not under our management.
Our box is an OpenBSD 4.7 i386.
We have configured the vpn as follows:

/etc/rc.conf.local
ipsec=YES
isakmpd_flags="-K -v"

/etc/ipsec.conf
ike active esp tunnel \
  from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
  local A.B.C.D peer W.X.Y.Z \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group modp1024 \
  psk "PRESHAREDKEY"


The vpn works fine, but there is a strange thing.
Whith "netstat -nrf encap" I see something like:

Source         Port  Destination    Port  Proto  SA
192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out

As you can see there is a flow that is not configured on our box.
It is probably configured on the remote peer.
Is a normal behavior?
How can I protect myself from an incorrect configuration on the remote
peer?

Thanks.

Regards,
Andrea

[ message continues ]

Yes. This is especially fun when you end up accidentally routing
all traffic from a 100mb-connected site down an ADSL link by getting

isakmpd.policy(5), and have some aspirin ready for the inevitable headache.

[ message continues ]

On Fri, 26 Nov 2010 12:58:09 +0000 (UTC), Stuart Henderson

Thank you for your reply.
Now I have to study the manual.

Regards,
Andrea

[ message continues ]