On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini <
a.parazzini@sirtisistemi.net> wrote:

quoted text
> Hi,
> "from 10.1.0.0/16" is the network id that I would negotiate with the
> remote
> peer.
> "(0.0.0.0/0)" is our real network, we have a lot of networks behind this
> box.
> We perform NAT on traffic leaving through the VPN tunnel.
>
>
> 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
> 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
> Why this flow?
> I would only flows defined in the configuration files.
>
> Thanks
> Andrea
>
>
> On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser
> <damonsbsd@yahoo.com> wrote:
> > 1. what is the (0.0.0.0/0) good for?2. how are you inspecting traffic in
> > the
> > tunnel?3. is nat allowed in the tunnel? 4. you may have let in more
> > networks
> > than you realize
> > -damon
> >
> > --- On Thu, 11/25/10, Andrea Parazzini <a.parazzini@sirtisistemi.net>
> > wrote:
> >
> > From: Andrea Parazzini <a.parazzini@sirtisistemi.net>
> > Subject: ipsec vpn unexpected flow
> > To: misc@openbsd.org
> > Date: Thursday, November 25, 2010, 2:40 PM
> >
> > Hi,
> > we have a vpn connection with a customer.
> > The remote peer is not under our management.
> > Our box is an OpenBSD 4.7 i386.
> > We have configured the vpn as follows:
> >
> > /etc/rc.conf.local
> > ipsec=YES
> > isakmpd_flags="-K -v"
> >
> > /etc/ipsec.conf
> > ike active esp tunnel \
> >   from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
> >   local A.B.C.D peer W.X.Y.Z \
> >   main auth hmac-sha1 enc 3des group modp1024 \
> >   quick auth hmac-sha1 enc 3des group modp1024 \
> >   psk "PRESHAREDKEY"
> >
> >
> > The vpn works fine, but there is a strange thing.
> > Whith "netstat -nrf encap" I see something like:
> >
> > Source         Port  Destination    Port  Proto  SA
> > 192.168.71/24  0     10.1/16        0     0      W.X.Y.Z/esp/use/in
> > 10.1/16        0     192.168.71/24  0     0      W.X.Y.Z/esp/require/out
> > 192.168.90/24  0     default        0     0      W.X.Y.Z/esp/use/in
> > default        0     192.168.90/24  0     0      W.X.Y.Z/esp/require/out
> >
> > As you can see there is a flow that is not configured on our box.
> > It is probably configured on the remote peer.
> > Is a normal behavior?
> > How can I protect myself from an incorrect configuration on the remote
> > peer?
> >
> > Thanks.
> >
> > Regards,
> > Andrea
>
>
pleas read ipsec.conf manual page agian specially "OUTGOING NETWORK ADDRESS
TRANSLATION" Section.
"10.1.0.0/16 (0.0.0.0/0)" means you want to nat anything from  10.1.0.0/16to
0.0.0.0/0 !
I think this is so strange .I can not understand your configuration rule.
Are you sure your traffic really pass through your IPSec Tunnel.


-- 
Gula_Gula =;=; BNF