7th August 2012
xeniades
denat, the question is more general. it does not depend on the topology.

but if you have a simple site-to-site vpn, peer A is an openbsd-box, peer B is any other vpn-gateway (call it Gw-B). now Gw-B initiates the vpn and a tunnel is established between the two peers. with this tunnel you can send packets - for example - between the two directly connected internal networks. this is the reason for the vpn tunnel.

now the admin of Gw-B configures additional ipsec-SAs and does not inform the admin of the openbsd-box, so the openbsd-box will not be changed. the result is that the openbsd-box accepts these additional ipsec-SAs and packets can be sent from Gw-B to the openbsd-box.
if the openbsd-box has a configured route for these packets, they will reach the target. this makes the admin of the openbsd-box nervous, because it is not his intention to receive such (unknown) traffic.

this scenario will happen if you do not use isakmpd.ipsec. if you use this file, you can filter the ipsec-SAs from Gw-B and the openbsd-box denies the requests from Gw-B. that means:

- no tunnel can be established for the "unknown" ipsec-SAs from peer B,
- therefore no need for pf. and the best is that
- only valid ipsec-SAs are terminated on the openbsd-box
- no added burden for isakmpd.

but you have to install keynote on your openbsd-box to get this to work, and you should know how to use isakmpd.ipsec. it seems a little bit complicated....
but this is the reason that your solution is just a workaround. your kind of configuration did not solve the real problem. but i am sure - it will work.

i have not tested this, it is just a theoretical investigation, but i think this will point in the right direction - if not, please let me know. i am still learning openbsd.

the smarter way to get more and easier ipsec security is to use the configuration files mentioned by jggimi. i think this is more restrictive than isakmpd.conf.
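An added example of the SA filtering this post describes, written by the editor and not taken from the poster or from the OpenBSD project: a KeyNote policy in the form isakmpd reads from isakmpd.policy, which accepts a phase-2 SA from the peer only when its traffic selectors are exactly the two known internal networks. The network ranges, the peer address and the passphrase are constructed placeholders.

```keynote
KeyNote-Version: 2
Comment: Constructed example. Only an SA whose selectors are exactly the
Comment: local net 192.0.2.0/24 and the remote net 198.51.100.0/24, proposed
Comment: by peer 203.0.113.1 and using ESP with real encryption, is accepted.
Comment: Any other SA the peer proposes evaluates to "false" and is refused,
Comment: so the extra SAs added by the admin of Gw-B never terminate here.
Authorizer: "POLICY"
Licensees: "passphrase:constructed-preshared-key-placeholder"
Conditions: app_domain == "IPsec policy" &&
            remote_ike_address == "203.0.113.1" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            local_filter_addr_lower == "192.0.2.0" &&
            local_filter_addr_upper == "192.0.2.255" &&
            remote_filter_addr_lower == "198.51.100.0" &&
            remote_filter_addr_upper == "198.51.100.255" -> "true";
```

The Licensees passphrase has to match the pre-shared key configured for that peer, so each additional peer needs its own credential line with its own allowed selectors.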