Sunday, November 01, 2020

Re: Routing between VPNs broken

On 2020-11-01, Axel Rau <Axel.Rau@chaos1.de> wrote:
>> Am 01.11.2020 um 02:10 schrieb Rudy Baker <rizzz2pro@gmail.com>:
>>
>> I might be off, maybe the problem was fixed in later releases but on OpenBSD 5 if I had an IPsec tunnel to a network with no actual route in the routing table for that network (and no default gateway), things wouldn't be routed through the tunnel.
> I'm not aware of any fix or official statement since 4.x
> Time to move away from OpenBSD. )-:

This is working as intended. OpenBSD's IPsec implementation only has a
"flow based" implementation (the traditional style for IPsec allowing for
configs where only certain ports/protocols are protected and not others)
not a "route based" implementation (supported as an option on some
devices but not all, this makes it easier to work with in terms of
routing, but you can't really handle VPNs only for certain ports).

If you don't want a "real" default gateway then just add a blackhole
or reject route. "route add default 127.0.0.1 -blackhole" etc.

>> I could even set up a route that led to a bogus gateway just so that there was a route to the network in the table and it would obey the tunnel. A default gateway would fix the issue too since that traffic would match that.
>>
>> So I would say make sure you have a route to the network across the tunnel or even a default gateway set. It sounds dumb since on every other os on the planet IPsec creates routes but seems on BSD, you need to have a real route defined before it falls through to the IPsec routes and sends the traffic through that.

"every other os on the planet" is most definitely incorrect.

(wireguard isn't affected by this because it only has route-based
configuration and doesn't use flows / SADB at all).

If you want ipsec to work with route table entries rather than
flows, it isn't as simple on OpenBSD as some other networking devices,
but you can set up the IPsec association between endpoints only (not
networks), and run a gif or gre tunnel on top of that. Doing this
with IPsec+gif, although setup is more complex, there is no more
protocol overhead than tunnel-mode IPsec. (In fact the packet
format for the tunneled packets is identical).
