[nycbug-talk] OpenBSD as a VPN device

Brian A. Seklecki lavalamp at spiritual-machines.org
Fri Jan 11 05:29:08 EST 2008

> the what?

If you do a hub-and-spoke P2P and your organization has a say.../19 of 
private IP space at the HQ and all of the facilities have a /24 or /25 of 
space, your isakmpd.conf will have unequal size subnet masks.

A branch router with with this config will recieve a packet on its LAN 
interface from the /24 or /25, process it, and transmit a return packet to 
the LAN node.

But IPSEC is evaluated before locally connected subnets, so the packet 
from the printer on the LAN will get transmitted to the /19 across the VPN 
IPSEC tunnel to the HQ (which silently drops it)

Its the way the stack is designed in ip_output();

 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)

More information about the talk mailing list