[nycbug-talk] OpenBSD as a VPN device
Brian A. Seklecki
lavalamp at spiritual-machines.org
Fri Jan 11 05:29:08 EST 2008
> the what?
If you do a hub-and-spoke P2P and your organization has, say, a /19 of
private IP space at the HQ and all of the facilities have a /24 or /25 of
space, your isakmpd.conf will have unequal size subnet masks.
A branch router with this config will receive a packet on its LAN
interface from the /24 or /25, process it, and transmit a return packet to
the LAN node.
But IPSEC is evaluated before locally connected subnets, so the packet
from the printer on the LAN will get transmitted to the /19 across the VPN
IPSEC tunnel to the HQ (which silently drops it)
It's the way the stack is designed in ip_output();
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
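The selector mismatch Brian describes, reproduced as an added example (this is not code from the post or from OpenBSD): a small model of the order he describes, where the IPsec flow table is consulted before the routing table, so a branch-to-branch packet that falls inside the HQ /19 selector is tunneled instead of delivered on the LAN. The addresses (10.0.0.0/19 for HQ, 10.0.4.0/24 for the branch, interface name em0) are constructed for the example. The same model shows the two usual remedies: a more specific bypass flow for local traffic, or carving the branch /24 out of the /19 so that the remaining tunnel selectors never cover the local subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: the branch /24 is carved out of
# the HQ /19, which is exactly what makes the tunnel selector overlap it.
HQ = ipaddress.ip_network("10.0.0.0/19")
BRANCH = ipaddress.ip_network("10.0.4.0/24")

# Constructed routing table (prefix, outgoing label): the branch LAN is a
# connected route on em0, everything else goes out the default.
RIB = [
    (BRANCH, "em0"),
    (ipaddress.ip_network("0.0.0.0/0"), "default"),
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "tunnel" or "bypass"


def lookup_spd(spd, src, dst):
    """Most specific flow (longest combined prefix) matching src -> dst, or None."""
    best = None
    for f in spd:
        if src in f.src and dst in f.dst:
            if best is None or (f.src.prefixlen + f.dst.prefixlen) > (
                best.src.prefixlen + best.dst.prefixlen
            ):
                best = f
    return best


def route(rib, dst):
    """Longest-prefix match over the routing table; returns the outgoing label."""
    matches = [(net.prefixlen, label) for net, label in rib if dst in net]
    return max(matches)[1]


def forward(spd, rib, src, dst):
    """Decide what happens to a packet: the flow table is consulted before the
    connected routes, which is the ordering the post attributes to ip_output()."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    f = lookup_spd(spd, src, dst)
    if f is not None and f.action == "tunnel":
        return "tunnel"
    return route(rib, dst)


def carve(hq, branch):
    """Split the HQ prefix into the prefixes that remain once the branch subnet
    is removed; each of these becomes its own tunnel selector."""
    return sorted(hq.address_exclude(branch))


# 1. The naive config: one flow from the branch /24 to the whole HQ /19.
NAIVE_SPD = [Flow(BRANCH, HQ, "tunnel")]

# 2. Remedy A: a more specific bypass flow for LAN-to-LAN traffic wins the
#    longest-match lookup, so local replies are sent in the clear on em0.
BYPASS_SPD = [Flow(BRANCH, HQ, "tunnel"), Flow(BRANCH, BRANCH, "bypass")]

# 3. Remedy B: tunnel only the parts of the /19 that do not contain the branch.
CARVED_SPD = [Flow(BRANCH, net, "tunnel") for net in carve(HQ, BRANCH)]

if __name__ == "__main__":
    printer, workstation, hq_host = "10.0.4.20", "10.0.4.10", "10.0.1.5"
    for name, spd in (("naive", NAIVE_SPD), ("bypass", BYPASS_SPD), ("carved", CARVED_SPD)):
        print(f"{name:7s} LAN->LAN {forward(spd, RIB, workstation, printer):7s}"
              f" LAN->HQ {forward(spd, RIB, workstation, hq_host)}")
    print("carved selectors:", [str(n) for n in carve(HQ, BRANCH)])
```

With the naive flow the reply to the printer is classified "tunnel" even though the printer is on a connected route; with either remedy it goes out em0 while traffic to an HQ host is still tunneled. The carved list is the set of prefixes you would write as separate flows in isakmpd.conf in place of the single /19.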