
Basic VPN and routing question



Hi,

My basic question is related to IPsec with manual keying
(i.e. a setup using ipsecadm - just for learning...):

When packets targeted for the peer LAN arrive on the receiving IPsec peer
(i.e. ESP encapsulated on the external IF and decrypted packets
dropping in from the enc0 IF), what mechanism is responsible
for relaying them to the LAN behind the IPsec peer:
just plain forwarding? Or do I need an additional manual route?

Packets are not dropped by pf!

Command output is below.

Any kind of help would be appreciated.

Thanks!

Axel Wagner

--

External IF:

saruman# tcpdump -ni xl0 ip proto 50
10:02:25.393482 esp 193.175.244.183 > 193.175.244.184 spi 0x00001000 seq
276 len 116 (DF)

saruman# tcpdump -ni enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0
10:02:29.393180 (authentic,confidential): SPI 0x00001000: 192.168.50.2 >
192.168.150.2: icmp: echo request (DF) (encap)

saruman# sysctl -a | grep forward
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0

saruman# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            193.175.244.1      UGS         1    13534      -   xl0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          2      245  33224   lo0
192.168.150/24     link#2             UC          1        0      -   vr0
192.168.150.1      0:50:ba:2c:2b:5    UHLc        0        2      -   lo0
192.168.150.2      0:80:48:14:d6:98   UHLc        0        3      -   vr0
193.175.244/24     link#1             UC          3        0      -   xl0
193.175.244.1      0:d0:97:c3:f8:0    UHLc        1        1      -   xl0
193.175.244.3      0:af:20:0:1:7      UHLc        0     1086      -   xl0
193.175.244.183    0:50:ba:2c:14:bb   UHLc        0       53      -   xl0
193.175.244.184    127.0.0.1          UGHS        0        0  33224   lo0
224/4              127.0.0.1          URS         0        0  33224   lo0

...

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.50/24      0     192.168.150/24     0     0      193.175.244.183/50/require/in
192.168.50/24      0     193.175.244.184/32 0     0      193.175.244.183/50/require/in
193.175.244.183/32 0     192.168.150/24     0     0      193.175.244.183/50/require/in
193.175.244.184/32 0     193.175.244.183/32 0     0      193.175.244.183/50/require/in
192.168.150/24     0     192.168.50/24      0     0      193.175.244.183/50/require/out
192.168.150/24     0     193.175.244.183/32 0     0      193.175.244.183/50/require/out
193.175.244.183/32 0     193.175.244.184/32 0     0      193.175.244.183/50/require/out
193.175.244.184/32 0     192.168.50/24      0     0      193.175.244.183/50/require/out


-- 
Axel Wagner
Julius-Konegenstr. 19 - 38114 Braunschweig
Tel: 0531/2502642 - eMail: axel_(_at_)_axel_(_dot_)_org
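An added illustration (not part of the mail above, and not OpenBSD code): a simplified model of the path a decrypted packet takes after enc0, using the routes and inbound "require" flows quoted in the post. It checks the inbound flow, the net.inet.ip.forwarding sysctl, and a longest-prefix route lookup; the host/ARP entries are left out and the "default" route is written as 0.0.0.0/0.

```python
import ipaddress

# Constructed excerpt of the netstat -rn output in the post: (destination, gateway, interface).
ROUTES = [
    ("0.0.0.0/0",        "193.175.244.1", "xl0"),
    ("127.0.0.0/8",      "127.0.0.1",     "lo0"),
    ("192.168.150.0/24", "link#2",        "vr0"),
    ("193.175.244.0/24", "link#1",        "xl0"),
]

# Constructed excerpt of the inbound "require" flows from the Encap table: (source, destination).
FLOWS_IN = [
    ("192.168.50.0/24", "192.168.150.0/24"),
    ("192.168.50.0/24", "193.175.244.184/32"),
]


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (network, gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best


def inbound_flow_matches(src, dst):
    """True if some inbound require-flow covers this src/dst pair."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s_addr in ipaddress.ip_network(s) and d_addr in ipaddress.ip_network(d)
               for s, d in FLOWS_IN)


def decrypted_packet_path(src, dst, forwarding=1):
    """Decide what happens to a packet that arrived decrypted via enc0 (simplified model)."""
    if not inbound_flow_matches(src, dst):
        return "dropped: no inbound require-flow covers this pair"
    if not forwarding:
        return "dropped: net.inet.ip.forwarding=0"
    route = lookup_route(dst)
    if route is None:
        return "dropped: no route"
    return f"forwarded via {route[2]} (gw {route[1]})"


if __name__ == "__main__":
    # The echo request seen on enc0 in the post: 192.168.50.2 > 192.168.150.2
    print(decrypted_packet_path("192.168.50.2", "192.168.150.2"))
```

With forwarding enabled and the connected 192.168.150/24 route on vr0, the echo request from the post is forwarded without any extra route in this model; flip forwarding to 0 or use a source outside the flow to see the two drop cases.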


