route-to enc0, ipsec
I have 3 real interfaces on my OpenBSD 3.1 box: A, B and C. I have also
set up ipsec on interface A. The default route goes through interface C.
                   ipsec   +----+
      (...) -------A|OBSD|B------- net B
                   enc0    +----+
                             |
                             | default route
                             |
                           net C
IPsec works well: traffic goes from net B to/from (...). There are flows
defined from net B to 0.0.0.0/0 and from 0.0.0.0/0 to net B.
I want to route all traffic from interface B to the virtual ipsec interface
enc0. Even traffic that goes to net C, and traffic that should go through the
default route - when it comes from net B - I want it to go through the ipsec tunnel.
When I put a "route-to enc0:gateway" rule in pf.conf it does not work.
Packets disappear; they don't appear on the A, B, C or enc0 interface. Even
pflog0 doesn't catch them (I log every packet after that rule). When I
put a similar rule (for testing whether route-to works) for interface A
("route-to A:gateway"), packets go out through interface A. So, I see that the enc0
interface is treated in some special way. Can someone explain to me which
way packets go in the kernel? And what's the order for:
- routing
- applying pf rules for incoming and later for outgoing packets
- nat-ing incoming and outgoing packets
- ipsec tunneling
Maybe someone has similar problem?
And the last question. Is there something like policy routing (I know it
from Linux >= 2.2.x) in OpenBSD?