
route-to enc0, ipsec




Hi,

I have 3 real interfaces on my OpenBSD 3.1 box: A, B and C. I have also
set up ipsec on interface A. The default route goes through interface C.

        ipsec +----+
(...) -------A|OBSD|B------- net B
         enc0 +----+
                C
                |
                | default route
                |
              net C

IPsec works well, traffic goes from net B to/from (...). There are flows
defined from net B to 0.0.0.0/0 and from 0.0.0.0/0 to net B.

My problem:

I want to route all traffic from interface B to the virtual ipsec interface
enc0. Even traffic that goes to net C, and traffic that should go through the
default route - when it comes from net B - I want it to go through the ipsec tunnel.
When I put a "route-to enc0:gateway" rule in pf.conf it does not work.
Packets disappear, they don't appear on the A, B, C or enc0 interface. Even
pflog0 doesn't catch them (I log every packet after that rule). When I
put a similar rule (for testing if route-to works) for interface A
("route-to A:gateway") packets go out through interface A. So, I see the enc0
interface is treated in some special way. Can someone explain to me which
way packets go in the kernel? And what's the order for:
- routing
- applying pf rules for incoming and later for outgoing packets
- nat-ing incoming and outgoing packets
- ipsec tunneling

Maybe someone has similar problem?

And the last question. Is there something like policy routing (I know it
from Linux >= 2.2.x) in OpenBSD?

c0g