
Re: route-to enc0, ipsec

c0g wrote:

I have 3 real interfaces on my OpenBSD 3.1 box: A, B and C. I have also
set up ipsec on interface A. The default route goes through interface C.

        ipsec +----+
(...) -------A|OBSD|B------- net B
         enc0 +----+
                 C
                 |
                 | default route
                 |
               net C

IPsec works well, traffic goes from net B to/from (...). There are flows
defined to and from net B.

My problem:

I want to route all traffic from interface B to the virtual ipsec interface
enc0. Even traffic that goes to net C, and traffic that should go through the
default route - when it comes from net B - I want it to go through the ipsec tunnel.
When I put a "route-to enc0:gateway" rule in pf.conf it does not work.
Packets disappear, they don't appear on the A, B, C or enc0 interface. Even
pflog0 doesn't catch them (I log every packet after that rule). When I
put a similar rule (for testing if route-to works) for interface A
("route-to A:gateway") packets go out through interface A. So, I see the enc0
interface is treated in some special way.


Can someone explain to me which
way packets go in the kernel? And what's the order for:
- routing
- applying pf rules for incoming and later for outgoing packets
- nat-ing incoming and outgoing packets

interface -> rdr/binat -> pf -> kernel/routing -> nat/binat -> pf -> interface.
Now rules like "route-to" will bypass the kernel/routing stage.

- ipsec tunneling

This is much more complicated, because your packet will go two or three times through the packet filter. Read IPSEC(4), ipsecadm(8) and isakmpd(8).

Cedric
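The stage order in Cedric's reply (interface -> rdr/binat -> pf -> kernel/routing -> nat/binat -> pf -> interface, with route-to skipping the routing stage) has two consequences that are easy to get wrong in pf.conf: the inbound filter sees the rdr-translated destination, and the outbound filter sees the nat-translated source. The toy simulation below is an added example written for this page, not OpenBSD code and not from anyone in the thread; the interface names A, B and C follow the poster's diagram, and the addresses, routes and rules are constructed for illustration. It does not model enc0, so it says nothing about why packets sent there vanished.

```python
"""Toy model of the pf packet path described in the reply:

    interface -> rdr/binat -> pf (in) -> routing -> nat/binat -> pf (out) -> interface

with a "route-to" rule skipping the routing stage.  Simulation only, not
OpenBSD code; interface names follow the poster's diagram, the rest is made up.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str = ""


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    direction: str      # "in" or "out"
    iface: str          # interface name, or "*" for any
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    route_to: str = ""  # if set, force this output interface and skip routing


# Constructed routing table: A faces the IPsec peer, B is the LAN, C has the default route.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "A"),
    (ipaddress.ip_network("192.168.2.0/24"), "B"),
    (ipaddress.ip_network("0.0.0.0/0"), "C"),
]
# Constructed translations: rdr on inbound C, nat on outbound C.
RDR = {("C", "203.0.113.10"): "192.168.2.10"}    # (in_if, dst) -> new dst
NAT = {"C": ("192.168.2.0/24", "203.0.113.10")}  # out_if -> (src net, new src)

# pf evaluates rules in order and the LAST matching rule wins (no "quick").
BASE_RULES = [
    Rule("block", "in", "*"),
    Rule("block", "out", "*"),
    Rule("pass", "in", "B", src="192.168.2.0/24"),
    Rule("pass", "in", "C", dst="192.168.2.10"),  # matches the rdr'd address, not 203.0.113.10
    Rule("pass", "out", "A"),
    Rule("pass", "out", "B"),
    Rule("pass", "out", "C"),
]
# The poster's intent: everything arriving on B leaves via the tunnel side.
# Target is A here; enc0's special handling is not modelled.
TUNNEL_RULES = BASE_RULES + [Rule("pass", "in", "B", src="192.168.2.0/24", route_to="A")]


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    _, iface = max(((n, i) for n, i in ROUTES if addr in n), key=lambda t: t[0].prefixlen)
    return iface


def match_last(pkt: Packet, direction: str, iface: str, rules) -> Rule:
    hit = Rule("pass", direction, iface)  # pf passes when no rule matches
    for r in rules:
        if r.direction != direction or r.iface not in ("*", iface):
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(r.dst):
            continue
        hit = r
    return hit


def process(pkt: Packet, rules):
    """Forward one packet through the stages; return (packet or None if blocked, trace)."""
    trace = [f"in on {pkt.in_if}"]
    new_dst = RDR.get((pkt.in_if, pkt.dst))         # 1. rdr/binat, before the inbound filter
    if new_dst:
        pkt = replace(pkt, dst=new_dst)
        trace.append(f"rdr -> dst {new_dst}")
    rule = match_last(pkt, "in", pkt.in_if, rules)  # 2. inbound filter sees translated dst
    trace.append(f"pf in: {rule.action}")
    if rule.action != "pass":
        return None, trace
    if rule.route_to:                                # 3. route-to bypasses the routing table
        out_if = rule.route_to
        trace.append(f"route-to {out_if} (routing table skipped)")
    else:
        out_if = route(pkt.dst)
        trace.append(f"routing -> {out_if}")
    pkt = replace(pkt, out_if=out_if)
    nat = NAT.get(out_if)                            # 4. nat/binat on the chosen output interface
    if nat and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(nat[0]):
        pkt = replace(pkt, src=nat[1])
        trace.append(f"nat -> src {nat[1]}")
    rule = match_last(pkt, "out", out_if, rules)     # 5. outbound filter sees translated src
    trace.append(f"pf out: {rule.action}")
    if rule.action != "pass":
        return None, trace
    trace.append(f"out on {out_if}")
    return pkt, trace


if __name__ == "__main__":
    for rules in (BASE_RULES, TUNNEL_RULES):
        _, trace = process(Packet("192.168.2.5", "8.8.8.8", "B"), rules)
        print(" -> ".join(trace))
```

With BASE_RULES a LAN packet for 8.8.8.8 is routed out C and NATed; with TUNNEL_RULES the same packet leaves on A with its original source, because route-to picked the interface before the routing lookup and the nat rule is bound to C. The rdr case shows why "pass in on C" rules must name the internal address: by the time the filter runs, the destination has already been rewritten.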