Re: route-to enc0, ipsec
I have 3 real interfaces on my OpenBSD 3.1 box: A, B and C. I have also
set up IPsec on interface A. The default route goes thru interface C.
          ipsec    +----+
   (...) -------A|OBSD|B------- net B
          enc0     +----+
                     |
                     | default route
                     |
                   net C
IPsec works well; traffic goes from net B to/from (...). There are flows
defined from net B to 0.0.0.0/0 and from 0.0.0.0/0 to net B.
I want to route all traffic from interface B to the virtual IPsec interface
enc0. Even traffic that goes to net C, and traffic that should go thru the
default route - when it comes from net B - I want it to go thru IPsec.
When I put a "route-to enc0:gateway" rule in pf.conf it does not work.
Packets disappear; they don't appear on the A, B, C or enc0 interface. Even
pflog0 doesn't catch them (I log every packet after that rule). When I
put a similar rule (for testing if route-to works) for interface A
("route-to A:gateway"), packets go out thru interface A. So I see the enc0
interface is treated in some special way.
Can someone explain to me which way packets go in the kernel? And what's the order for:
- routing
- applying pf rules for incoming and later for outgoing packets
- NAT-ing incoming and outgoing packets
interface -> rdr/binat -> pf -> kernel/routing -> nat/binat -> pf ->
Now rules like "route-to" will bypass the kernel/routing stage.
- IPsec tunneling
This is much more complicated, because your packet will go two or three
times through the packet filter. Read ipsec(4), ipsecadm(8) and isakmpd(8).
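The stage order in the reply is easiest to see in a ruleset, so here is an added pf.conf fragment in the 3.x-era nat/rdr syntax (not from this thread or from the OpenBSD docs; interface names, the net B prefix, the server address and the gateway are made-up placeholders). It shows that inbound filter rules must match the post-rdr destination, outbound rules the post-nat source, and that route-to hands a packet to an interface/gateway without consulting the routing table:

```pf
# Added example, not from the thread. All names and addresses are placeholders.
ext_if  = "dc0"          # interface C: holds the default route
int_if  = "dc1"          # interface B: net B
vpn_if  = "dc2"          # interface A: carries the IPsec tunnel
int_net = "10.0.1.0/24"  # net B (placeholder)
srv     = "10.0.1.5"     # host on net B reachable from outside (placeholder)

# Translation rules are evaluated before the filter, so they come first.
# Inbound: rdr rewrites the destination BEFORE the inbound filter pass.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $srv port 80
# Outbound: nat rewrites the source BEFORE the outbound filter pass.
nat on $ext_if from $int_net to any -> $ext_if

block in log all
block out log all

# The inbound filter already sees the translated (internal) destination,
# so match on $srv, not on the public address of $ext_if.
pass in on $ext_if proto tcp from any to $srv port 80 keep state

# The outbound filter runs after nat, so the source it sees is $ext_if.
pass out on $ext_if from $ext_if to any keep state

# route-to skips the kernel/routing stage: traffic from net B is pushed to
# interface A and its gateway (192.0.2.1, placeholder) directly, even though the
# routing table would have sent it out the default route on $ext_if.
pass in on $int_if route-to dc2:192.0.2.1 from $int_net to any keep state
pass out on $vpn_if from $int_net to any keep state
```

Logging on `block` rules at both the inbound and outbound stage is what lets you tell, from pflog0, at which of the two filter passes a packet was dropped.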