From owner-freebsd-net@FreeBSD.ORG Fri Dec 12 11:13:31 2014
Date: Fri, 12 Dec 2014 12:13:26 +0100
From: Göran Löwkrantz
To: freebsd-net@freebsd.org
Cc: Martin Palm
Subject: IPSec and StrongSWAN result in wrong forward
Message-ID: <0B86BA4B10B152ADEE1E8BEE@[172.16.2.27]>
List-Id: Networking and TCP/IP with FreeBSD

Host: 10.1-STABLE FreeBSD 10.1-STABLE #0 r275046
Sw: strongswan-5.2.0_1

Putting up an ESP tunnel between 192.168.2.0/24 and 192.168.40.8/29 over endpoints X and W. The outgoing traffic is passed through a DMZ and exits on my side through a firewall with inner address Y and outer address U.

After a random time, individual hosts on the 2.0/24 net get all their traffic redirected out via X even when the src/dst do not match the SPD entries. When the packets reach Y, the firewall sends an ICMP redirect back to X.

The only way to clean up seems to be a reboot of the gateway, as stopping StrongSWAN and flushing the SAD and SPD entries does not fix the problem.

Anyone seen something like this? Can I read the actual routing used to forward the packets and see what happens? How do I interpret netstat -rW?

/glz

"There are no solved problems; there are only problems that are more or less solved" -- Henri Poincare