Date: Thu, 1 Jan 2015 23:46:41 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Aristedes Maniatis <ari@ish.com.au>
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: ipsec routing issue
Message-ID: <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net>
In-Reply-To: <54A2367D.8030600@ish.com.au>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A2367D.8030600@ish.com.au>
> On 30 Dec 2014, at 05:22 , Aristedes Maniatis <ari@ish.com.au> wrote:
>
> On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>>
>>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari@ish.com.au> wrote:
>>>
>
>
>>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>>
>> No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.
> …
> Am I right in saying that I would not get this far if setkey wasn't already correct?
>
>
> But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network except for the remote firewall itself are not sent through the tunnel. I guess I'll need to add a route for those after all.
>
> Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)

Hint: not sure if you are testing from the gateway itself; if you do, you might have to use a specific source address (internal) with ping/telnet/etc.

Otherwise, read man setkey on the difference of "use" vs. "require" vs. "unique" for the level in the policy part.

--
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
