Date: Tue, 27 Dec 2016 16:31:31 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-net@freebsd.org
Subject: [SOLVED] IPSec tunnel, VNET jail and routing issue
Message-ID: <7BDE3BD8-FC09-413C-801C-5985C1781754@ellael.org>
In-Reply-To: <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>
References: <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>

Michael Grimm <trashcan@ellael.org> wrote:

Never mind, I solved my issue. It has been a minor typo with major consequences.

> Configuration (shown for hostA, only):
>
> setkey.conf
> # hostA hostB hostA hostB
> spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;

Contrary to this example line above, my real setkey.conf has had an "in" instead of "out" :-(

> Achieved so far:
>
> #) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite VNET jails will become assigned).
> I do not know if that is needed, but now ping from jails to the opposite jails will at least start to send ICMP packages.

Now I have to state: yes, ARP proxying is mandatory in my setup.

Hmm, I need to learn more about ARP. Because now I do observe a lot of lines like …

| <kern.info> mike kernel: arp: proxy: ignoring request from 10.1.1.1 via epair1a

… and I do not know if I do have to be concerned about those. Do I?

Sorry for the noise!

Regards,
Michael
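
The direction typo described in the message above can be caught before the policies are loaded. The following is an added example, not part of the original message or of FreeBSD: a small lint for tunnel-mode spdadd lines that checks the -P direction against the tunnel endpoints and looks for the mirrored policy. The names parse_policies, lint, GOOD and TYPO are hypothetical, and the inbound line in the sample is an assumed mirror of the one line the post shows.

```python
import re

# spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/tunnel/<gw_src>-<gw_dst>/<level>;
SPD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>\w+)/tunnel/(?P<gw_src>[^-/\s]+)-(?P<gw_dst>[^-/\s]+)/(?P<level>\w+)\s*;"
)

def parse_policies(text):
    """Return one dict per tunnel-mode spdadd line; comments and other lines are skipped."""
    policies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SPD_RE.match(line.split("#", 1)[0])
        if m:
            policies.append(dict(m.groupdict(), line=lineno))
    return policies

def lint(text, local_gw):
    """Check each policy's direction against its tunnel endpoints and look for its mirror."""
    policies = parse_policies(text)
    findings = []
    for p in policies:
        # Outbound traffic leaves from the local gateway; inbound traffic arrives at it.
        expected = "out" if p["gw_src"] == local_gw else "in" if p["gw_dst"] == local_gw else None
        if expected is None:
            findings.append((p["line"], "tunnel endpoints do not include the local gateway"))
        elif p["dir"] != expected:
            findings.append((p["line"], f"direction is '{p['dir']}', endpoints imply '{expected}'"))
        # A working tunnel needs the same selectors and endpoints swapped, in the other direction.
        mirror = any(q["src"] == p["dst"] and q["dst"] == p["src"] and q["dir"] != p["dir"]
                     and q["gw_src"] == p["gw_dst"] and q["gw_dst"] == p["gw_src"] for q in policies)
        if not mirror:
            findings.append((p["line"], "no mirrored policy for the opposite direction"))
    return findings

# Constructed samples: the 'out' line is from the post, the 'in' line is an assumed mirror.
GOOD = """\
# hostA hostB hostA hostB
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.20.30.40-1.2.3.4/require;
"""
TYPO = GOOD.replace("-P out", "-P in")  # the typo from the post: "in" instead of "out"

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("typo", TYPO)):
        print(name, lint(conf, "1.2.3.4"))
```

With the typo, both policies end up as "in", so the lint reports the wrong direction on the first policy and a missing mirror on both.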
