Date: Fri, 12 Dec 2014 12:13:26 +0100
From: Göran Löwkrantz <goran.lowkrantz@ismobile.com>
To: freebsd-net@freebsd.org
Cc: Martin Palm <martin.palm@indicate.se>
Subject: IPSec and StrongSWAN result in wrong forward
Message-ID: <0B86BA4B10B152ADEE1E8BEE@[172.16.2.27]>
Host: 10.1-STABLE FreeBSD 10.1-STABLE #0 r275046
Sw: strongswan-5.2.0_1

Putting up an ESP tunnel between 192.168.2.0/24 and 192.168.40.8/29 over endpoints X and W. The outgoing traffic is passed through a DMZ and exits on my side through a firewall with inner address Y and outer address U.

After a random time, individual hosts on the 2.0/24 net get all their traffic redirected out via X even when the src/dst do not match the SPD entries. When the packets reach Y, the firewall sends an ICMP redirect back to X. The only way to clean up seems to be a reboot of the gateway, as stopping StrongSWAN and flushing the SAD and SPD entries does not fix the problem.

Anyone seen something like this? Can I read the actual routing used to forward the packets and see what happens? How do I interpret netstat -rW?

/glz

"There are no solved problems; there are only problems that are more or less solved" -- Henri Poincare
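The poster asks how to work out which route and which SPD entry a given flow should hit. The script below is an added illustration, not code from the poster or from StrongSWAN or FreeBSD: it reproduces the two checks the kernel makes for an outbound packet, a longest-prefix match against the routing table and a selector match against the SPD, so the expected decision for a (src, dst) pair can be compared with what is actually observed. The routing-table and `spdadd` text are constructed samples that only approximate `netstat -rn` and `setkey -DP` output, and the gateway addresses 10.0.0.1 and 10.0.0.254 are made-up stand-ins for the tunnel peer X and the firewall's inner address Y from the post.

```python
"""Expected forwarding decision for a flow: longest-prefix route lookup plus
IPsec SPD selector match. Assumption: the table/policy text below is a
constructed approximation of FreeBSD `netstat -rn` and setkey `spdadd` lines."""
import ipaddress
from dataclasses import dataclass

# Constructed routing table. 10.0.0.254 stands in for the firewall (Y),
# 10.0.0.1 for the IPsec peer (X); neither value comes from the post.
ROUTE_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            10.0.0.254         UGS        em0
10.0.0.0/24        link#1             U          em0
10.0.0.5           link#1             UHS        lo0
127.0.0.1          link#2             UH         lo0
192.168.2.0/24     link#3             U          em1
192.168.40.8/29    10.0.0.1           UGS        em0
"""

# Constructed SPD in setkey spdadd syntax, matching the tunnel selectors
# from the post; tunnel endpoints are placeholders.
SPD_TEXT = """\
spdadd 192.168.2.0/24 192.168.40.8/29 any -P out ipsec esp/tunnel/X-W/require;
spdadd 192.168.40.8/29 192.168.2.0/24 any -P in ipsec esp/tunnel/W-X/require;
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str


def parse_routes(text):
    """Parse netstat-style lines; 'default' and bare host entries become networks."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        dest, gateway, flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def parse_spd(text):
    """Parse 'spdadd SRC DST proto -P DIR ACTION ...;' lines into Policy objects."""
    policies = []
    for line in text.strip().splitlines():
        tokens = line.rstrip(";").split()
        if not tokens or tokens[0] != "spdadd":
            continue
        i = tokens.index("-P")
        policies.append(Policy(ipaddress.ip_network(tokens[1]),
                               ipaddress.ip_network(tokens[2]),
                               tokens[i + 1], tokens[i + 2]))
    return policies


def lookup_route(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def spd_match(policies, src, dst, direction="out"):
    """First policy whose direction and src/dst selectors cover the flow, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def forwarding_decision(routes, policies, src, dst):
    """What the kernel *should* do with an outbound src->dst packet."""
    policy = spd_match(policies, src, dst)
    route = lookup_route(routes, dst)
    return {
        "policy": policy.action if policy else "none",
        "gateway": route.gateway if route else None,
        "netif": route.netif if route else None,
    }


ROUTES = parse_routes(ROUTE_TABLE)
POLICIES = parse_spd(SPD_TEXT)

if __name__ == "__main__":
    # Inside the tunnel selectors: expected to be ESP-encapsulated toward the peer.
    print(forwarding_decision(ROUTES, POLICIES, "192.168.2.10", "192.168.40.9"))
    # Outside the selectors: expected to go plain via the default gateway (firewall).
    print(forwarding_decision(ROUTES, POLICIES, "192.168.2.10", "198.51.100.7"))
```

Running the two flows side by side shows the contrast the post describes: only the first flow matches an SPD selector, so a packet from the second flow leaving toward the peer's gateway is a symptom worth chasing with `netstat -rnW`, `setkey -DP` and `route -n get <dst>` on the gateway itself.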