Date: Mon, 08 Dec 2008 15:57:35 -0500
From: "Eric W. Bates" <ericx@vineyard.net>
To: freebsd-net@freebsd.org
Subject: ipfw policy routing esp
Message-ID: <493D8A3F.6040502@vineyard.net>
We have a bewildering problem attempting to policy route esp traffic.

We have 2 upstream internet sources: a routable T1 and a cable modem. The cable modem provides better bandwidth, so while we default to the T1, we use policy routing to send some of our traffic out the cable modem. In particular we use the cable modem for all the port 80 traffic via squid. squid's source IP is the one belonging to the cable network and we have the following ipfw rule for the policy route:

    ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any

cable_gw is the cable company's router. net_wan3_local is the cable company's IP on our external interface. This works great for all port 80 tcp traffic.

To this we added some IPSec. Racoon is hanging off the same ${net_wan3_local} and the udp port 500 traffic passes in and out thru the cable interface as we hoped.

The bewildering part is that while the esp traffic can demonstrably be seen to be hitting the policy route rule, those packets continue to pass out the default route to the T1 rather than being forwarded to the cable router as we want.

Any thoughts? Is this a known problem?

Thank you for your time.

-- 
Eric W. Bates
ericx@vineyard.net
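An added example, not part of the original message, showing one way to make the "it hits the rule" observation more telling: split the single fwd rule into per-protocol rules so that `ipfw -a show` attributes packet counts to tcp/80, udp/500 and esp separately, plus a small parser for that counter output. The gateway and local addresses are placeholders; the variable names follow the post.

```sh
#!/bin/sh
# Added example (not the original poster's configuration): per-protocol
# policy-route rules so the ipfw counters show which traffic actually
# matches, and a parser for `ipfw -a show` output.
cable_gw="${cable_gw:-192.0.2.1}"            # placeholder: cable router
net_wan3_local="${net_wan3_local:-192.0.2.10}" # placeholder: our cable-side IP

# Emit the ipfw commands. Not executed here; pipe into sh on the firewall.
# Separate rule numbers give separate packet/byte counters per protocol.
policy_rules() {
    cat <<EOF
ipfw add 64900 fwd ${cable_gw} tcp from ${net_wan3_local} to any 80
ipfw add 64901 fwd ${cable_gw} udp from ${net_wan3_local} 500 to any 500
ipfw add 64902 fwd ${cable_gw} esp from ${net_wan3_local} to any
EOF
}

# Read `ipfw -a show` output on stdin and print "<rule> <packets>" for every
# fwd rule. Field layout: rule number, packets, bytes, action, ...
fwd_counters() {
    awk '$4 == "fwd" { print $1, $2 }'
}

# Convenience wrapper: packet count for one rule number, or empty if absent.
rule_packets() {
    fwd_counters | awk -v r="$1" '$1 == r { print $2 }'
}
```

Run `ipfw -a show | rule_packets 64902` before and after generating ESP traffic; a rising count on 64902 while the packets still leave via the T1 isolates the problem to what happens after the fwd match, not to rule matching itself.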