Date: Tue, 27 Dec 2016 16:31:31 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-net@freebsd.org
Subject: [SOLVED] IPSec tunnel, VNET jail and routing issue
Message-ID: <7BDE3BD8-FC09-413C-801C-5985C1781754@ellael.org>
In-Reply-To: <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>
References: <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>
Michael Grimm <trashcan@ellael.org> wrote:

Never mind, I solved my issue. It has been a minor typo with major consequences.

> Configuration (shown for hostA, only):
>
> setkey.conf
> #      hostA       hostB                            hostA   hostB
> spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;

Contrary to this example line above, my real setkey.conf has had an "in" instead of "out" :-(

> Achieved so far:
>
> #) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite VNET jails will become assigned).
>    I do not know if that is needed, but now ping from jails to the opposite jails will at least start to send ICMP packets.

Now I have to state: yes, ARP proxying is mandatory in my setup.

Hmm, I need to learn more about ARP. Because now I do observe a lot of lines like …

| <kern.info> mike kernel: arp: proxy: ignoring request from 10.1.1.1 via epair1a

… and I do not know if I do have to be concerned about those. Do I?

Sorry for the noise!

Regards,
Michael
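An added example, not part of the post: a small checker for the setkey.conf mistake described above (an SPD entry whose `-P in`/`-P out` direction contradicts which subnet is local). It assumes policies use the `spdadd ... esp/tunnel/...` form shown in the thread; the two-line configuration below is constructed from the post's addresses, with hostA's policy deliberately carrying the wrong direction.

```python
import ipaddress
import re

# Constructed sample modelled on the post: the first policy covers traffic
# leaving hostA (10.1.1.0/24 -> 10.2.2.0/24) but is marked "in", which is the
# typo the post describes. The second policy is the correct inbound one.
SETKEY_CONF = """\
# hostA src        hostB dst
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.20.30.40-1.2.3.4/require;
"""

SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+?)-(\S+?)/(\S+?);"
)

def parse_spdadd(text):
    """Parse spdadd lines into dicts; blank lines and '#' comments are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        src, dst, proto, direction, tsrc, tdst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "direction": direction,
            "tunnel_src": ipaddress.ip_address(tsrc),
            "tunnel_dst": ipaddress.ip_address(tdst), "level": level,
        })
    return policies

def check_directions(policies, local_net):
    """Return [(policy_index, expected_direction)] for every policy whose
    -P direction disagrees with which side is local. A policy whose src is
    inside local_net must be "out"; one whose dst is inside it must be "in"."""
    local_net = ipaddress.ip_network(local_net)
    problems = []
    for i, p in enumerate(policies):
        if p["src"].subnet_of(local_net):
            expected = "out"
        elif p["dst"].subnet_of(local_net):
            expected = "in"
        else:
            continue  # neither side is local; nothing to judge
        if p["direction"] != expected:
            problems.append((i, expected))
    return problems

if __name__ == "__main__":
    # Seen from hostA (local 10.1.1.0/24) the first policy is flagged.
    print(check_directions(parse_spdadd(SETKEY_CONF), "10.1.1.0/24"))
```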