Date:      Tue, 27 Dec 2016 16:31:31 +0100
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-net@freebsd.org
Subject:   [SOLVED] IPSec tunnel, VNET jail and routing issue 
Message-ID:  <7BDE3BD8-FC09-413C-801C-5985C1781754@ellael.org>
In-Reply-To: <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>
References:  <B6B6461E-CC8C-43C7-A53C-F0576E5A6E5F@ellael.org>

Michael Grimm <trashcan@ellael.org> wrote:

Never mind, I solved my issue. It has been a minor typo with major consequences.

> Configuration (shown for hostA, only):
> 
> 	setkey.conf
> 		#      hostA          hostB                                        hostA   hostB
> 		spdadd 10.1.1.0/24    10.2.2.0/24     any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;

Contrary to the example line above, my real setkey.conf had an "in" instead of "out" :-(

> Achieved so far:
> 
> 	#) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite VNET jails will become assigned).
>            I do not know if that is needed, but now ping from jails to the opposite jails will at least start to send ICMP packets.

Now I have to state: yes, ARP proxying is mandatory in my setup.

Hmm, I need to learn more about ARP, because now I do observe a lot of lines like …

	| <kern.info> mike kernel: arp: proxy: ignoring request from 10.1.1.1 via epair1a

… and I do not know if I do have to be concerned about those. Do I?


Sorry for the noise!

Regards,
Michael
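The direction mix-up described above is easy to make because each host needs a matching pair of policies. The following setkey.conf fragments are an added illustration, not the author's configuration; they reuse the subnets and outer addresses from the quoted line (1.2.3.4 for hostA, 10.20.30.40 for hostB) and assume hostB mirrors hostA exactly.

```conf
# hostA (outer address 1.2.3.4), assumed layout for illustration
flush;
spdflush;
# traffic leaving hostA's jail subnet towards hostB's jails: direction "out",
# tunnel endpoints listed local-remote
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
# the reverse flow arriving from hostB: direction "in", endpoints remote-local
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in  ipsec esp/tunnel/10.20.30.40-1.2.3.4/require;

# hostB (outer address 10.20.30.40): the same two rules with src/dst and
# endpoints swapped; a policy whose direction does not match the flow it
# names is silently never consulted, which is the symptom of the typo above
spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/10.20.30.40-1.2.3.4/require;
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in  ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
```

After loading with `setkey -f`, `setkey -DP` shows the installed policies with their direction, which is the quickest way to spot an "in" where an "out" was intended.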