Date:      Thu, 08 Feb 2007 15:54:27 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Tom Judge <tom@tomjudge.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF Policy routing failing to route ESP packets correctly
Message-ID:  <45CB47B3.6060402@tomjudge.com>
In-Reply-To: <45BF6DFE.9060307@tomjudge.com>
References:  <45BF6DFE.9060307@tomjudge.com>

Tom Judge wrote:
> Hi,
> 
> I am having some problems getting policy routing of outbound ESP packets 
> to work correctly.  It seems the routing works fine for everything but 
> esp packets.  Is this a known bug?
> 
> Tom
> 
> Relevant PF rules:
> 
> table <tbl.r21.s> { 100.198.71.78 , 100.198.71.66 }
> 
> 
> pass out  quick route-to ( fxp0 100.198.71.65 ) inet  from <tbl.r21.s> 
> to ! 100.198.71.64/28 keep state  label "RULE 21 --  "
> 

Just a bump on this thread to see if anyone has any ideas about this 
problem.

Here is a slightly better description of the problem.

The network layout is available at: http://www.tomjudge.com/tmp/tunnels.png

From the diagram, Hosts A and B both have their default gateway set as 
ISP A's router, and have a PF rule that should route traffic from ISP 
B's addresses to ISP B's router.  This seems to work for all traffic 
except the IPSEC ESP packets which always get transmitted to the default 
gateway that is set on the host.  It seems that they do not pass through 
the firewall or for some reason do not match the route-to rule.  Can 
anyone suggest a solution to this problem?

PF rule Host A: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 112.0.0.1 ) inet from 112.0.0.2 
to ! 112.0.0.0/27 keep state

PF rule Host B: (First rule in rule set)

pass out quick on bge1 route-to ( bge1 114.0.0.1 ) inet from 114.0.0.2 
to ! 114.0.0.0/27 keep state


Thanks

Tom
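An added example, not part of the thread, that models the two quoted route-to rules as data and checks the two hypotheses in the mail (ESP never reaching pf versus ESP not matching the rule). The rule evaluator follows the quoted rule text; the pflog lines are constructed in the usual `tcpdump -n -e -i pflog0` format, and `DEFAULT_GW` is a placeholder since the thread gives no address for ISP A's router.

```python
import ipaddress
import re

# The two rules quoted for Host A and Host B, as plain data (my structure, not pf's):
# "pass out quick on bge1 route-to ( bge1 112.0.0.1 ) inet from 112.0.0.2 to ! 112.0.0.0/27 keep state"
RULES = {
    "A": {"iface": "bge1", "src": "112.0.0.2", "not_dst": "112.0.0.0/27", "route_to": ("bge1", "112.0.0.1")},
    "B": {"iface": "bge1", "src": "114.0.0.2", "not_dst": "114.0.0.0/27", "route_to": ("bge1", "114.0.0.1")},
}
DEFAULT_GW = "ISP-A-router"  # placeholder: the thread does not give this address


def rule_matches(rule, iface, src, dst, proto):
    """Filter criteria of the quoted rule. It has no 'proto' clause, so any IP
    protocol, ESP (50) included, is matched purely on interface and addresses."""
    del proto  # deliberately unused: the rule text does not restrict the protocol
    return (iface == rule["iface"]
            and ipaddress.ip_address(src) == ipaddress.ip_address(rule["src"])
            and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["not_dst"]))


def expected_next_hop(host, iface, src, dst, proto):
    """Where a packet should go if pf evaluates it: the route-to target when the
    rule matches, otherwise the host's default route."""
    rule = RULES[host]
    return rule["route_to"] if rule_matches(rule, iface, src, dst, proto) else DEFAULT_GW


# Constructed pflog lines in tcpdump's format; real ones come from adding 'log' to
# the rule and running 'tcpdump -n -e -i pflog0'. ESP is printed as ESP(spi=..,seq=..).
SAMPLE_PFLOG = [
    "rule 0/0(match): pass out on bge1: 112.0.0.2 > 203.0.113.10: ESP(spi=0x00000123,seq=0x1), length 116",
    "rule 0/0(match): pass out on bge1: 112.0.0.2.51234 > 203.0.113.10.443: Flags [S], seq 1, length 0",
]
PFLOG_LINE = re.compile(r"rule (\d+)/\d+\(match\): (\w+) (in|out) on (\w+): (\S+) > (\S+): (ESP|\S+)")


def esp_seen_by_pf(pflog_lines):
    """Rule numbers that matched ESP packets. An empty set after ESP traffic was sent
    means ESP never traversed pf on the outbound path; a non-empty set means it did
    match, so the divergence happens after the rule, not in the filter criteria."""
    hits = set()
    for line in pflog_lines:
        m = PFLOG_LINE.search(line)
        if m and m.group(7) == "ESP":
            hits.add(int(m.group(1)))
    return hits
```

Rule numbers in pflog correspond to the `@N` numbering shown by `pfctl -vvsr`, which is how to confirm which rule an ESP packet hit.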


