PF Source routing of IPSEC tunnel ESP packets.
Tom Judge
tom at tomjudge.com
Thu Feb 8 11:36:19 UTC 2007
Hi,
I am having some problems with source routing using PF, I tried the PF
mailing list but got no responses.
The network layout is available at: http://www.tomjudge.com/tmp/tunnels.png
From the diagram Host A and B both have there default gateway set as
ISP A's router, and have a PF rule that should route traffic from ISP
B's addresses to ISP B's router. This seems to work for all traffic
except the IPSEC ESP packets which always get transmitted to the default
gateway that is set on the host. It seems that they do not pass through
the firewall or for some reason do not match the route-to rule. Can
anyone suggest a solution to this problem?
PF rule Host A: (First rule in rule set)
pass out quick on bge1 route-to ( bge1 112.0.0.1 ) inet from 112.0.0.2
to ! 112.0.0.0/27 keep state
PF rule Host B: (First rule in rule set)
pass out quick on bge1 route-to ( bge1 114.0.0.1 ) inet from 114.0.0.2
to ! 114.0.0.0/27 keep state
Thanks
Tom
More information about the freebsd-questions
mailing list