Problem with new source address selection

Frank Behrens frank at harz.behrens.de
Thu Nov 27 07:42:48 PST 2008


Bjoern,

thanks for your fast answer.

Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote on 27 Nov 2008 14:53:
> Yes I know that hack though I never actually used it with a loopback
> as the loopback case is *uhm* gross. You know you are telling the
> kernel to actually send the packets to yourself which so far has just
> worked more or less out of luck in my eyes.

IMHO here we see again the main problem of IPsec. Suddenly packets 
disappear in the kernel, are tunneled with IPsec and appear on the other end. 
A gif-like device with routes instead of SPD entries would have some 
advantages. 

> So is your 192.168.90.0/24 on any other interface but the lo2?
> Is it the only network on that interface or are there aliases?

For this machine the simplified setup is:
- an ethernet interface for private net with address 192.168.90.1/24 
and additional aliases for external addresses
- several tun devices with external and private addresses and routes
- lo0 as real loopback device with 127.0.0.1/8
- lo1 with private jail addresses

Now I want to tunnel between my 192.168.90.0/24 and a foreign 
192.168.200.0/24. So I assigned 192.168.90.254/32 to lo2 and created 
a static route.

> From the code down I take it that the connect(2) call happens outside
> any jail and not within a jail, right?

Yes, this is outside a jail. With jails I had no problems; every jail 
currently has one IPv4 and one IPv6 address.

> Let me answer those later; in case you cannot reveal your network
> setup in public; contact me offlist.

If desired I could send you the complete interface and routing table. 
But I believe you should be able to see the problem with my example 
above. 

Thanks for your support,
   Frank

-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
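The setup Frank describes above (192.168.90.1/24 on the Ethernet interface, 192.168.90.254/32 on lo2, and a static route for 192.168.200.0/24 pointing at lo2) is modelled below as an added example; it is not code from this thread or from the FreeBSD kernel. It is a simplified Python model of route-derived source address selection: the kernel looks up the most specific route for the destination and takes the source from an address of the route's outgoing interface. The interface name em0, the lo2 host route, and the external addresses 203.0.113.0/24 and 198.51.100.7 are constructed assumptions; the real kernel logic (in_pcbladdr and friends) has more cases than this model shows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4If = ipaddress.IPv4Interface
IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    addrs: List[IPv4If]  # primary address first, aliases after it


@dataclass
class Route:
    prefix: IPv4Net
    iface: str                      # outgoing interface
    gateway: Optional[IPv4Addr] = None  # None means directly connected


# Constructed approximation of the setup from the mail: em0 carries the
# private /24 plus one (assumed) external alias; lo2 carries the /32 that
# the IPsec tunnel route is pointed at.
IFACES = {
    "em0": Interface("em0", [IPv4If("192.168.90.1/24"), IPv4If("203.0.113.5/24")]),
    "lo0": Interface("lo0", [IPv4If("127.0.0.1/8")]),
    "lo2": Interface("lo2", [IPv4If("192.168.90.254/32")]),
}

ROUTES = [
    Route(IPv4Net("127.0.0.0/8"), "lo0"),
    Route(IPv4Net("192.168.90.0/24"), "em0"),                 # connected
    Route(IPv4Net("192.168.90.254/32"), "lo2"),               # host route for the lo2 alias
    Route(IPv4Net("192.168.200.0/24"), "lo2", IPv4Addr("192.168.90.254")),  # Frank's static tunnel route
    Route(IPv4Net("0.0.0.0/0"), "em0", IPv4Addr("203.0.113.1")),            # assumed default route
]

# Same tunnel route, but pointed at the Ethernet interface instead of lo2:
# this is the contrast behind Bjoern's question about other interfaces.
ROUTES_VIA_EM0 = [
    r for r in ROUTES if r.prefix != IPv4Net("192.168.200.0/24")
] + [Route(IPv4Net("192.168.200.0/24"), "em0", IPv4Addr("192.168.90.254"))]


def lookup_route(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    addr = IPv4Addr(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def select_source(dst: str, routes: List[Route] = ROUTES, ifaces=IFACES) -> str:
    """Pick the source address for a new socket with no explicit bind().

    Model: take the route's outgoing interface; prefer an address on that
    interface whose subnet contains the gateway (or the destination, for a
    connected route); otherwise fall back to the interface's primary address.
    """
    rt = lookup_route(dst, routes)
    if rt is None:
        raise ValueError(f"no route to {dst}")
    ifp = ifaces[rt.iface]
    target = rt.gateway if rt.gateway is not None else IPv4Addr(dst)
    for a in ifp.addrs:
        if target in a.network:
            return str(a.ip)
    return str(ifp.addrs[0].ip)


if __name__ == "__main__":
    for dst in ("192.168.200.10", "192.168.90.20", "198.51.100.7"):
        rt = lookup_route(dst)
        print(f"{dst:16} via {rt.iface:4} -> source {select_source(dst)}")
    print("tunnel route on em0 instead:", select_source("192.168.200.10", ROUTES_VIA_EM0))
```

Run stand-alone, the model picks 192.168.90.254 for the tunnelled 192.168.200.0/24 destination because the route's interface is lo2, whose only address is that /32; with the same route moved onto em0 it picks 192.168.90.1, which is exactly the difference a route-driven source selection makes when 192.168.90.x addresses live on more than one interface.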


