Hi all,

I have a routing firewall, which is also an IPsec client, like this:

                   ppp uplink (IPv4)
                          |
                       dc3|pppoe0
             +------------+------------+
             |            +            |dc1
             |           enc0          +----- DMZ2
             |                         |
             |                         |dc0
             |                         +----- DMZ1
             |                         |
             +------------+------------+
                          | em0
                      Intranet

DMZ2 has public address space (here named 11.222.33.128/25). Outgoing traffic
from this net should go through the ipsec tunnel.

IPv4 traffic from Intranet and DMZ1 to non-local and non-11.222.33/24 destinations uses the
default route via NAT and pppoe0 as expected.

What drives me nuts is: all traffic to 11.222.33/24 from em0 and dc1 (including
all CARP traffic from its carp2) goes to enc0, like this:

11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0: \
carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 \
advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211, len 56, bad cksum 0!)


What's going on here?

route-to in pf.conf seems to have no influence.


Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
11.222.33.64/26     0     172.16.9/24         0     0      111.222.111.222/esp/use/in
172.16.9/24         0     11.222.33.64/26     0     0      111.222.111.222/esp/require/out
11.222.33.16/28     0     192.168.110/24      0     0      111.222.111.222/esp/use/in
192.168.110/24      0     11.222.33.16/28     0     0      111.222.111.222/esp/require/out
default             0     2001:a12:d:10::/60  0     0      111.222.111.222/esp/use/in
2001:a12:d:10::/60  0     default             0     0      111.222.111.222/esp/require/out
default             0     11.222.33.128/25    0     0      111.222.111.222/esp/use/in
11.222.33.128/25    0     default             0     0      111.222.111.222/esp/require/out
11.222.33.64/26     0     192.168.110/24      0     0      111.222.111.222/esp/use/in
192.168.110/24      0     11.222.33.64/26     0     0      111.222.111.222/esp/require/out

root# ifconfig dc1
dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:80:c8:b9:04:ce
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 11.222.33.132 netmask 0xffffff80 broadcast 11.222.33.255
        inet6 fe80::280:c8ff:feb9:4ce%dc1 prefixlen 64 scopeid 0x3
        inet6 2001:a12:d:18::b prefixlen 64

carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        priority: 0
        carp: MASTER carpdev dc1 vhid 3 advbase 1 advskew 0
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xd
        inet 11.222.33.139 netmask 0xffffff80 broadcast 11.222.33.255
        inet6 2001:a12:d:18::c prefixlen 64

This is a GENERIC snapshot from about 2011-06-08.
I have net.inet.ip.multipath=1

What am I doing wrong?
Time to start using rdomains / multiple rtables?

Axel
---
PGP-Key:29E99DD6  b +49 151 2300 9283  b computing @ chaos claudius
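Added example, not part of the original post: a small Python script that parses the Encap table quoted above (re-joined to one flow per line, taken verbatim from the post) and reports which flow a given source/destination pair hits in a given direction, so one can check a packet such as the CARP advertisement in the tcpdump line against the flow table. The "most specific source+destination prefix wins" rule is an assumption for this check, not a statement of the kernel's exact flow lookup.

```python
import ipaddress
from collections import namedtuple

# Constructed input: the "Encap:" table from the post, one flow per line
# (src sport dst dport proto SA), as shown by netstat on the box.
ENCAP_TABLE = """\
11.222.33.64/26 0 172.16.9/24 0 0 111.222.111.222/esp/use/in
172.16.9/24 0 11.222.33.64/26 0 0 111.222.111.222/esp/require/out
11.222.33.16/28 0 192.168.110/24 0 0 111.222.111.222/esp/use/in
192.168.110/24 0 11.222.33.16/28 0 0 111.222.111.222/esp/require/out
default 0 2001:a12:d:10::/60 0 0 111.222.111.222/esp/use/in
2001:a12:d:10::/60 0 default 0 0 111.222.111.222/esp/require/out
default 0 11.222.33.128/25 0 0 111.222.111.222/esp/use/in
11.222.33.128/25 0 default 0 0 111.222.111.222/esp/require/out
11.222.33.64/26 0 192.168.110/24 0 0 111.222.111.222/esp/use/in
192.168.110/24 0 11.222.33.64/26 0 0 111.222.111.222/esp/require/out
"""

Flow = namedtuple("Flow", "src dst peer level direction")

def to_network(text, family):
    """Expand netstat shorthand ('172.16.9/24', 'default') to an ip_network."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    if ":" not in text:  # IPv4 prefix with trailing octets omitted
        host, plen = text.split("/")
        host = ".".join((host.split(".") + ["0"] * 4)[:4])
        text = f"{host}/{plen}"
    return ipaddress.ip_network(text, strict=False)

def parse_encap(table):
    flows = []
    for line in table.splitlines():
        src, _sport, dst, _dport, _proto, sa = line.split()
        family = 6 if ":" in src + dst else 4
        peer, _ipproto, level, direction = sa.split("/")
        flows.append(Flow(to_network(src, family), to_network(dst, family),
                          peer, level, direction))
    return flows

def match_flow(flows, src, dst, direction):
    """Most specific flow covering src->dst in that direction (assumed rule), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [f for f in flows if f.direction == direction
            and f.src.version == s.version and s in f.src and d in f.dst]
    return max(hits, key=lambda f: f.src.prefixlen + f.dst.prefixlen, default=None)

if __name__ == "__main__":
    # The CARP advertisement from the tcpdump line in the post
    print(match_flow(parse_encap(ENCAP_TABLE), "11.222.33.132", "224.0.0.18", "out"))
```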
