IPsec flows take priority over all standard routing table entries;
it sounds like you need a bypass flow for the CARP protocol traffic
if you don't want it to match your IPsec flow.


On 2011-07-28, Axel Rau <[email protected]> wrote:
> Hi all,
>
> I have a routing firewall, which is also an IPsec client like this:
>
>                    ppp uplink (IPv4)
>                           |
>                        dc3|pppoe0
>              +------------+------------+
>              |            +            |dc1
>              |           enc0          +----- DMZ2
>              |                         |
>              |                         |dc0
>              |                         +----- DMZ1
>              |                         |
>              +------------+------------+
>                           | em0
>                       Intranet
>
> DMZ2 has public address space (here named 11.222.33.128/25). Outgoing traffic
> from this net should go through the IPsec tunnel.
>
> IPv4 traffic from Intranet and DMZ1 to non-local and non-11.222.33/24 destinations uses the
> default route via NAT and pppoe0 as expected.
>
> What drives me nuts is: All traffic to 11.222.33/24 from em0 and dc1 (including
> all CARP traffic from its carp2) goes to enc0, like this:
>
> 11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0: \
> carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 \
> advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211, len 56, bad cksum 0!)
>
>
> What's going on here?
>
> route-to in pf.conf seems to have no influence.
>
>
> Encap:
> Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
> 11.222.33.64/26    0     172.16.9/24        0     0      111.222.111.222/esp/use/in
> 172.16.9/24        0     11.222.33.64/26    0     0      111.222.111.222/esp/require/out
> 11.222.33.16/28    0     192.168.110/24     0     0      111.222.111.222/esp/use/in
> 192.168.110/24     0     11.222.33.16/28    0     0      111.222.111.222/esp/require/out
> default            0     2001:a12:d:10::/60 0     0      111.222.111.222/esp/use/in
> 2001:a12:d:10::/60 0     default            0     0      111.222.111.222/esp/require/out
> default            0     11.222.33.128/25   0     0      111.222.111.222/esp/use/in
> 11.222.33.128/25   0     default            0     0      111.222.111.222/esp/require/out
> 11.222.33.64/26    0     192.168.110/24     0     0      111.222.111.222/esp/use/in
> 192.168.110/24     0     11.222.33.64/26    0     0      111.222.111.222/esp/require/out
>
> root# ifconfig dc1
> dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:80:c8:b9:04:ce
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 11.222.33.132 netmask 0xffffff80 broadcast 11.222.33.255
>         inet6 fe80::280:c8ff:feb9:4ce%dc1 prefixlen 64 scopeid 0x3
>         inet6 2001:a12:d:18::b prefixlen 64
>
> carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:03
>         priority: 0
>         carp: MASTER carpdev dc1 vhid 3 advbase 1 advskew 0
>         groups: carp
>         status: master
>         inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xd
>         inet 11.222.33.139 netmask 0xffffff80 broadcast 11.222.33.255
>         inet6 2001:a12:d:18::c prefixlen 64
>
> This is a GENERIC snapshot from about 2011-06-08.
> I have net.inet.ip.multipath=1
>
> What am I doing wrong?
> Time to start using rdomains / multiple rtables?
>
> Axel
> ---
> PGP-Key:29E99DD6 · +49 151 2300 9283 · computing @ chaos claudius
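As an added illustration of the bypass flow suggested in the reply above (this is example configuration, not anything posted in the thread or taken from Axel's firewall), here is what such an exemption looks like in ipsec.conf(5) syntax. It assumes the flows in the Encap table are installed with ipsecctl(8) from /etc/ipsec.conf, that the tunnel peer is 111.222.111.222 as in the netstat output, and that the macro names are free to choose; the DMZ2 prefix 11.222.33.128/25 and the IPv6 prefix 2001:a12:d:10::/60 are taken from the quoted message.

```conf
# /etc/ipsec.conf fragment (added example, not from the original post).
# Assumed: the Encap entries above come from ipsecctl -f /etc/ipsec.conf and
# the peer is 111.222.111.222 as shown in netstat -rn. Macro names are arbitrary.

peer="111.222.111.222"
dmz2="11.222.33.128/25"
dmz2_v6="2001:a12:d:10::/60"

# CARP advertisements are IP protocol 112 ("carp" in /etc/protocols) sent to
# the multicast group 224.0.0.18. This flow is more specific than the
# "11.222.33.128/25 -> default" entry (it adds a protocol and a host
# destination), so the SPD longest-match picks it first and the packets leave
# dc1 in the clear instead of being steered to enc0. Only the outbound
# direction is needed; inbound advertisements from the other CARP node are
# addressed to 224.0.0.18 and never hit the "default -> 11.222.33.128/25" flow.
flow esp out proto carp from $dmz2 to 224.0.0.18 type bypass

# carp2 also carries 2001:a12:d:18::c, which lies inside the
# "2001:a12:d:10::/60 -> default" flow, so the IPv6 advertisements (sent to
# ff02::12) need the same treatment.
flow esp out proto carp from $dmz2_v6 to ff02::12 type bypass

# Existing tunnel policy for DMZ2, equivalent to the require/out and use/in
# pair for 11.222.33.128/25 in the Encap table (ipsecctl's defaults).
flow esp from $dmz2 to any peer $peer
```

Check the file with `ipsecctl -n -f /etc/ipsec.conf` before loading it, then `ipsecctl -f /etc/ipsec.conf` and `ipsecctl -s flow` to confirm the two bypass entries appear next to the tunnel flows. After that, `tcpdump -ni dc1 proto carp` should show the advertisements on the wire and the "block out on enc0" matches in the pf log should stop; the pf `route-to` rule had no effect because the SPD lookup in ip_output happens regardless of what pf decided about the egress interface.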
