SADB entries are not normal routing table entries; they take priority.
If you want traditional routing semantics rather than the IMHO insane
ipsec semantics, use gif/gre tunnels and encrypt the tunnel traffic.

If you want to stick with the SAs then you'll need a bypass flow,
something like this:

flow from 172.22/16 to 172.22/16 type bypass


On 2009-09-19, Toni Mueller <[email protected]> wrote:
> Hi,
>
> On Fri, 18.09.2009 at 17:05:51 -0700, Lordsporkton <[email protected]> wrote:
>> Could you send us some actual details? Interface configs, ipsec.conf,
>> pf.conf, output of route show, maybe a little network diagram? Anything
>> so that we actually know what is going on?
>
> this is one instance of this problem, with some IP numbers mangled:
>
>
> $ ifconfig 
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
>         priority: 0
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 44:4d:50:09:12:37
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 172.22.0.3 netmask 0xffff0000 broadcast 172.22.255.255
>         inet6 fe80::464d:50ff:fe09:1237%rl0 prefixlen 64 scopeid 0x1
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 44:40:50:54:44:e5
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 1.2.3.10 netmask 0xfffffffc broadcast 1.2.3.11
>         inet6 fe80::4640:50ff:fe54:44e5%rl1 prefixlen 64 scopeid 0x2
> enc0: flags=41<UP,RUNNING> mtu 1536
>         priority: 0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
>         priority: 0
>         groups: pflog
>
> $ netstat -rnf inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            1.2.3.9            UGS        8   989944     -     8 rl1
> 1.2.3.8/30         link#2             UC         1        0     -     4 rl1
> 1.2.3.9            00:1e:f7:dd:e3:7f  UHLc       1        0     -     4 rl1
> 127/8              127.0.0.1          UGRS       0        0 33204     8 lo0
> 127.0.0.1          127.0.0.1          UH         2     1236 33204     4 lo0
> 172.22/16          link#1             UC         4        0     -     4 rl0
> 172.22.0.1/32      link#1             UC         0        0     -     4 rl0
> 172.22.10.2        link#1             UHLc       0        2     -     4 rl0
> 172.22.20.1        00:0c:29:3a:70:b0  UHLc       0    39885     -     4 rl0
> 172.22.20.10       00:15:17:bc:67:e4  UHLc       0   105415     -     4 rl0
> 172.22.101.4       00:1a:e8:07:96:6b  UHLc       0      134     -     4 rl0
> 224/4              127.0.0.1          URS        0        0 33204     8 lo0
>
> $ netstat -rnf encap
> Routing tables
>
> Encap:
> Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
> default            0     172.22/16          0     0      5.5.5.5/esp/use/in
> 172.22/16          0     default            0     0      5.5.5.5/esp/require/out
>
> $ route -n get 172.22.10.2
>    route to: 172.22.10.2
> destination: 172.22.0.0
>        mask: 255.255.0.0
>   interface: rl0
>  if address: 172.22.0.3
>    priority: 4 (connected)
>       flags: <UP,DONE,CLONING>
>      use       mtu    expire
>        0         0   -336647 
>
>
> $ ping -q -c 10 172.22.10.2
> PING 172.22.10.2 (172.22.10.2): 56 data bytes
> --- 172.22.10.2 ping statistics ---
> 10 packets transmitted, 0 packets received, 100.0% packet loss
>
> # tcpdump -lni enc0 |grep -F icmp
> tcpdump: listening on enc0, link-type ENC
> 15:02:32.466598 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
> 15:02:32.529019 (authentic,confidential): SPI 0x4c36c8fb: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
> 15:02:33.467128 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
> 15:02:33.530162 (authentic,confidential): SPI 0x4c36c8fb: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
> 15:02:34.477035 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
>
>
> The pf rules are mostly saying that all traffic within the private
> networks should be passed, and none of them should go out to the
> Internet. The interface config files are also very much straightforward.
> Example (rl0):
>
> # cat /etc/hostname.rl0 
> inet  172.22.0.3 255.255.0.0 172.22.255.255
>
>
> What can be seen in the tcpdump output is that traffic goes out
> to enc0, and thus out to the WAN side of things, when "route get"
> indicated that quite the opposite should happen.
>
>
>
> Kind regards,
> --Toni++
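The bypass flow suggested at the top of the reply, and the reason the 172.22/16 to 172.22/16 pings end up on enc0 even though "route get" points at rl0, as an added example that is not part of the thread and not OpenBSD's code: a small Python model of the flow (SPD) lookup. It parses only the subset of ipsec.conf flow syntax used here, and it assumes that overlapping flows are resolved by the most specific entry (longest combined source plus destination prefix), which is what a practitioner relies on when adding a bypass flow for a sub-range. The ipsec.conf lines are constructed to reproduce the encap table shown in the post; the peer 5.5.5.5 is taken from it.

```python
"""Model of how OpenBSD's flow (security policy) lookup overrides the routing
table, and why a bypass flow fixes the problem in the thread.

Added example, not code from the thread or from OpenBSD.  Assumptions:
  * only the subset of ipsec.conf(5) flow syntax used below is parsed;
  * overlapping flows are resolved by the most specific entry (longest
    combined source + destination prefix);
  * a require/use flow whose SA exists sends the packet to enc0 (the
    tcpdump on enc0 in the post shows the SA was up).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ipsec.conf fragments.  The first reproduces the encap table from
# the post (172.22/16 <-> any via peer 5.5.5.5); the second adds the bypass
# flow proposed in the reply.
CONF_WITHOUT_BYPASS = """
flow esp from 172.22/16 to any peer 5.5.5.5
"""
CONF_WITH_BYPASS = CONF_WITHOUT_BYPASS + """
flow from 172.22/16 to 172.22/16 type bypass
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    kind: str            # require, use, bypass or deny
    peer: Optional[str]  # gateway for require/use flows


def _net(tok: str) -> ipaddress.IPv4Network:
    """Parse ipsec.conf address forms: 'any', '172.22/16', '10.0.0.1'."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = tok.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 172.22 -> 172.22.0.0
    return ipaddress.ip_network(f"{addr}/{plen or 32}")


def parse_flows(conf: str) -> List[Flow]:
    """Parse 'flow [esp|ah] from A to B [peer P] [type T]' lines."""
    flows = []
    for line in conf.splitlines():
        toks = line.split("#", 1)[0].split()
        if not toks or toks[0] != "flow":
            continue
        src = dst = peer = None
        kind = "require"                     # ipsec.conf default for flows
        it = iter(toks[1:])
        for tok in it:
            if tok in ("esp", "ah"):
                continue
            if tok == "from":
                src = _net(next(it))
            elif tok == "to":
                dst = _net(next(it))
            elif tok == "peer":
                peer = next(it)
            elif tok == "type":
                kind = next(it)
            else:
                raise ValueError(f"keyword not modelled: {tok}")
        if src is None or dst is None:
            raise ValueError(f"flow needs 'from' and 'to': {line!r}")
        flows.append(Flow(src, dst, kind, peer))
    return flows


def lookup(flows: List[Flow], src_ip: str, dst_ip: str) -> Optional[Flow]:
    """Most specific flow covering (src, dst); None if the SPD has no entry."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for f in flows:
        if s in f.src and d in f.dst:
            length = f.src.prefixlen + f.dst.prefixlen
            if length > best_len:
                best, best_len = f, length
    return best


def egress(flows: List[Flow], src_ip: str, dst_ip: str) -> str:
    """Where an outbound packet ends up: the SPD is consulted before the
    routing table, so only bypass (or no flow at all) reaches rl0."""
    f = lookup(flows, src_ip, dst_ip)
    if f is None or f.kind == "bypass":
        return "routing table"
    if f.kind == "deny":
        return "dropped"
    return f"enc0 via {f.peer}"


if __name__ == "__main__":
    for name, conf in (("without bypass", CONF_WITHOUT_BYPASS),
                       ("with bypass", CONF_WITH_BYPASS)):
        flows = parse_flows(conf)
        print(f"{name}: 172.22.0.3 -> 172.22.10.2 goes to",
              egress(flows, "172.22.0.3", "172.22.10.2"))
```

Without the bypass line the LAN-to-LAN packet matches the 172.22/16 to any require flow and is handed to enc0 regardless of what the inet routing table says; with it, the more specific 172.22/16 to 172.22/16 entry wins and the packet falls through to normal routing on rl0, while traffic to any other destination is still encrypted. On a real box the thing to check after loading the new ipsec.conf is the same `netstat -rnf encap` output as in the post: the 172.22/16 to 172.22/16 entries must show up as type bypass in both directions, otherwise the replies are still steered into IPsec.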
