Rickard Borgmäster wrote:

> I've established a tunnel between my home FreeBSD host and a corporate
> OpenBSD firewall.

IPsec tunnel I assume?

> I can see this at OpenBSD box:
> # netstat -rn
> [...]
> Port Destination Port Proto SA(Address/Proto/Type/Direction)
> 192.168.2/24 0 10.0.0/24 0 0 130.236.218.63/50/use/in
> 10.0.0/24 0 192.168.2/24 0 0 130.236.218.63/50/require/out
>
> However, on the FreeBSD side, netstat -rn won't show anything about
> 10.0.0.0/24. Maybe Encap routes won't show in the ordinary routing table
> on FreeBSD?

It looks like the OpenBSD IPsec implementation integrates IPsec tunnel mode SAs with the routing table (good!). FreeBSD's KAME doesn't (yet; more recent KAME SNAPs have "device sec" which looks promising).

> From either the OpenBSD or FreeBSD box, I am unable to reach the private
> net behind the other IPSec node. I.e., from FreeBSD box, I cannot reach
> 10.0.0.0/24. And from OpenBSD box, I cannot reach 192.168.2.0/24.

I bet your boxes pick the wrong source address when you generate packets on them to go to the other net, because you don't have any interfaces configured on these nets (IPsec SAs aren't interfaces, at least on FreeBSD). Try tcpdumping and tell me what you get.

Lars

--
Lars Eggert <[EMAIL PROTECTED]>           Information Sciences Institute
http://www.isi.edu/larse/                University of Southern California
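The source-address mismatch Lars describes, worked through against the Encap table quoted above, as an added example that is not part of this thread: it parses the two OpenBSD flows and shows that a packet the firewall generates from an address outside 10.0.0/24 (the public address 198.51.100.1 below is a constructed placeholder) matches no outbound flow, so it never enters the tunnel and leaves in the clear, while a packet sourced from 10.0.0/24 does. The "use"/"require" semantics (fall back to plaintext vs. drop when no SA exists) follow OpenBSD's flow types; the parser itself is mine, not netstat's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the Encap table quoted from the OpenBSD box in the thread.
ENCAP_TABLE = """\
192.168.2/24 0 10.0.0/24 0 0 130.236.218.63/50/use/in
10.0.0/24 0 192.168.2/24 0 0 130.236.218.63/50/require/out
"""

@dataclass
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str        # remote SA endpoint
    proto: int       # 50 = ESP
    type_: str       # "use" or "require"
    direction: str   # "in" or "out"

def expand(prefix):
    """netstat prints abbreviated prefixes ("10.0.0/24"); pad to four octets."""
    addr, plen = prefix.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def parse_encap(text):
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        src, _sport, dst, _dport, _proto, sa = fields
        peer, proto, type_, direction = sa.split("/")
        flows.append(Flow(expand(src), expand(dst), peer, int(proto), type_, direction))
    return flows

def match_flow(flows, src, dst, direction="out"):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for fl in flows:
        if fl.direction == direction and s in fl.src and d in fl.dst:
            return fl
    return None

def disposition(flows, src, dst, sa_present=True):
    """What happens to a locally generated packet: 'esp', 'clear' or 'drop'."""
    fl = match_flow(flows, src, dst)
    if fl is None:
        return "clear"   # no flow matches: packet bypasses IPsec entirely
    if sa_present:
        return "esp"
    return "clear" if fl.type_ == "use" else "drop"
```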