Hi,

I am currently stuck, somehow, and I do need your input. Thus, let me explain 
what I do want to achieve:

I do have two servers connected via an ipsec/tunnel ...
        [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
… which is sending all traffic destined for dead:beef:1234:abcd::/64 and 
dead:feed:abcd:1234::/64 through the tunnel, and vice versa.

That did run perfectly well during the last years until I decided to give VNET 
jails a try. Previously, some of my old-fashioned jails got an IPv6 address 
attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from 
the remote server without any routing/re-directing or the like being 
necessary. Now, after having moved those jails to VNET jails (having those 
addresses bound to their epairXXb interfaces), I cannot reach those addresses 
within those jails any longer.

From my point of view and understanding this must have to do with a lack of 
proper routing, but I am not sure if that is correct, thus my questions to the 
experts:

1) Is my assumption correct, that my tunnel is "ending" after having passed my 
firewalls at each server, *before* decrypting its ESP traffic into its final 
destination (yes, I do have pf rules to allow for ESP traffic to pass my outer 
internet-facing interface)?

2) If that is true, racoon has to decide where to deliver those packets 
finally?

3) If that is true, I do have an issue with routing that *cannot* be solved by 
pf firewall rules, right?

4) If that is true, what do I have to look for? What am I missing? How can I 
route incoming and finally decrypted traffic to its final destination within a 
VNET jail?

5) Do I need to look for a completely different approach? Every hint is highly 
welcome.

Thanks in advance and with kind regards,
Michael
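Added illustration (not part of the mail above, and not FreeBSD or racoon code): 
once ESP is decapsulated, the inner IPv6 packet goes through the host's normal 
input path, and if its destination is not an address of the host itself it is 
forwarded by an ordinary longest-prefix lookup in the routing table (subject to 
net.inet6.ip6.forwarding). With the old-style jail the address sat on a host 
interface, so delivery was local; with a VNET jail the address lives in the 
jail's own stack, so the host must hold a route towards the epair. The script 
below models only that routing step over a constructed netstat-style table (the 
interface names vtnet0 and epair0a and the listed routes are assumptions), to 
show which interface the host would pick for the jail address with and without 
a host route pointing at the epair. Whether the IPsec policy covers the 
address is a separate check (setkey -DP) that this script does not model.

```python
import ipaddress
import re

# Constructed sample in the shape of `netstat -rn -f inet6` output for host
# [A]. Illustration only: these routes are not taken from the original mail.
# vtnet0 is an assumed outer interface name, epair0a the assumed host side of
# a VNET jail's epair pair.
SAMPLE_ROUTES = """\
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::1%vtnet0                UG       vtnet0
::1                               link#2                        UHS         lo0
dead:beef:1234:abcd::/64          link#1                        U        vtnet0
dead:beef:1234:abcd::1            link#1                        UHS         lo0
dead:beef:1234:abcd:1:2::3        link#5                        UHS     epair0a
fe80::%vtnet0/64                  link#1                        U        vtnet0
"""

JAIL_ADDR = "dead:beef:1234:abcd:1:2::3"   # the jail address named in the mail


def parse_routes(text):
    """Parse netstat-style lines into (network, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, flags, netif = parts[0], parts[2], parts[3]
        if dest == "default":
            dest = "::/0"
        dest = re.sub(r"%[^/]*", "", dest)       # drop a scope id such as %vtnet0
        # a destination without a prefix length is a host route (/128)
        routes.append((ipaddress.ip_network(dest, strict=False), flags, netif))
    return routes


def route_for(addr, routes):
    """Longest-prefix match, as the kernel does for a forwarded packet."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags, netif)
    return best


def delivery_interface(addr, routes):
    """Interface the host would hand a decrypted packet for addr to, or None."""
    hit = route_for(addr, routes)
    return hit[2] if hit else None


def without_host_route(routes, addr):
    """The same table as it would look if no /128 route for addr existed."""
    ip = ipaddress.ip_address(addr)
    return [r for r in routes if not (r[0].prefixlen == 128 and ip in r[0])]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("with /128 via epair :", delivery_interface(JAIL_ADDR, routes))
    print("without it          :",
          delivery_interface(JAIL_ADDR, without_host_route(routes, JAIL_ADDR)))
```

Without the host route the jail address is matched only by the connected /64 
on the outer interface, so the host would try to resolve it there rather than 
hand it to the epair; with the /128 route present the packet is sent to 
epair0a. Running the real `netstat -rn -f inet6` on the host and looking at 
which entry matches the jail address answers the same question for the live 
system.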

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net