On 24.07.2017 at 19:01, Andrey V. Elsukov wrote:

.1.1: ICMP echo reply, id 33347, seq 28416, length 8
This does not match with what I expected to see. The reply here should
be something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".

It seems the problem is with ipfw_nat, which for both directions thinks
that packets are inbound, and this leads to incorrect translation.

Can you modify your IPsec security policies, so outgoing packets from
10.26.2.0/24 will go through the same tunnel? Then you need to modify
nat rule:

ipfw nat 1 config ip 10.26.1.1
ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0


Hi,

when I change it to

out xmit enc0

nothing happens because the packets have to match the IPSEC SA before entering the tunnel (and enc0 I guess).
So it has to be

in recv vtnet1

to be more precise, but then it's the same result:

09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 4f36 (->5036)!) 10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48) 81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8

Thanks,
Michael
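As an added illustration (not part of this thread or of ipfw itself), a small Python check over constructed tcpdump lines modelled on the capture above: it correlates echo requests and replies by sequence number and flags replies whose source equals their destination, the symptom of ipfw_nat treating both directions as inbound. The regex, function names and sample lines are my own assumptions.

```python
import re

# Constructed sample, modelled on the tcpdump excerpt in the thread:
# an outgoing request, the inner reply inside the IPIP tunnel, and the
# reply as it looks after the faulty second translation.
SAMPLE = """\
09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (proto ICMP (1), length 28) 10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (proto IPIP (4), length 48) 81.24.74.3 > 213.244.192.191: IP (proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8
"""

ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Return one dict per ICMP echo request/reply found in tcpdump output.
    Outer IPIP headers carry no 'ICMP echo' text, so only inner packets match."""
    pkts = []
    for m in ICMP_RE.finditer(text):
        d = m.groupdict()
        d["id"], d["seq"] = int(d["id"]), int(d["seq"])
        pkts.append(d)
    return pkts


def find_bad_translations(text):
    """Flag echo replies a correctly NATed flow would never produce:
    src == dst (translated twice), or a reply whose destination is not
    the source of the request with the same seq. The ICMP id is not used
    for matching because NAT legitimately rewrites it."""
    pkts = parse_icmp(text)
    requests = {p["seq"]: p for p in pkts if p["kind"] == "request"}
    problems = []
    for p in pkts:
        if p["kind"] != "reply":
            continue
        if p["src"] == p["dst"]:
            problems.append((p["seq"], "reply source equals destination"))
            continue
        req = requests.get(p["seq"])
        if req and p["dst"] != req["src"]:
            problems.append((p["seq"], f"reply dst {p['dst']} != request src {req['src']}"))
    return problems


if __name__ == "__main__":
    for seq, why in find_bad_translations(SAMPLE):
        print(f"seq {seq}: {why}")
```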

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"