Am 25.07.2017 um 10:22 schrieb Andrey V. Elsukov:
ICMP request should be matched by outbound IPsec policy. Looking to your
tcpdump, you use tunnel IPsec mode. So, how this should work:
* 10.26.2.N sends ICMP request to 10.24.66.25
* 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
esp/tunnel/213.244.192.191-81.24.74.3/require;
* IPsec code does lookup for IPsec SA and uses something like:
add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
Thanks for the detailed explaination! I only know the insights with
Linux, but what I try to achieve is, not to build a SA fpr 10.26.2.0 to
10.24.66.0.
So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done
before getting to the IPSEC process.
In Linux a packet not matching a SA would simply be dropped by kernel or
throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to
10.24.66.0.
I'll try to reach out the OPNsense guys if they are willing to patch a
new kernel for me.
Thanks!
Michael
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
