My apologies to everyone. This is a pf problem -- I've sorted it out. Thanks,
-Stephen- Stephen Bosch wrote: > jared r r spiegel wrote: >> On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote: >>> route add -host 192.168.0.57 -interface enc0 >>> >>> I get this response: >>> >>> route: enc0: bad address >> -interface actually takes an address: >> >> --- >> If the destination is directly reachable via an interface requiring no >> intermediary system to act as a gateway, the -interface modifier should >> be specified; the gateway given is the address of this host on the >> common >> network, indicating the interface to be used for transmission. >> --- >> >> iow, it derives the iface based on what iface the addr you give it >> lives on. >> >>> Even though a security association for the target address exists on >>> enc0. Unfortunately, the device is not passing traffic to 192.168.0.57. >>> >>> I assume I need to add a route -- but is this even necessary? >> you will need to add a route to the other end of the tunnel >> so that traffic that originates on the local endpoint destined >> for an addr matching the remote addrspec (Destination in netstat >> -rnf encap) goes over the tunnel. >> >> if traffic originates on the local host and a matching route >> is found in the inet (or inet6, i suppose) table, that route >> is taken. if you have a default route, that will catch it >> (probably undesired), so you need an inet route to make it >> match something more specific than the default route in the >> inet table. >> >> traffic traversing the host (forwarded datagrams) will match >> the ipsec flows before they get looked up against the encap >> table (if this is not literally correct, it is the behaviour >> i've observed) and thus do not need a route. > > I am talking about forwarded datagrams in this case. That's been my > experience in the past, but it's not working right now. > > I'm using a device to NAT traffic from an internal host to the private > IP address the remote IPsec peer expects on my end. > > When I ping from the internal host and do a tcpdump on the internal > interface of the IPsec device, I see that the packets have been NATted > correctly and I would expect them to be matched to the appropriate flow > and passed through to the remote internal network -- yet I get > "Destination host unreachable" from the IPsec device. I note that that > is not the same as "No route to host", but I remain suspicious. I don't > see any of my pings go out on enc0. > > Just to eliminate the obvious -- the IPsec device is forwarding other > traffic just fine, and I have other working tunnels. > > -Stephen- > > > !DSPAM:44bc7cd3248752146810636!
