it was broken and you need to apply the patch from revision 1.161

On Tue, Aug 07, 2007 at 07:25:52PM -0700, Justin Lindberg wrote:
> I have not been able to get an Ethernet bridge over IPsec to work
> in OpenBSD 4.1.  I have two machines running as NAT gateways with a
> gif tunnel between them protected by IPsec ESP.  The internal
> interfaces are both bridged to the gif tunnel.  I can ping either
> gateway from the other over the tunnel, but the bridges are not
> learning any MAC addresses from the gif side save that of the other
> gateway.  When I try to ping a machine on one LAN from the opposite
> gateway, the ARP who-is packets from the gateway will be forwarded
> by the other gateway's bridge, but the reply packets do not seem to
> be properly sent back over the gif interface by the bridge.
> 
> I noticed in the source repository the following comment in
> src/sys/net/if_bridge.c, revision 1.161
> 
>  make bridge(4) mark packets with M_PROTO1 if gif(4) needs to use
>  etherip encapsulation; unbreaks remote ipsec bridges; ok claudio;
>  additional testing Renaud Allard
> 
> Is this type of bridging broken in OpenBSD 4.1, or am I missing
> something?  Is there a way to make this work while I am waiting for
> 4.2?  I had this exact same setup working in a previous version of
> OpenBSD.  (I can't remember if it was 3.9 or 4.0.)
