IPSec and StrongSWAN result in wrong forward

Göran Löwkrantz goran.lowkrantz at ismobile.com
Fri Dec 12 11:13:31 UTC 2014


Host: 10.1-STABLE FreeBSD 10.1-STABLE #0 r275046
Sw: strongswan-5.2.0_1

Putting up an ESP tunnel between 192.168.2.0/24 and 192.168.40.8/29 over 
endpoints X and W. The outgoing traffic is passed through a DMZ and exits 
on my side through a firewall with inner address Y and outer address U.

After a random time, individual hosts on the 2.0/24 net get all their 
traffic redirected out via X even when the src/dst do not match the SPD 
entries. When the packets reach Y, the firewall sends an ICMP redirect back 
to X. The only way to clean up seems to be a reboot of the gateway, as stopping 
StrongSWAN and flushing the SAD and SPD entries does not fix the problem.

Anyone seen something like this?
Can I read the actual routing used to forward the packets and see what 
happens?
How do I interpret netstat -rW?

/glz

"There are no solved problems; there are only problems that are more
or less solved" -- Henri Poincare


More information about the freebsd-net mailing list