[SOLVED] IPSec tunnel, VNET jail and routing issue
Michael Grimm
trashcan at ellael.org
Tue Dec 27 15:31:36 UTC 2016
Michael Grimm <trashcan at ellael.org> wrote:
Never mind, I solved my issue. It has been a minor typo with major consequences.
> Configuration (shown for hostA, only):
>
> setkey.conf
> # hostA hostB hostA hostB
> spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
Contrary to the example line above, my real setkey.conf had an "in" instead of "out" :-(
> Achieved so far:
>
> #) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite VNET jails will become assigned).
> I do not know if that is needed, but now ping from jails to the opposite jails will at least start to send ICMP packages.
Now I have to state: yes, ARP proxying is mandatory in my setup.
Hmm, I need to learn more about ARP. Because now I do observe a lot of lines like …
| <kern.info> mike kernel: arp: proxy: ignoring request from 10.1.1.1 via epair1a
… and I do not know if I do have to be concerned about those. Do I?
Sorry for the noise!
Regards,
Michael
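
Added example, not part of the original message: a small check that compares each `spdadd` tunnel policy's `-P` direction with its tunnel endpoints, which catches the "in" instead of "out" typo described above. The function name `check_spd`, the mirrored `in` policy line and the single-line policy form it parses are assumptions made for this illustration.

```python
import re

# Matches: spdadd <src> <dst> <proto> -P <dir> ipsec <esp|ah>/tunnel/<from>-<to>/<level>;
SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(\S+)\s+ipsec\s+"
    r"\w+/tunnel/([0-9a-fA-F.:]+)-([0-9a-fA-F.:]+)/\w+\s*;")

# Constructed sample for hostA: the 'out' line from the message plus a
# mirrored 'in' line (the mirror line is an assumption, not from the page).
GOOD = """\
# hostA setkey.conf (sample)
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.20.30.40-1.2.3.4/require;
"""
# The typo from the message: "in" where "out" belongs.
TYPO = GOOD.replace("-P out", "-P in", 1)


def check_spd(conf_text, local_endpoint):
    """Return (line_no, message) findings for tunnel policies whose -P
    direction contradicts the tunnel endpoints. local_endpoint is this
    host's outer tunnel address; line_no 0 marks a file-level finding."""
    findings, seen = [], set()
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = SPD_RE.match(line.split("#", 1)[0])  # drop comments
        if not m:
            continue
        _src, _dst, direction, t_from, t_to = m.groups()
        seen.add(direction)
        if local_endpoint not in (t_from, t_to):
            findings.append((no, f"neither tunnel endpoint is {local_endpoint}"))
            continue
        # Outbound policies tunnel from the local endpoint, inbound ones to it.
        expected = "out" if t_from == local_endpoint else "in"
        if direction != expected:
            findings.append(
                (no, f"-P {direction} but tunnel {t_from}-{t_to} implies -P {expected}"))
    for d in ("out", "in"):
        if d not in seen:
            findings.append((0, f"no '-P {d}' tunnel policy found"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("typo", TYPO)):
        print(label, check_spd(text, "1.2.3.4"))
```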