Good morning! Adam, Denis
---------------------------------------------------------------
[email protected]:~ # route -n show -encap
route: botched keyword: -encap
usage: route [-dnqtv] [-T tableid] command [[modifiers] args]
commands: add, change, delete, exec, flush, get, monitor, show
---------------------------------------------------------------
Further, I tried:
--------------------------------------------------------------
[email protected]:~ # route -n show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
10.0.1/24 10.0.1.240 UC 3 0 - 8 vio0
10.0.1.170 00:17:f2:01:f1:32 UHLc 0 4 - 8 vio0
10.0.1.180 e4:11:5b:3b:58:dc UHLc 1 121 - 8 vio0
10.0.1.220 52:54:00:1c:f8:35 UHLc 2 7 - 8 vio0
10.0.1.240 52:54:00:dd:e8:7c UHLl 0 0 - 1 lo0
10.0.1.255 10.0.1.240 UHb 0 0 - 1 vio0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHl 1 0 32768 1 lo0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 32768 8 lo0
::/96 ::1 UGRS 0 0 32768 8 lo0
::1 ::1 UHl 14 0 32768 1 lo0
::127.0.0.0/104 ::1 UGRS 0 0 32768 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 32768 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 32768 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32768 8 lo0
2002::/24 ::1 UGRS 0 0 32768 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 32768 8 lo0
2002:e000::/20 ::1 UGRS 0 0 32768 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 32768 8 lo0
fe80::/10 ::1 UGRS 0 0 32768 8 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32768 4 lo0
fe80::1%lo0 fe80::1%lo0 UHl 0 0 32768 1 lo0
fec0::/10 ::1 UGRS 0 0 32768 8 lo0
ff01::/16 ::1 UGRS 0 0 32768 8 lo0
ff01::%lo0/32 ::1 UC 0 0 32768 4 lo0
ff02::/16 ::1 UGRS 0 0 32768 8 lo0
ff02::%lo0/32 ::1 UC 0 0 32768 4 lo0
--------------------------------------------------------------
Some facts about my tests/setup that might help.
.- both machines are connected on the same switch, same
network (LNX: 10.0.1.20; OBSD: 10.0.1.240). The Linux machine has an
additional interface with an additional IP/network: 192.168.100.0/29;
there is a third machine (192.168.100.2, behind LNX/StrongSwan) used to
ping and test the validity of the tunnel.
.- PF has no additional rules, it's basically vanilla:
block return # block stateless traffic
pass # establish keep-state
block return in on ! lo0 proto tcp to port 6000:6010
pass on enc0
.- My ipsec.conf has only one entry:
ike esp from 10.0.1.240/32 to 192.168.100.0/29 peer 10.0.1.220
main auth hmac-sha1 enc 3des group modp1024
quick auth hmac-sha1 enc 3des group modp1024
psk "zRmzouKsYEBMYrKMX16bkwazXV21cV8zFIA6LHzt"
.- I have no additional routing rules; I do not know if they are
necessary. When using StrongSwan in Linux/Linux scenarios, rules are
added automatically in recent versions.
.- Using ipsecctl -s all, I'm seeing what seems to be the automatic rule
creation that StrongSwan does on Linux:
FLOWS:
flow esp in from 192.168.100.0/29 to 10.0.1.240 peer 10.0.1.220 srcid
10.0.1.240/32 dstid 10.0.1.220/32 type use
flow esp out from 10.0.1.240 to 192.168.100.0/29 peer 10.0.1.220 srcid
10.0.1.240/32 dstid 10.0.1.220/32 type require
SAD:
esp tunnel from 10.0.1.240 to 10.0.1.220 spi 0xcfbccc26 auth hmac-sha1
enc 3des-cbc
esp tunnel from 10.0.1.220 to 10.0.1.240 spi 0xe95d6730 auth hmac-sha1
enc 3des-cbc
I saw a few articles in which they created several entries in ipsec.conf:
.- an entry for a gateway to gateway
.- an entry for gateway to network
.- an entry for a network to network
But they seem to be old. I only have one entry, connecting the OpenBSD
machine as a road warrior to the network behind the StrongSwan gateway.
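As an added example (not part of the original post, and not an OpenBSD or StrongSwan tool), the script below parses the FLOWS and SAD sections of the ipsecctl -s all output quoted in the message and checks, for each flow, whether a tunnel SA to the flow's peer exists in that direction and whether the flow is type require or only type use. The sample input is the post's own output with the mail-wrapped lines rejoined; the local address 10.0.1.240 is passed in as a parameter.

```python
import re

# Constructed sample input: the FLOWS and SAD sections of `ipsecctl -s all`
# from the post, with the mail-wrapped entries rejoined onto single lines.
IPSECCTL_OUTPUT = """\
FLOWS:
flow esp in from 192.168.100.0/29 to 10.0.1.240 peer 10.0.1.220 srcid 10.0.1.240/32 dstid 10.0.1.220/32 type use
flow esp out from 10.0.1.240 to 192.168.100.0/29 peer 10.0.1.220 srcid 10.0.1.240/32 dstid 10.0.1.220/32 type require
SAD:
esp tunnel from 10.0.1.240 to 10.0.1.220 spi 0xcfbccc26 auth hmac-sha1 enc 3des-cbc
esp tunnel from 10.0.1.220 to 10.0.1.240 spi 0xe95d6730 auth hmac-sha1 enc 3des-cbc
"""

FLOW_RE = re.compile(r"^flow (\S+) (in|out) from (\S+) to (\S+) peer (\S+) .*\btype (\S+)$")
SA_RE = re.compile(r"^(\S+) tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+) auth (\S+) enc (\S+)$")


def parse_ipsecctl(text):
    """Split ipsecctl output into flow dicts and SA dicts; other lines are ignored."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            keys = ("proto", "dir", "src", "dst", "peer", "type")
            flows.append(dict(zip(keys, m.groups())))
            continue
        m = SA_RE.match(line)
        if m:
            keys = ("proto", "src", "dst", "spi", "auth", "enc")
            sas.append(dict(zip(keys, m.groups())))
    return flows, sas


def check_flows(flows, sas, local):
    """For every flow, report whether a tunnel SA between `local` and the flow's
    peer exists in the flow's direction, and whether the flow enforces IPsec
    (type require) rather than only using it when an SA happens to exist."""
    report = []
    for f in flows:
        if f["dir"] == "out":
            has_sa = any(s["src"] == local and s["dst"] == f["peer"] for s in sas)
        else:
            has_sa = any(s["src"] == f["peer"] and s["dst"] == local for s in sas)
        report.append({"dir": f["dir"], "peer": f["peer"], "has_sa": has_sa,
                       "enforced": f["type"] == "require"})
    return report


if __name__ == "__main__":
    flows, sas = parse_ipsecctl(IPSECCTL_OUTPUT)
    for entry in check_flows(flows, sas, "10.0.1.240"):
        print(entry)
```

On a live system, feed it the real output with `ipsecctl -s all | python3 check.py` after replacing the constant with `sys.stdin.read()`; a flow whose SA is missing is the first thing to look at when the tunnel does not pass traffic.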