Hi,

I have successfully managed to put an iked on an rdomain 2 interface.  
Everything is nicely on that domain/rtable.

Now I want to route some parts of that into rdomain 0 and get the return
traffic back on rdomain 2.  But I can't for the life of me figure this way
out.  I've had error messages such as:

1. ICMP destination unreachable
2. ICMP need frag

And I've had no error messages where pf silently drops stuff.

Here is my pf.conf rules for the task:

#pass in log (to pflog1) on em0 from any to 192.168.80.0/24 rtable 2
pass in on enc2 proto ipencap from 10.83.45.251 to 10.83.44.52 keep state (if-bound)
pass out on enc2 proto ipencap from 10.83.44.52 to 10.83.45.251 keep state (if-bound)
pass in on enc2 from 192.168.80.0/24 to any tagged ipod keep state (if-bound)
pass out on enc2 from any to 192.168.80.0/24 keep state (if-bound)

The first rule is commented out because it doesn't work for some reason.

Here is my iked.conf for rdomain 2:

ikev2 "ios9-2" passive esp \
        from 0.0.0.0/0 (10.83.44.52) to 192.168.80.0/24 \
        peer 10.83.45.0/24 local 10.83.44.52 \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid 10.83.45.251 \
        dstid 10.83.44.52 \
        psk "secret" \
        config address 192.168.80.0/24 \
        config netmask 255.255.255.0 \
        config name-server 192.168.70.1 \
        tag ipod \
        tap enc2

The remote device (a 2013 iPod with an old iOS) connects to the iked
rules.  Traffic goes one way to the nameserver at 192.168.70.1 but never
returns (see above errors).

How do I make this work?  It would be cool if I could add an "rtable 0" in
the iked.conf right off the bat and not have to worry about doing this with pf.

I've spent 4 or 5 hours on this already and asked others, but the solution
didn't work out.  I use tcpdump mainly to track the traffic, but I'm at
my wit's end.  Any good hints, or is this impossible to do, at which point
this becomes a feature request?

Regards,
-peter