Hi,

Upon implementation of etherip(4) over an iked(8) connection, I had issues
with passing etherip traffic over the connection.

The -current man page states:

"The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
ipsec(4) is being used to protect the traffic."

However, unless net.inet.etherip.allow was set to 1, traffic would not pass
over the etherip interface even if using ipsec(4).

Digging through the mail archive
(http://marc.info/?l=openbsd-misc&w=2&r=1&s=etherip&q=b), others have had
this issue:

http://marc.info/?l=openbsd-misc&m=148613113216663&w=2
http://marc.info/?l=openbsd-misc&m=147912428400635&w=2

Which then led me to have a casual look over the code:

/usr/src/sys/net/if_etherip.c

which also leads to:

/usr/src/sys/netinet/ip_ether.c

It appeared to me that if net.inet.etherip.allow=1 was not set, then the
packets were dropped.  I couldn't see any reference to ipsec(4) traffic
being allowed to pass.

Below is a patch to the etherip(4) man page to clarify that
net.inet.etherip.allow must be set to 1 and remove the reference to
ipsec(4) if traffic needs to pass on the etherip interface.

Cheers,

Jason Tubnor.



Index: etherip.4
===================================================================
RCS file: /cvs/src/share/man/man4/etherip.4,v
retrieving revision 1.4
diff -u -p -r1.4 etherip.4
--- etherip.4   3 Dec 2015 18:44:41 -0000       1.4
+++ etherip.4   12 Feb 2017 22:08:10 -0000
@@ -54,11 +54,10 @@ The
 .Xr sysctl 3
 variable
 .Dv net.inet.etherip.allow
-must be set to 1, unless
-.Xr ipsec 4
-is being used to protect the traffic.
-Ethernet frames are then encapsulated and sent across the network
-to another
+must be set to 1 to enable the flow of traffic across the
+.Nm
+interface.  Ethernet frames are then encapsulated and sent across the
+network to another
 .Xr bridge 4 ,
 which decapsulates the datagram and processes the resulting Ethernet
 frame as if it had originated on a normal Ethernet interface.
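Review bot: the added line "+interface.  Ethernet frames are then encapsulated and sent across the" breaks the mdoc convention of starting each new sentence on a new line, which the surrounding text follows (the removed lines kept "is being used to protect the traffic." and "Ethernet frames are then encapsulated..." on separate lines, and mandoc -Tlint will flag "new sentence, new line"). Suggest splitting it into "+interface." and "+Ethernet frames are then encapsulated and sent across the network", then rewrapping "to another" onto the following line so the paragraph reads as before. The wording itself is consistent with the reasoning in the mail: nothing in the hunk still implies an ipsec(4) exemption, so the text now matches what the sender observed, namely that traffic is dropped unless the sysctl is set to 1.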
