Thursday, December 23, 2021

`proto ipencap` documentation question

Hello,

I have existing GRE over IPSec (iked) tunnels which work with no issues.
Today I added another instance, with the same configuration, except for
two differences: the instance is behind a NAT and I use a `lo` interface
on each end for the IPSec traffic flow.

The pf configuration seemed to not account for this scenario, logging:

```
1640284799.791318 rule 2/(match) block in on enc0: 10.0.13.2 > 10.0.13.1: gre [|ip] (encap)
```

Rule 2 resolves to `block drop log on enc0 all`; however, this should
be combated by the GRE pass rule

`pass in quick log on enc0 proto gre from any to any`

- or at least it is for all my other tunnels.

I wondered about the (encap) ending in the tcpdump output, as I did not
see it on the (passing/working) traffic from my existing tunnels.
Researching it, I found an entry in ipsec.conf(5):

```
proto ipencap
    [tunnel mode only] IP-in-IP traffic flowing between gateways on the
    enc0 interface.
```

Given the "tunnel mode only" note, I dismissed it at first, since I am
exclusively using transport mode (iked.conf is set to `transport esp
proto gre` on both ends). I attempted several configurations and
allowances, only to find an old mailing list thread suggesting to add a
pass rule for ipencap as well as for gre:

`pass in quick log on enc0 proto ipencap all`

And of course - it immediately started working - this should have been
obvious after seeing the (encap) ending in the log output, however the
manual note about it being exclusively for tunnel mode made me shy of
attempting it.

My questions: am I doing something wrong, and is my IPSec transport mode
actually running in tunnel mode? Is the use of ipencap to be expected
in an IPSec NAT-T setup? Is the manual note not accurate, and should a
change be suggested?

I could unfortunately not find much information on ipencap.

Thanks a lot for any clarifications!
