On Fri, Jun 17, 2005 at 02:17:08PM -0500, dontek wrote: > Actually, I am just doing a vanilla ping, no source address option. > When you say "flows", do you mean pf flows (rules)?
IPSec flows. Sort of like routes. Read vpn(8) again and see netstat -rnfencap for flows and netstat -rnfinet for normal IP (v4) routes. > I tried adding pass rules from gateway(s) to network(s) and back, > similar to the network to network passes on enc0, but this did not > solve the problem. There is nothing in your ipsec config that says encrypt gateway to network, only network to network. I don't think you understand this part. Adding rules to pf won't suddenly make the kernel encrypt this traffic. > Adding the static routes indeed worked, however, I would still like to > understand this better and get it working via pf and not have to add > the routes. Pf is the wrong tool to fix this. There is nothing wrong with static routes. Add them to /etc/hostname.if to make them persist over a reboot. See hostname.if(5). Adding the route works because it means the internal interface's IP address is used as the source address, and the kernel knows to encrypt this traffic. Without it, you'll have the default route interface's IP as source (the external IP), and because there is no ipsec flow defined for this case, the kernel will not encrypt this traffic. It's good that you want to understand this. Use tcpdump(8) to see the traffic passing through each interface (including enc0). Log all your pf blocked traffic and use tcpdump to look at the pf logs. That the ping worked without specifying a source address is puzzling, but tcpdump might reveal what's actually happening. -- stephen