Hi,

running IPsec in multiple rdomains has been supported for about a year and
should work just fine.  iked(8) has extended support for it, but it
should also work with isakmpd(8).

- You need to create an enc(4) interface for the non-default rdomain.
Traffic will only flow if there is an enc(4) interface; enc0 in
rdomain 0 is still created by default.

# ifconfig enc1 rdomain 1 up

- The order in which you execute the commands at runtime is important.  First
create the enc(4) interface (or put it in hostname.if), then configure
the rdomain on em0, then configure the IP on it and finally start
isakmpd in the right rdomain.  I would also suggest running isakmpd
with the -4 option since rdomains are IPv4-only for now (ask claudio@
if you want to have IPv6 rdomains).

# ifconfig em0 192.168.1.200 rdomain 1
# route -T 1 exec isakmpd -4 -K

- As you see above, you need to run isakmpd in rdomain 1 by setting
its process context to rdomain 1.  Just running "isakmpd -K" in a
normal shell will execute it in rdomain 0.  The process rdomain is
inherited from the parent process, so you could also do

# route -T 1 exec sh
# isakmpd -4 -K

- To see the flows and SAs you need to do the same with ipsecctl:

# route -T 1 exec ipsecctl -s all

- I so much prefer "route -T 1 show -inet" over "netstat -rn -T 1 -f
inet" but maybe this is just a matter of taste.  "netstat -an" is not
rdomain-aware yet.

reyk

On Tue, May 17, 2011 at 09:39:26PM +0000, patrick.oesch...@bluewin.ch wrote:
> ...gives me some headache...
> 
> system1: (OpenBSD 4.9)
> em0 192.168.1.54 (same /24 subnet as system2)
> /etc/isakmpd/isakmpd.conf:
> Listen-on=      192.168.1.54
> isakmpd -K
> 
> system2: (OpenBSD 4.9)
> em0 192.168.1.200 (same /24 subnet as system1)
> 
> /etc/isakmpd/isakmpd.conf:
> Listen-on=      192.168.1.200
> isakmpd -K
> 
> As long as em0 on system2 is in rdomain 0 (zero) everything seems fine,
> and using tcpdump I can see bi-directional traffic on UDP/500.
> As soon as I put em0 on system2 into rdomain 1 using
> 'ifconfig em0 192.168.1.200 rdomain 1' my headache starts...
> I can check routing for domain 1 using 'netstat -rn -T1'.
> I can ping 192.168.1.200 using 'ping -V1 192.168.1.200'.
> *but*
> I no longer see em0 in 'netstat -an -f inet', so I am not able to see
> if the listener for UDP/500 started on the em0 interface (only
> interfaces in rdomain 0 (zero) are displayed).
> Bi-directional traffic for port UDP/500 stops.
> 
> Anybody having experience in terminating an IPsec tunnel in a routing
> domain? (virtual firewall setup)
> Maybe I should try GRE with IPsec on top of that...(?)
> Thank you
> /pat
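The procedure reyk describes above, as an added example that is not part of the original thread: a small sh script that runs the steps in the order that matters (enc interface first, then the rdomain on em0, then the address, then isakmpd started inside the rdomain) and a check that queries the result from inside the same rdomain. Interface name, address, netmask and rdomain number are assumptions taken from pat's system2; the `plan` mode only prints the commands without executing them.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Brings up an IPsec
# endpoint in a non-default rdomain in the order reyk describes, and checks
# the result.  Interface name, address, netmask and rdomain number are
# assumptions taken from the thread (system2: em0, 192.168.1.200/24, rdomain 1).

RDOMAIN=${RDOMAIN:-1}
IFACE=${IFACE:-em0}
ADDR=${ADDR:-192.168.1.200}
MASK=${MASK:-255.255.255.0}
DRY_RUN=${DRY_RUN:-0}

# run: print the command, then execute it unless DRY_RUN=1 ("plan" mode).
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# setup_rdomain_ipsec: the steps, in the order that matters.
setup_rdomain_ipsec() {
    # 1. An enc(4) interface for the rdomain.  enc0 in rdomain 0 exists by
    #    default, but no IPsec traffic flows in rdomain N without encN.
    run ifconfig "enc$RDOMAIN" rdomain "$RDOMAIN" up
    # 2. Move the physical interface into the rdomain first ...
    run ifconfig "$IFACE" rdomain "$RDOMAIN"
    # 3. ... then give it its address.
    run ifconfig "$IFACE" inet "$ADDR" netmask "$MASK"
    # 4. Start isakmpd with its process rdomain set to RDOMAIN.  A plain
    #    "isakmpd -K" from a normal shell would run in rdomain 0.  -4 because
    #    rdomains were IPv4-only at the time of the thread.
    run route -T "$RDOMAIN" exec isakmpd -4 -K
}

# check_rdomain_ipsec: verify both interfaces landed in the rdomain, then
# list flows and SAs from inside it (ipsecctl, like isakmpd, must run there).
check_rdomain_ipsec() {
    ifconfig "enc$RDOMAIN" | grep -q "rdomain $RDOMAIN" || {
        echo "enc$RDOMAIN is not in rdomain $RDOMAIN" >&2; return 1; }
    ifconfig "$IFACE" | grep -q "rdomain $RDOMAIN" || {
        echo "$IFACE is not in rdomain $RDOMAIN" >&2; return 1; }
    route -T "$RDOMAIN" exec ipsecctl -s all
}

case "${1:-}" in
    plan)  DRY_RUN=1; setup_rdomain_ipsec ;;
    setup) setup_rdomain_ipsec ;;
    check) check_rdomain_ipsec ;;
    *)     echo "usage: $0 plan|setup|check" >&2 ;;
esac
```

Run it with `plan` to see the ordered commands, with `setup` as root to apply them, and with `check` afterwards. The check deliberately runs ipsecctl through `route -T` because, as reyk notes, a bare `ipsecctl -s all` reports rdomain 0 and would show nothing for the tunnel. For boot-time configuration reyk's suggestion of hostname.if applies; the order of the steps stays the same.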