Subject: ipsec/ipf/routing confusion
To: None <>
From: Joe Bamberg <>
List: tech-net
Date: 11/06/2000 12:55:50
Greetings tech-net,

Here is my setup

home net (
  | interface ep0
home router-------------------- interface lo1
a.b.c.d interface ep1
(big bad internet)
work router
another router
work net (

I'm trying to set up tunnel mode IPsec between
and  The home router is a NetBSD-1.5_BETA box,
and the work router is a Cisco (IOS 12.something).

IKE seems to work just fine (I'm using isakmpd-001006 on the
netbsd side).  I negotiate an SA successfully and isakmpd installs
what looks like good SPD and SAD entries (although, all the
SPD entries are direction "out" - I guess this just means that
I initiated them?).

My default route on the home router is my ISP's router.  Since
I don't want to route packets destined to the 10.2 network
through this, I've created an extra loopback interface (lo1) with
address and route add -net 10.2 through that.  This
also helps for logging. 

When I ping a host on the work net from a host on the home net
(after IKE has established SAs), I see the ICMP packets inbound
on lo1 (using ipmon), ESP packets a.b.c.d -> e.f.g.h and ESP
packets coming back e.f.g.h -> a.b.c.d on ep1 (using tcpdump -niep1).

Then, I see the decrypted ICMP replies coming in on ep1 (using
ipmon) 10.2.x.y -> 192.168.2.z.  They get blocked by an ipf rule.
If I pass them instead of blocking them (which seems to be highly
dodgy from a security standpoint), I still don't see them coming
back out to the network.  I was surprised at this
behaviour, expecting to see the decrypted packets appear initially
outbound on ep0 instead.

I feel that I'm so close to getting this to work but I must
be missing one vital piece of the puzzle and would appreciate
any help.  I have realized that I just don't understand the
interaction between routing and IPsec in the kernel.
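The policy and filter pieces the post describes, written out as an added example (this is not from the post, nor isakmpd's or NetBSD's own configuration). The netblocks (192.168.2/24 and 10.2/16), the interface names (ep0, ep1) and the a.b.c.d / e.f.g.h gateway placeholders are taken from the post; the variable names, the "apply" argument and the address check are assumptions of this example. It generates the KAME setkey SPD entries in both directions and a set of ipf rules that follow what ipmon showed (ESP on ep1, decrypted inner packets also appearing inbound on ep1), and it refuses to load the SPD until the placeholders are replaced with real addresses:

```shell
#!/bin/sh
# Added example, not from the post or from NetBSD/isakmpd: build the KAME
# setkey policy and matching ipf rules for the tunnel described above.
# Netblocks, interface names and the a.b.c.d / e.f.g.h placeholders come
# from the post; variable names and the "apply" argument are assumed.

HOME_NET=${HOME_NET:-192.168.2.0/24}   # home net behind ep0
WORK_NET=${WORK_NET:-10.2.0.0/16}      # work net behind the Cisco
HOME_GW=${HOME_GW:-a.b.c.d}            # public (ep1) address of the NetBSD router
WORK_GW=${WORK_GW:-e.f.g.h}            # public address of the Cisco
INSIDE_IF=${INSIDE_IF:-ep0}
OUTSIDE_IF=${OUTSIDE_IF:-ep1}

# setkey rejects placeholders, so refuse to apply until both gateways are
# real dotted-quad IPv4 addresses.
is_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o; do [ "$_o" -le 255 ] 2>/dev/null || return 1; done
}
check_gateways() { is_ipv4 "$1" && is_ipv4 "$2"; }

# Tunnel-mode SPD entries in BOTH directions.  The "in" entry at level
# "require" is what makes the kernel reject a packet that matches the
# inner selector but did not arrive inside the ESP tunnel SA.
ipsec_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# ipf rules: IKE (UDP/500) and ESP between the gateways on the outside
# interface, then the inner packets.  The decrypted replies show up in
# ipmon inbound on the outside interface with the inner addresses.
ipf_rules() {
    home=$1 work=$2 hgw=$3 wgw=$4 in_if=$5 out_if=$6
    cat <<EOF
pass in quick on $out_if proto udp from $wgw port = 500 to $hgw port = 500
pass out quick on $out_if proto udp from $hgw port = 500 to $wgw port = 500
pass in quick on $out_if proto esp from $wgw to $hgw
pass out quick on $out_if proto esp from $hgw to $wgw
# decrypted replies reappear inbound on $out_if; the SPD "in ... require"
# entry, not this rule, is what rejects a cleartext packet forged with
# these inner addresses
pass in quick on $out_if from $work to $home
pass out quick on $in_if from $work to $home
pass in quick on $in_if from $home to $work
EOF
}

main() {
    if [ "${1:-}" = apply ]; then
        check_gateways "$HOME_GW" "$WORK_GW" || { echo "set HOME_GW/WORK_GW to real addresses" >&2; return 1; }
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
        ipsec_policy "$HOME_NET" "$WORK_NET" "$HOME_GW" "$WORK_GW" | setkey -c
        echo "# merge the following into /etc/ipf.conf ahead of the block rule, then: ipf -Fa -f /etc/ipf.conf" >&2
    else
        # dry run: show what would be loaded
        echo "# setkey -c"
        ipsec_policy "$HOME_NET" "$WORK_NET" "$HOME_GW" "$WORK_GW"
        echo "# ipf.conf"
    fi
    ipf_rules "$HOME_NET" "$WORK_NET" "$HOME_GW" "$WORK_GW" "$INSIDE_IF" "$OUTSIDE_IF"
}
main "$@"
```

Run it with no argument to see the generated policy and rules; run `HOME_GW=... WORK_GW=... sh tunnel.sh apply` as root to load the SPD with setkey. The ipf rules are printed rather than loaded so they can be placed ahead of the existing block rule by hand. Passing the decrypted inner packets on ep1 is only safe because the "in" SPD entry at level "require" makes the kernel discard a matching packet that did not come out of the tunnel SA; without that entry the pass rule would also admit cleartext spoofed from the internet. Any rule for the lo1 hop should mirror what ipmon actually reports for that interface.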