NETKEY IPsec and ARP

Posted by Shawn J. Goff on Server Fault See other posts from Server Fault or by Shawn J. Goff
Published on 2012-03-23T13:50:54Z Indexed on 2012/03/23 17:31 UTC
Read the original article Hit count: 410

Filed under:
|
|

I'm wondering if I have the correct routing setup for an IPsec tunnel. I have control over the IPsec endpoints and the hosts connected to one side. These hosts are connecting to the tunnel so that they have access to the network on the other side of what I will call the IPsec server. I don't have control of the network upstream of this server.

Normally, the IPsec server will not respond to ARP requests for the hosts on the other side of the tunnel. So when a packet arrives for one of my hosts the server gets ARP requests, but the upstream router gets no response, and cannot construct the ethernet frame to send me the packets. If I was using one of the swan stacks, I would have a separate interface, and I'd probably just need to turn on proxyarp, but I'm using NETKEY, which doesn't use a separate interface for the tunnel.

To solve the problem for now, I have added an eth0.5 vlan to the IPsec server, turned on proxyarp for that interface, and added all routes my hosts addresses to that interface so that it will respond to those ARP requests (and will therefore get relevant packets routed to it).

This works, but it feels wrong. What is the correct way to get the upstream router to send me the traffic for these hosts?

© Server Fault or respective owner

Related posts about routing

Related posts about ipsec