Thread: Route to enc0
Old 30th May 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975
Welcome back!

The enc(4) pseudo driver is for integrating IPSec protected traffic with PF for packet filtering, and for diagnostics with tcpdump(8). It's not a directly usable device for networking, because every packet runs through the pseudo device twice.

I've never tried it -- so I cannot give any guidance -- but you might be able to redirect the appropriate enc(4) traffic via PF rules. PF's route-to or reply-to rule options come to mind as possible tools. But be careful. The enc(4) man page states:
Quote:
... the use of translation rules to map and redirect network traffic requires some care. Packets destined to be IPsec processed are seen by the filter/translation engine twice, both before and after being IPsec processed. If a packet's translated address on the way back fails to match an existing IPsec flow, from the translated address to the original source address, it will be discarded by the filter. It is best to avoid this situation where possible, though a flow may be explicitly created to work around it.
There are very few of us here who use IPSec. You'll probably get better answers if you post your question to the misc@ mailing list. It's just as raucous as it was six years ago... and sometimes, just as helpful.

Last edited by jggimi; 30th May 2015 at 01:28 AM. Reason: typo
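Added illustration (not part of jggimi's post, nor taken from the enc(4) or pf.conf(5) man pages): a minimal pf.conf fragment showing the two places the same IPsec packet is filtered, state bound to enc0 so the enc0 states stay separate from the ESP states on the real interface, and one speculative route-to rule of the kind the post mentions. Syntax is the OpenBSD 5.7-era form `route-to (interface gateway)` current when the post was written; every interface name, network and gateway address is a placeholder.

```conf
# Added example; interface names, networks and addresses are placeholders.
ext_if     = "em0"            # placeholder: interface carrying ESP
alt_if     = "em1"            # placeholder: link to steer some decrypted traffic out
alt_gw     = "192.0.2.1"      # placeholder: next hop on $alt_if
lan_net    = "10.0.0.0/24"    # placeholder: local side of the tunnel
remote_net = "10.1.0.0/24"    # placeholder: remote side of the tunnel

# First pass: the encapsulated packets on the physical interface.
pass in  on $ext_if proto esp
pass out on $ext_if proto esp

# Second pass: the same packets show up in cleartext on enc0, which is where
# addresses and ports can be filtered. if-bound keeps these states tied to
# enc0 so they never match (or shadow) the ESP states created above.
pass in  on enc0 from $remote_net to $lan_net    keep state (if-bound)
pass out on enc0 from $lan_net    to $remote_net keep state (if-bound)

# The speculative part from the post: after decryption, send traffic for one
# destination out a different link instead of following the routing table.
# Untested, as the post says; the man page caveat about packets being seen
# twice applies, so verify the return path with tcpdump -ni enc0 before relying on it.
pass in on enc0 from $remote_net to 203.0.113.0/24 keep state (if-bound) route-to ($alt_if $alt_gw)
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, and watch both `tcpdump -ni enc0` and `tcpdump -ni $ext_if proto esp` to confirm each packet is seen once encapsulated and once in the clear.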