[test15 src]# netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            87.250.242.158     UGS         ix0
87.250.242.128/27  link#1             U           ix0
87.250.242.145     link#1             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.0.145      link#4             UH          lo0
[test15 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test15 src]# kldstat
Id Refs Address            Size     Name
 1   17 0xffffffff80200000 1a6e3d0  kernel
 2    1 0xffffffff81c70000 2f4e90   zfs.ko
 3    2 0xffffffff81f65000 ac78     opensolaris.ko
 4    1 0xffffffff82011000 3625     ums.ko
 5    1 0xffffffff82015000 31df     cpuctl.ko
 6    1 0xffffffff82019000 1a98     if_ipsec.ko
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
No SPD entries.
[test15 src]# ifconfig ipsec0 create
[test15 src]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144
[test15 src]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 src]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 87.250.242.145 --> 87.250.242.144
        inet 10.0.0.145 --> 10.0.0.144 netmask 0xffffffff
        inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x5
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        reqid: 16388
        groups: ipsec
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
        spid=13 seq=3 pid=1418
        refcnt=1
::/0[any] ::/0[any] any
        in ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
        spid=15 seq=2 pid=1418
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
        spid=14 seq=1 pid=1418
        refcnt=1
::/0[any] ::/0[any] any
        out ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
        spid=16 seq=0 pid=1418
        refcnt=1
[test15 src]# setkey -DPF
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
        spid=13 seq=3 pid=1420
        refcnt=1
::/0[any] ::/0[any] any
        in ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
        spid=15 seq=2 pid=1420
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
        spid=14 seq=1 pid=1420
        refcnt=1
::/0[any] ::/0[any] any
        out ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
        spid=16 seq=0 pid=1420
        refcnt=1
[test15 src]# racoon
-----------
[test25 src]# netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            87.250.242.158     UGS        igb0
87.250.242.128/27  link#1             U          igb0
87.250.242.144     link#1             UHS         lo0
127.0.0.1          link#6             UH          lo0
172.16.0.145       link#6             UH          lo0
[test25 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test25 src]# kldstat
Id Refs Address            Size     Name
 1   20 0xffffffff80200000 1a6e3d0  kernel
 2    1 0xffffffff81c70000 2f4e90   zfs.ko
 3    2 0xffffffff81f65000 ac78     opensolaris.ko
 4    1 0xffffffff82011000 3625     ums.ko
 5    1 0xffffffff82015000 2b8e     uhid.ko
 6    1 0xffffffff82018000 31df     cpuctl.ko
 7    1 0xffffffff8201c000 1a98     if_ipsec.ko
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
No SPD entries.
[test25 src]# ifconfig ipsec0 create
[test25 src]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145
[test25 src]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 src]# route add 192.168.0.0/24 10.0.0.145
add net 192.168.0.0: gateway 10.0.0.145 fib 0
[test25 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 87.250.242.144 --> 87.250.242.145
        inet 10.0.0.144 --> 10.0.0.145 netmask 0xffffffff
        inet6 fe80::225:90ff:fe92:8548%ipsec0 prefixlen 64 scopeid 0x7
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        reqid: 16386
        groups: ipsec
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
        spid=5 seq=3 pid=1404
        refcnt=1
::/0[any] ::/0[any] any
        in ipsec
        esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
        spid=7 seq=2 pid=1404
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
        spid=6 seq=1 pid=1404
        refcnt=1
::/0[any] ::/0[any] any
        out ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
        spid=8 seq=0 pid=1404
        refcnt=1
[test25 src]# racoon
-------------
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes

--- 10.0.0.144 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.506 ms

--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.506/0.506/0.506/0.000 ms
[test15 src]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.423 ms

--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.423/0.423/0.423/0.000 ms
--------------
[test15 butcher]# tcpdump -ni ix0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:48.830044 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x1), length 132
17:13:48.830388 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x1), length 132
17:16:11.563357 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x3), length 132
17:16:11.563623 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x2), length 132
--------------
[test15 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
17:13:22.880665 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40197, seq 0, length 64
17:13:48.829976 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40709, seq 0, length 64
17:13:48.830421 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 40709, seq 0, length 64
17:16:11.563292 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 42501, seq 0, length 64
17:16:11.563647 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 42501, seq 0, length 64
---------------
[test15 src]# setkey -D
87.250.242.145 87.250.242.144
        esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
        E: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
        A: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
        diff: 111(s) hard: 28800(s) soft: 23040(s)
        last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
        current: 152(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 1 hard: 0 soft: 0
        sadb_seq=1 pid=1443 refcnt=1
87.250.242.144 87.250.242.145
        esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
        E: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
        A: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
        diff: 111(s) hard: 28800(s) soft: 23040(s)
        last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
        current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 1 hard: 0 soft: 0
        sadb_seq=0 pid=1443 refcnt=1
-----------