From: Aristedes Maniatis <ari@ish.com.au>
To: freebsd-stable@freebsd.org
Subject: ipsec routing issue
Date: Tue, 30 Dec 2014 03:20:03 +1100
Message-ID: <54A17F33.2020708@ish.com.au>
List-Id: Production branch of FreeBSD source code
I am at wits' end trying to get ipsec working correctly on FreeBSD 10.1. I've always used a script or helper (like pfsense) to get it working, and setting it up by hand is much harder than it seems. I've spent two solid days on this and read everything on the internet...

So, I've got racoon working. The tunnel authenticates and comes up just fine. The racoon logs all look good. The other end (Sophos UTM in my case, which is just linux) also shows everything as up.

As I understand it, a gif0 tunnel is not needed at all. It should all just work without one, despite the FreeBSD handbook. But I think I'm missing something about how gif0 ties into enc0, firewall rules and routing. So some questions please:

1. Let's say I'm not using gif0. Should I expect some routes to appear in the FreeBSD routing table? Or do I need to put them there myself? If so, what should I be adding? I've seen things like:

    route add $remote_net/24 $remote_internal_address

   But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?

2. If I am using gif0, do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall, don't I?

3. What does this mean:

    ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff

   Is that mask for the remote end or for the local end?

4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic, or will it always go through?

Thank you for any help!
Ari Maniatis

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A