Message-ID: <5C573C85.1080101@gmail.com>
Date: Sun, 03 Feb 2019 14:09:57 -0500
From: Ernie Luzar
To: Maxim Filimonov
CC: freebsd-questions@freebsd.org
Subject: Re: ipsec+gre: no luck accessing a jail

Maxim Filimonov wrote:
> Hello,
>
> I'm having a slight yet annoying trouble with the said technologies.
> I have a jail:
>
> % sudo jls
>    JID  IP Address      Hostname      Path
>      1  172.16.XX.XX    %hostname%    /usr/home/jail/foo
>
> All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
>
> % sudo ipfw list
> 00023 fwd 172.16.XX.XX ip from any to me 80
> 00024 fwd 172.16.XX.XX ip from any to me 443
>
> And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
> Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error.
>
> I know it means no one is listening at the GRE interface, but nevertheless.
> The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname, which points to the box, not the jail).
> When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
>
> The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration.
> Here's my setkey.conf:
>
> % cat /usr/local/etc/racoon/setkey.conf
> flush;
> spdflush;
>
> spdadd /32 /32 gre -P out ipsec esp/transport/-/require;
> spdadd //32 gre -P in ipsec esp/transport/-/require;
>

Do you have remote access to your jail web server without GRE/IPSEC being enabled? If not, this would indicate you have an IPFW rules and/or forward rules problem.

What version of FreeBSD are you running?

My understanding is GRE does the same thing as ipsec, more or less. Does either one work by itself in your use case?
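The setkey.conf quoted above consists of a pair of `spdadd` policies that must mirror each other (src/dst swapped, `out` against `in`, same `gre` selector, same protocol and mode), otherwise one direction of the tunnel either leaves in the clear or is dropped as not matching policy. The following checker is an added example, not code from the thread or from FreeBSD; it assumes the setkey(8) `spdadd` syntax shown above, and the sample configuration embedded in it is constructed with RFC 5737 documentation addresses rather than the poster's real endpoints.

```python
import re
from typing import List, NamedTuple

# Constructed setkey.conf in the shape of the one quoted in the thread;
# the endpoint addresses are documentation addresses, not the poster's.
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;

spdadd 192.0.2.1/32 198.51.100.1/32 gre -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 gre -P in ipsec esp/transport//require;
"""

class Policy(NamedTuple):
    src: str
    dst: str
    upper: str      # upper-layer selector, e.g. "gre" or "any"
    direction: str  # "in" or "out"
    proto: str      # "esp" or "ah"
    mode: str       # "transport" or "tunnel"
    level: str      # "require", "use" or "default"

# spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/<mode>/<endpoints>/<level>;
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/([^/]*)/(\w+)\s*;$")

def parse_spd(text: str) -> List[Policy]:
    """Parse the spdadd lines of a setkey.conf; other directives are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed spdadd line: {line}")
        src, dst, upper, direction, proto, mode, _endpoints, level = m.groups()
        policies.append(Policy(src, dst, upper, direction, proto, mode, level))
    return policies

def check_spd_pairs(policies: List[Policy]) -> List[str]:
    """Report each 'require' policy with no mirror (src/dst swapped, in/out flipped)."""
    index = {(p.src, p.dst, p.upper, p.direction, p.proto, p.mode) for p in policies}
    problems = []
    for p in policies:
        other = "in" if p.direction == "out" else "out"
        mirror = (p.dst, p.src, p.upper, other, p.proto, p.mode)
        if p.level == "require" and mirror not in index:
            problems.append(f"{p.direction} policy {p.src}->{p.dst} {p.upper} "
                            f"has no matching {other} policy")
    return problems
```

Running `check_spd_pairs(parse_spd(open("/usr/local/etc/racoon/setkey.conf").read()))` on the live file lists every one-sided policy; an empty list means the SPD itself is symmetric and the fault lies elsewhere (ipfw, routing, or the GRE interface).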