From owner-freebsd-net@freebsd.org Sun Dec 27 15:03:03 2015
Subject: Re: ipsec tunnel and vnet jails: routing, howto?
To: Michael Grimm, freebsd-jail@freebsd.org, freebsd-net@freebsd.org
From: Julian Elischer
Message-ID: <567FFD92.2050909@freebsd.org>
Date: Sun, 27 Dec 2015 23:02:42 +0800
List-Id: Networking and TCP/IP with FreeBSD

On 27/12/2015 4:24 AM, Michael Grimm wrote:
> Hi,
>
> I am currently stuck, somehow, and I do need your input. Thus, let me explain what I do want to achieve:
>
> I do have two servers connected via an ipsec/tunnel ...
> [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
>
> … which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.
>
> That did run perfectly well during the last years until I decided to give VNET jails a try. Previously, some of my old-fashioned jails got an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/re-directing or alike necessary. Now, after having moved those jails to VNET jails (having those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.
>
> From my point of view and understanding this must have to do with a lack of proper routing, but I am not sure if that is correct, thus my questions to the experts:
>
> 1) Is my assumption correct that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic into its final destination (yes, I do have pf rules to allow esp traffic to pass my outer internet-facing interface)?
>
> 2) If that is true, racoon has to decide where to deliver those packets, finally?
>
> 3) If that is true, I do have an issue with routing that *cannot* be solved by pf firewall rules, right?
>
> 4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?
>
> 5) Do I need to look for a completely different approach? Every hint is highly welcome.

Basically you have to treat the jails as if they are totally separate machines that are reached through the VPN endpoints instead of being the endpoints themselves. This will require a different setup. For example, your tunnel will need to be exactly that, a tunnel, and not just an encapsulation. And you will need full routing information for the other end at each end.
>
> Thanks in advance and with kind regards,
> Michael
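As an added illustration of the routed setup described in the reply (this is not code from the thread, from racoon or from FreeBSD itself), the script below emits the commands for site [A]. It assumes a gif(4) tunnel between the two endpoints that the existing ESP policy already protects, inner tunnel addresses fd00:1::a and fd00:1::b, and epair0 as the jail's interface; all of these are assumed values.

```sh
#!/bin/sh
# Added example, not code from the thread. It emits the FreeBSD commands
# that turn the IPsec link into a routed tunnel: a gif(4) interface between
# the two endpoints (assumed to be covered by the existing ESP policy), a
# route for the remote /64 via the tunnel, and a host route per VNET jail so
# decrypted packets are forwarded to the right epair instead of being treated
# as local. DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# plan_site LOCAL_EP REMOTE_EP REMOTE_PREFIX TUN_LOCAL TUN_REMOTE
# TUN_LOCAL/TUN_REMOTE are the inner tunnel addresses (assumed values).
plan_site() {
    local_ep=$1; remote_ep=$2; remote_pfx=$3; tun_local=$4; tun_remote=$5
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$local_ep" "$remote_ep"
    run ifconfig gif0 inet6 "$tun_local" "$tun_remote" prefixlen 128
    # The remote site is a separate network reached through the far endpoint.
    run route -6 add -net "$remote_pfx" "$tun_remote"
    # The host must forward between gif0 and the jail epairs.
    run sysctl net.inet6.ip6.forwarding=1
}

# plan_jail EPAIR JAIL_ADDR
# The jail address lies inside the host's own /64 but on another link, so
# the host needs a /128 route pointing at the host side of the epair.
plan_jail() {
    pair=$1; jail_addr=$2
    run route -6 add -host "$jail_addr" -iface "${pair}a"
}

# Site A from the thread, with jail dead:beef:1234:abcd:1:2::3 on epair0b.
plan_site dead:beef:1234:abcd::1 dead:feed:abcd:1234::1 \
          dead:feed:abcd:1234::/64 fd00:1::a fd00:1::b
plan_jail epair0 dead:beef:1234:abcd:1:2::3
```

Site [B] gets the mirror image (its own endpoint first, dead:beef:1234:abcd::/64 as the remote prefix), and inside each jail the default route has to point at the host's epair address so return traffic reaches gif0.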