From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-hackers@freebsd.org
Subject: Re: IPSEC tunnels
Date: Mon, 11 Apr 2016 11:02:51 +0200
Message-ID: <570B683B.30409@rlwinm.de>
List-Id: Technical Discussions relating to FreeBSD

On 10/04/16 22:25, Wojciech Puchar wrote:
>> dealing with layer 3 so you can't use normal port forwarding for the tunnel
>> traffic. The key exchange is less problematic. It was a bit of a headache,
>> and if you can avoid the NAT you will be far better off.
>
> If I can avoid NAT I would use available FreeBSD IPSEC tunnel guides :)

A lot of the documentation floating around on FreeBSD and IPsec is rather dated and uses racoon for IKEv1 over IPv4 in *tunneling* mode to implement a site-to-site VPN. I recommend that you take a look at strongSwan instead of racoon and use it to configure IKEv2 over IPv6 (or IPv4) in *transport* mode to protect a GRE tunnel. From the IPsec viewpoint the GRE tunnel is just a payload in transport mode. From the viewpoint of the rest of the FreeBSD IP stack it is a routable network (pseudo-)interface. In this setup you can treat your IPsec-protected tunnels like any other tunnel interface and use a dynamic routing protocol to keep your sites connected in the face of failing tunnels.

IPsec with IKEv2 can work through a NAT by encapsulating the ESP packets in UDP, but it's easier if at least one site has a public static IP address.

Which interior gateway protocol (IGP) are you using?
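The setup described in the reply above (a GRE pseudo-interface whose outer packets are protected by IKEv2/ESP in transport mode, so that the child SA only ever covers IP protocol 47 between the two endpoints and all other routing decisions stay with the kernel) can be written down as configuration. The following POSIX shell script is an added example, not code from this thread, from FreeBSD or from the strongSwan project; it prints the ifconfig(8) commands for the gre(4) interface and a swanctl.conf `connections` section for strongSwan 5.x. Every address (2001:db8:1::1, 2001:db8:2::1, 10.255.0.0/30), identity and certificate file name is a constructed placeholder, and the gre(4) tunnel with IPv6 outer addresses assumes a FreeBSD release whose gre(4) supports inet6 tunnel endpoints.

```shell
#!/bin/sh
# Added example: generate the FreeBSD + strongSwan configuration for a GRE
# tunnel protected by IKEv2 ESP in transport mode. All values passed in are
# constructed placeholders; nothing here is applied to the running system.

# gre_commands LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER
# Prints the ifconfig(8) commands that create the point-to-point GRE
# pseudo-interface. The outer addresses are the IPsec endpoints; the inner
# /30 is what a dynamic routing daemon later peers over.
gre_commands() {
    cat <<EOF
ifconfig gre0 create
ifconfig gre0 tunnel $1 $2
ifconfig gre0 inet $3 $4 netmask 255.255.255.252
ifconfig gre0 up
EOF
}

# swanctl_conf LOCAL_OUTER REMOTE_OUTER LOCAL_ID REMOTE_ID LOCAL_CERT
# Prints a swanctl.conf 'connections' section. mode = transport keeps the
# original IP header, and the traffic selector dynamic[gre] restricts the
# child SA to GRE (IP protocol 47) between the two outer addresses, so the
# policy cannot silently turn into a second, tunnel-mode site-to-site VPN.
# Certificates are assumed to live in /usr/local/etc/swanctl/x509.
swanctl_conf() {
    cat <<EOF
connections {
    gre {
        version = 2
        local_addrs = $1
        remote_addrs = $2
        proposals = aes256gcm16-prfsha384-x25519
        local {
            auth = pubkey
            id = $3
            certs = $5
        }
        remote {
            auth = pubkey
            id = $4
        }
        children {
            gre {
                mode = transport
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action = restart
            }
        }
    }
}
EOF
}

# check_transport CONFIG_TEXT
# Returns 0 only when the generated policy is transport mode and both traffic
# selectors are pinned to GRE; returns 1 otherwise. Useful as a guard before
# copying the file into place.
check_transport() {
    printf '%s\n' "$1" | grep -q 'mode = transport' || return 1
    printf '%s\n' "$1" | grep -q 'local_ts = dynamic\[gre\]' || return 1
    printf '%s\n' "$1" | grep -q 'remote_ts = dynamic\[gre\]' || return 1
    return 0
}

# Usage: sh gre-ipsec.sh LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER \
#                        LOCAL_ID REMOTE_ID LOCAL_CERT
# Example (constructed values):
#   sh gre-ipsec.sh 2001:db8:1::1 2001:db8:2::1 10.255.0.1 10.255.0.2 \
#                   sitea.example.net siteb.example.net site-a.pem
if [ $# -eq 7 ]; then
    gre_commands "$1" "$2" "$3" "$4"
    echo
    swanctl_conf "$1" "$2" "$5" "$6" "$7"
fi
```

The mirror-image configuration on the other site swaps the local and remote values. If one side sits behind a NAT, strongSwan's `encap = yes` connection option forces the UDP encapsulation of ESP that the reply mentions; without a NAT, leaving it unset lets IKEv2's NAT detection decide.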