From: Mark Felder <feld@FreeBSD.org>
To: Jan Bramkamp, freebsd-hackers@freebsd.org
Subject: Re: IPSEC tunnels
Date: Tue, 12 Apr 2016 10:18:53 -0500
Message-Id: <1460474333.2639392.576501705.398758F2@webmail.messagingengine.com>
In-Reply-To: <570B683B.30409@rlwinm.de>
References: <570B683B.30409@rlwinm.de>
On Mon, Apr 11, 2016, at 04:02, Jan Bramkamp wrote:
> On 10/04/16 22:25, Wojciech Puchar wrote:
> >> dealing with layer 3 so you can't use normal port forwarding for the
> >> tunnel traffic. The key exchange is less problematic. It was a bit of a
> >> headache, and if you can avoid the NAT you will be far better off.
> >
> > If I can avoid NAT I would use available FreeBSD IPSEC tunnel guides :)
>
> A lot of the documentation floating around on FreeBSD and IPsec is
> rather dated and uses racoon for IKEv1 over IPv4 in *tunneling* mode to
> implement a site-to-site VPN.
>
> I recommend that you take a look at strongSwan instead of racoon and use
> it to configure IKEv2 over IPv6 (or IPv4) in *transport* mode to protect
> a GRE tunnel. From the IPsec viewpoint the GRE tunnel is just a payload
> in transport mode. From the viewpoint of the rest of the FreeBSD IP stack it
> is a routeable network (pseudo-)interface. In this setup you can treat
> your IPsec-protected tunnels like any other tunnel interface and use a
> dynamic routing protocol to keep your sites connected in the face of
> failing tunnels. IPsec with IKEv2 can work through a NAT by
> encapsulating the ESP packets in UDP, but it's easier if at least one site
> has a public static IP address.
>
> Which interior gateway protocol (IGP) are you using?

Using GRE and proper tunnel interfaces is the sane way of doing IPSEC. Unfortunately, I've never been able to figure out how to trick pfSense into doing this, so my VPN to my friend's network is the racoon flavor, where it's just *magic* and doesn't show up in the routing tables (and works!) but is inaccessible from my LAN unless I manually add routes to it myself(!).
-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
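The setup Jan describes above (strongSwan IKEv2 in transport mode protecting a GRE tunnel, with the GRE interface then routed like any other link) as an added configuration sketch for one site; it is not part of the original thread, and the outer addresses (RFC 5737 documentation ranges), tunnel addresses, identities, certificate file name and interface name are assumed placeholders.

```conf
# /etc/rc.conf (site A) -- assumed example, not from the thread.
# gre0 is a routeable point-to-point interface; run the IGP (OSPF, etc.)
# over 10.255.0.0/30 so a failed tunnel is withdrawn from the routing table.
cloned_interfaces="gre0"
ifconfig_gre0="inet 10.255.0.1 10.255.0.2 netmask 255.255.255.252 tunnel 192.0.2.1 198.51.100.1 up"
strongswan_enable="YES"

# /usr/local/etc/swanctl/swanctl.conf (site A)
connections {
    site-b {
        version = 2                    # IKEv2 only, no IKEv1 fallback
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        proposals = aes128gcm16-prfsha256-x25519
        local {
            auth  = pubkey
            certs = siteA.pem          # placed under /usr/local/etc/swanctl/x509/
            id    = sitea.example.net
        }
        remote {
            auth = pubkey
            id   = siteb.example.net
        }
        children {
            gre {
                mode = transport       # ESP wraps only the GRE packets
                # Traffic selectors restricted to protocol GRE between the
                # two tunnel endpoints; nothing else is pulled into IPsec.
                local_ts  = 192.0.2.1[gre]
                remote_ts = 198.51.100.1[gre]
                esp_proposals = aes128gcm16-x25519
                start_action = trap    # outbound GRE triggers IKE; inbound
                                       # GRE not carried in ESP is discarded
                                       # by the kernel SPD
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}
```

After `swanctl --load-all`, `setkey -DP` should list the two transport-mode GRE policies, and `tcpdump -ni <outer interface> proto gre` on the outer interface should stay silent while `proto esp` carries the traffic.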