From: Maxim Filimonov
Subject: Re: ipsec+gre: no luck accessing a jail
Date: Sun, 3 Feb 2019 22:53:30 +0300
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org
Message-Id: <6ECEFDEA-2A77-432E-88E4-8123356C2362@bein.link>
In-Reply-To: <5C573C85.1080101@gmail.com>

If I'm not using GRE or anything, the jail is accessible via the host's hostname/IP address.
If I'm using GRE, but not IPSEC, it's available as well.
If I'm using both, it's still accessible via its IP address, but not through the host's hostname.
It's FreeBSD 11.2-RELEASE with the latest patches.
If I'm not looking at the host nginx, everything else works like a charm.

wbr,
Maxim Filimonov
che@bein.link

> On 3 Feb 2019, at 22:09, Ernie Luzar wrote:
>
> Maxim Filimonov wrote:
>> Hello,
>> I'm having a slight yet annoying trouble with the said technologies.
>> I have a jail:
>> % sudo jls
>> JID  IP Address    Hostname    Path
>> 1    172.16.XX.XX  %hostname%  /usr/home/jail/foo
>> All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
>> % sudo ipfw list
>>
>> 00023 fwd 172.16.XX.XX ip from any to me 80
>> 00024 fwd 172.16.XX.XX ip from any to me 443
>>
>> And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
>> Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error.
> I know it means no one is listening at the GRE interface, but
> nevertheless.
>> The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
>> The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:
>> % cat /usr/local/etc/racoon/setkey.conf
>> flush;
>> spdflush;
>> spdadd /32 /32 gre -P out ipsec esp/transport/-/require;
>> spdadd //32 gre -P in ipsec esp/transport/-/require;
>
> Do you have remote access to your jail web server without GRE/IPSEC being enabled? If not, this would indicate you have an IPFW rules and/or forward rules problem.
>
> What version of FreeBSD are you running?
>
> My understanding is GRE does the same thing as ipsec, more or less.
> Does either one work by itself in your use case?
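An added example, not part of the thread: a small Python checker (written here, not a FreeBSD tool) that parses the spdadd lines of a setkey.conf like the one quoted above and flags incomplete selectors and in/out policies that do not mirror each other, which is the first thing to verify when transport-mode ESP breaks a GRE tunnel. The addresses in the embedded sample are constructed documentation addresses, not the poster's.

```python
import re
from collections import namedtuple

# Shape of the setkey(8) SPD entries quoted in the thread:
#   spdadd SRC[/LEN] DST[/LEN] UPPER -P in|out ipsec PROTO/MODE/SRC-DST/LEVEL;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<policy>[^\s;]+)\s*;\s*$"
)
# IPv4 selector with optional prefix length; enough for the thread's host-to-host policies.
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
SpdEntry = namedtuple("SpdEntry", "src dst upper direction policy")

def parse_spd(text):
    """Parse the spdadd lines of a setkey.conf; flush/spdflush and comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError("unparseable spdadd line: " + line)
        entries.append(SpdEntry(m["src"], m["dst"], m["upper"], m["dir"], m["policy"]))
    return entries

def check_spd(entries):
    """Findings: empty/invalid selectors, and in/out policies that do not mirror each other."""
    findings = []
    for e in entries:
        for label, addr in (("src", e.src), ("dst", e.dst)):
            if not ADDR_RE.match(addr):
                findings.append(f"{e.direction}: invalid {label} selector {addr!r}")
    keys = {d: {(e.src, e.dst, e.upper, e.policy) for e in entries if e.direction == d}
            for d in ("in", "out")}
    for d, other in (("out", "in"), ("in", "out")):
        for src, dst, upper, pol in keys[d]:
            if (dst, src, upper, pol) not in keys[other]:
                findings.append(f"{d}: {src} -> {dst} {upper} has no mirrored {other} policy")
    return findings

# Constructed sample (documentation addresses), not the poster's real setkey.conf.
SAMPLE_OK = """flush;
spdflush;
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/-/require;
spdadd 198.51.100.20/32 192.0.2.10/32 gre -P in ipsec esp/transport/-/require;
"""
# The thread's out policy exactly as quoted (addresses lost in transit): selectors fail validation.
SAMPLE_TRUNCATED = "spdadd /32 /32 gre -P out ipsec esp/transport/-/require;\n"
```

Run `check_spd(parse_spd(open("/usr/local/etc/racoon/setkey.conf").read()))` against a real file; an empty list means the policies are complete and symmetric.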