Date: Mon, 29 Dec 2014 17:23:15 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Aristedes Maniatis <ari@ish.com.au>
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: ipsec routing issue
Message-ID: <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net>
In-Reply-To: <54A17F33.2020708@ish.com.au>
References: <54A17F33.2020708@ish.com.au>
> On 29 Dec 2014, at 16:20, Aristedes Maniatis <ari@ish.com.au> wrote:
>
> I am at wits' end trying to get ipsec working correctly on FreeBSD 10.1. I've always used a script or helper (like pfsense) to get it working, and setting it up by hand is much harder than it seems. I've spent two solid days on this and read everything on the internet...
>
> So, I've got racoon working. The tunnel authenticates and comes up just fine. The racoon logs all look good. The other end (Sophos UTM in my case, which is just linux) also shows everything as up.
>
> As I understand it, a gif0 tunnel is not needed at all. It should all just work without one, despite the FreeBSD handbook. But I think I'm missing something about how gif0 ties into enc0, firewall rules and routing. So some questions please:

If you are trying to set up ipsec tunnel mode between two sites, ignore gif entirely.

> 1. Let's say I'm not using gif0. Should I expect some routes to appear in the FreeBSD routing table? Or do I need to put them there myself? If so, what should I be adding? I've seen things like:
>
> route add $remote_net/24 $remote_internal_address
>
> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?

No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.

> 2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall, don't I?

Yes.

> 3. What does this mean:
>
> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
>
> Is that mask for the remote end or for the local end?

Or just to be there.

> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?

For that you'll need enc(4) to do it properly. Check the man page for settings. You might want to change them off the defaults.

-- 
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
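The two answers above (security policy instead of routes for question 1, enc(4) plus pf rules for question 4) in concrete form. This is an added example, not part of the thread and not the poster's configuration: the addresses, subnets and the WAN interface name are assumed for illustration, and the enc(4) sysctl defaults quoted in the comments are the documented ones for this era of FreeBSD, so check `sysctl net.enc` on the actual release.

```conf
# ---- /etc/ipsec.conf (loaded by setkey -f; ipsec_enable="YES" and
# ipsec_file="/etc/ipsec.conf" in /etc/rc.conf) ----
# Assumed for illustration: this host is 203.0.113.1 with LAN 10.0.1.0/24,
# the remote UTM is 198.51.100.1 with LAN 10.0.2.0/24.
# racoon negotiates the SAs; these policies tell the kernel which traffic
# MUST use them. No route for 10.0.2.0/24 is needed: the SPD selector
# catches the inner packet, and the outer ESP packet to 198.51.100.1 is
# routed like any other traffic (normally via the default route).
flush;        # drops all SAs; fine at boot, disruptive on a live tunnel
spdflush;     # drops all policies before re-adding them
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
# Check afterwards: "setkey -DP" must list exactly these two policies,
# "setkey -D" lists the SAs racoon installed once phase 2 is up.

# ---- /etc/rc.conf: enc(4) must exist in the kernel (device enc) and be up
# before pf can see the cleartext side of the tunnel ----
ifconfig_enc0="up"

# ---- /etc/sysctl.conf: which copy of each packet enc0 hands to pf.
# Bit 0x1 = before IPsec processing, 0x2 = after. With the default of 0x1
# in both directions pf sees outbound packets in the clear (before
# encryption) but inbound packets still encrypted (before decryption), so
# "pass in on enc0" rules on inner addresses never match. 0x2 on input
# shows pf the decrypted inner packet instead. ----
net.enc.in.ipsec_filter_mask=2
net.enc.out.ipsec_filter_mask=1

# ---- /etc/pf.conf excerpt ----
ext_if = "vtnet0"          # assumed WAN interface name
peer   = "198.51.100.1"
# Outer traffic: IKE (UDP 500, plus 4500 if NAT-T is in play) and ESP.
# ipencap (IP proto 4) is only needed when a gif tunnel is carried inside
# IPsec; in plain tunnel mode there is nothing to allow for it.
pass in  on $ext_if proto udp from $peer      to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if)  to $peer     port { 500, 4500 }
pass in  on $ext_if proto esp from $peer      to ($ext_if)
pass out on $ext_if proto esp from ($ext_if)  to $peer
# Inner traffic is only filterable on enc0, so enc0 must NOT be in
# "set skip". "in" rules see the decrypted packet, "out" rules the
# packet that is about to be encrypted.
block in quick on enc0 proto tcp from 10.0.2.0/24 to 10.0.1.0/24 port 22
pass  in  on enc0 from 10.0.2.0/24 to 10.0.1.0/24 keep state
pass  out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 keep state
```

With this in place the gif0 address question (3) does not arise at all: there is no gif interface, the tunnel endpoints live in the `esp/tunnel/A-B` part of the policy, and `tcpdump -i enc0` shows the inner packets in the clear on both directions, which is the quickest way to confirm that the filter masks and the pf rules are looking at what you expect.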