From: "Bjoern A. Zeeb"
To: Aristedes Maniatis
Cc: freebsd-stable
Subject: Re: ipsec routing issue
Date: Mon, 29 Dec 2014 17:23:15 +0000
In-Reply-To: <54A17F33.2020708@ish.com.au>

> On 29 Dec 2014, at 16:20 , Aristedes Maniatis wrote:
>
> I am at wit's end trying to get ipsec working correctly on FreeBSD 10.1. I've always used a script or helper (like pfsense) to get it working, and setting it up by hand is much harder than it seems. I've spent two solid days on this and read everything on the internet...
>
> So, I've got racoon working. The tunnel authenticates and comes up just fine. The racoon logs all look good. The other end (Sophos UTM in my case, which is just linux) also shows everything as up.
>
> As I understand it, a gif0 tunnel is not needed at all. It should all just work without one, despite the FreeBSD handbook. But I think I'm missing something about how gif0 ties into enc0, firewall rules and routing. So some questions please:

If you are trying to set up ipsec tunnel mode between two sites, ignore gif entirely.

> 1. Let's say I'm not using gif0. Should I expect some routes to appear in the FreeBSD routing table? Or do I need to put them there myself? If so, what should I be adding? I've seen things like:
>
> route add $remote_net/24 $remote_internal_address
>
> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?

No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.

> 2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall don't I?

Yes.

> 3. What does this mean:
>
> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
>
> Is that mask for the remote end or for the local end?

Or just to be there.

> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?

For that you'll need enc(4) to do it properly. Check the man page for settings. You might want to change them off the defaults.

— 
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
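As an added example, not part of the thread, this shows what "no routes involved, your security policy deals with this" and "setkey -DP is your friend" look like in practice: the two spdadd lines that go into ipsec.conf for a gif-less tunnel, and a check that a setkey -DP dump carries the tunnel policy in both directions. The subnets, gateway addresses and the sample dump are constructed for illustration, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread: tunnel-mode IPsec between two sites
# without gif(4). All addresses are constructed documentation ranges.
LOCAL_NET=192.168.0.0/24    # subnet behind this FreeBSD box
REMOTE_NET=192.168.1.0/24   # subnet behind the peer (the Sophos UTM)
LOCAL_GW=203.0.113.1        # our public address
REMOTE_GW=198.51.100.1      # peer public address

# Emit the two spdadd lines for ipsec.conf (loaded with setkey -f). One policy
# per direction; no route entry is involved, the SPD match selects the SA.
gen_spd() {
  printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
  printf 'spdadd %s %s any -P in  ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# Check a `setkey -DP` dump for one tunnel-mode policy.
# $1 dump text, $2 src net, $3 dst net, $4 in|out, $5 outer src, $6 outer dst
spd_has_policy() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" -v tun="$5-$6" '
    $1 ~ /\[/ { sel = $1 " " $2; indir = 0; next }       # selector line: src[port] dst[port]
    $1 == dir && $2 == "ipsec" { indir = (sel == src "[any] " dst "[any]"); next }
    indir && $1 ~ ("^esp/tunnel/" tun "/") { found = 1 }  # protocol/mode/outer addrs/level
    END { exit found ? 0 : 1 }'
}

# Constructed `setkey -DP` output matching gen_spd above (not from the thread).
SAMPLE_SPD='192.168.0.0/24[any] 192.168.1.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require
    spid=1 seq=1 pid=1234
    refcnt=1
192.168.1.0/24[any] 192.168.0.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require
    spid=2 seq=0 pid=1234
    refcnt=1'

# With both directions present, traffic for REMOTE_NET is tunnelled without any
# route. Filtering the cleartext then belongs on enc0 in pf; enc(4) documents the
# net.enc.*.ipsec_filter_mask sysctls that decide which side of the crypto pf sees.
spd_has_policy "$SAMPLE_SPD" "$LOCAL_NET" "$REMOTE_NET" out "$LOCAL_GW" "$REMOTE_GW" \
  && spd_has_policy "$SAMPLE_SPD" "$REMOTE_NET" "$LOCAL_NET" in "$REMOTE_GW" "$LOCAL_GW" \
  && echo "SPD has both tunnel policies"
```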