From owner-freebsd-stable@FreeBSD.ORG Tue Dec 30 00:31:31 2014
Message-ID: <54A1ED2F.2070305@heuristicsystems.com.au>
Date: Tue, 30 Dec 2014 11:09:19 +1100
From: Dewayne Geraghty
To: ari@ish.com.au
Cc: freebsd-stable@freebsd.org
Subject: Re: ipsec routing issue
References: <54A17F33.2020708@ish.com.au>
List-Id: Production branch of FreeBSD source code

Ari,

Bjoern offers good advice (as usual). This practical example might help, taken from two devices connected to the internet - some numbers and "keys" have obviously been changed to protect the sites concerned.

# /etc/ipsec.conf - you should be able to cut/paste and substitute your numbers in this "template"
# Host-to-host traffic between the two public addresses: ESP in transport mode
spdadd 101.48.55.78/32[any] 110.92.114.99/32[any] any -P in ipsec esp/transport/101.48.55.78-110.92.114.99/require;
spdadd 110.92.114.99/32[any] 101.48.55.78/32[any] any -P out ipsec esp/transport/110.92.114.99-101.48.55.78/require;
# Traffic between the private networks behind each device: ESP in tunnel mode, same outer addresses
spdadd 10.192.0.0/16[any] 10.168.0.0/16[any] any -P in ipsec esp/tunnel/101.48.55.78-110.92.114.99/require;
spdadd 10.168.0.0/16[any] 10.192.0.0/16[any] any -P out ipsec esp/tunnel/110.92.114.99-101.48.55.78/require;
# These remain the same on the two end-points
# (manual keying: rijndael-cbc accepts only 16-, 24- or 32-byte keys; these 24-character placeholders are 192 bits)
add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc "from_here_to_there12345*";
add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc "from_there_to_here12345&";

There is no need to add or change routing nor complicate life with gif. Though you may need to adjust your firewall rules to

ipfw add allow esp from 101.48.55.78 to 110.92.114.99 via $internet_interface
ipfw add allow esp from 110.92.114.99 to 101.48.55.78 via $internet_interface

And it should be noted that when you use enc, you will need to "ifconfig enc0 up", otherwise it's mute.

For dynamic addresses, like iPhones (IKEv1) or Windows (IKEv2) notebooks, I've found strongswan the tool of choice if you must use the client's native IPsec mechanism. But it is hard to set up, and UDP fragmentation may be an issue (as we found because we have large certificates).

Merry Christmas,
Dewayne.