From: "Maxim Filimonov"
To: freebsd-questions@freebsd.org
Date: Fri, 01 Feb 2019 23:00:30 +0000
Subject: ipsec+gre: no luck accessing a jail
Hello,

I'm having a slight yet annoying trouble with the said technologies.
I have a jail:

% sudo jls
 JID  IP Address    Hostname    Path
   1  172.16.XX.XX  %hostname%  /usr/home/jail/foo

All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:

% sudo ipfw list

00023 fwd 172.16.XX.XX ip from any to me 80
00024 fwd 172.16.XX.XX ip from any to me 443

And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error. I know it means no one is listening at the GRE interface, but nevertheless.
The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname, which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.

The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration.
Here's my setkey.conf:

% cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;

spdadd /32 /32 gre -P out ipsec esp/transport/-/require;
spdadd //32 gre -P in ipsec esp/transport/-/require;

-----
wbr, Maxim V Filimonov
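As an added example that is not from the poster's message or from FreeBSD, a small Python linter for the kind of setkey(8) SPD entries shown above: it parses each spdadd line, rejects entries whose address is missing in front of the /32 (as in the config as posted), and checks that every GRE policy has its mirror in the opposite direction, since an asymmetric policy is a common way to end up with one direction of the tunnel passing in the clear or being dropped by the peer. The sample configs and their documentation-range addresses are constructed.

```python
import ipaddress
import re

# One setkey(8) SPD entry in the shape used in the post:
#   spdadd SRC/PLEN DST/PLEN PROTO -P DIR ipsec POLICY;
SPDADD_RE = re.compile(r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
                       r"\s+-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<policy>\S+);$")
# Constructed samples with documentation-range addresses (not the poster's).
GOOD_CONF = """flush;
spdflush;
spdadd 192.0.2.1/32 198.51.100.7/32 gre -P out ipsec esp/transport/-/require;
spdadd 198.51.100.7/32 192.0.2.1/32 gre -P in ipsec esp/transport/-/require;
"""
# Same shape as the post's config, with the addresses missing in front of /32.
MISSING_ADDR_CONF = "spdadd /32 /32 gre -P out ipsec esp/transport/-/require;\n"

def parse_spd(text):
    entries = []  # one dict per spdadd line; flush;, spdflush;, blank and # lines are skipped
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in ("flush;", "spdflush;"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError("unparseable SPD line: %r" % line)
        entries.append(m.groupdict())
    return entries

def lint_gre_spd(text):
    """List problems in a setkey.conf meant to protect GRE between two endpoints."""
    try:
        entries = parse_spd(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    for e in entries:
        for key in ("src", "dst"):
            try:
                ipaddress.ip_network(e[key], strict=False)  # rejects a bare "/32"
            except ValueError:
                problems.append("bad %s address %r in %s policy" % (key, e[key], e["dir"]))
    gre = [e for e in entries if e["proto"] == "gre"]
    if not gre:
        problems.append("no SPD entry for protocol gre")
    for e in gre:  # each direction needs its mirror with src/dst swapped
        mirror = [o for o in gre if o["dir"] != e["dir"]
                  and o["src"] == e["dst"] and o["dst"] == e["src"]]
        if not mirror:
            problems.append("%s policy %s -> %s has no mirror" % (e["dir"], e["src"], e["dst"]))
    return problems
```

Run lint_gre_spd() on the file before loading it with setkey -f; an empty list means the SPD pair is well-formed and symmetric.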