From owner-freebsd-stable@FreeBSD.ORG Thu Jan 1 23:47:23 2015
From: "Bjoern A. Zeeb"
To: Aristedes Maniatis
Cc: freebsd-stable
Subject: Re: ipsec routing issue
Date: Thu, 1 Jan 2015 23:46:41 +0000
Message-Id: <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net>
In-Reply-To: <54A2367D.8030600@ish.com.au>
References: <54A17F33.2020708@ish.com.au> <54A2367D.8030600@ish.com.au>
List-Id: Production branch of FreeBSD source code

> On 30 Dec 2014, at 05:22 , Aristedes Maniatis wrote:
>
> On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>>
>>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis wrote:
>>>
>
>
>>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>>
>> No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.
>

…

> Am I right in saying that I would not get this far if setkey wasn't already correct?
>
>
> But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network except for the remote firewall itself are not sent through the tunnel. I guess I'll need to add a route for those after all.
>
> Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)

Hint: not sure if you are testing from the gateway itself; if you do, you might have to use a specific source address (internal) with ping/telnet/etc.

Otherwise, read man setkey on the difference between "use" vs. "require" vs. "unique" for the level in the policy part.

— 
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
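As an added illustration of the two points in the reply above (the SPD, not the routing table, steers traffic into the tunnel, and the policy level matters), the script below is example code written for this page, not the poster's configuration and not part of the thread. It emits a net-to-net ESP tunnel policy in setkey(8) syntax for /etc/ipsec.conf, covering the whole internal networks rather than only the two gateways, and refuses any level other than the three setkey accepts. All addresses are constructed RFC 5737 documentation values; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates a FreeBSD
# setkey(8) security policy for a net-to-net ESP tunnel.
#
# Constructed sample topology (documentation addresses, not the poster's):
#   local  gateway 192.0.2.1     fronting 10.0.1.0/24
#   remote gateway 198.51.100.1  fronting 10.0.2.0/24
#
# Policy levels, per setkey(8):
#   use     - use an SA if one exists, otherwise send in the clear
#             (fine for testing, dangerous in production: a missing SA
#             silently leaks plaintext instead of failing)
#   require - an SA is required; packets matching the policy are never
#             sent unprotected
#   unique  - like require, and additionally binds the policy to a
#             unique outbound SA (needed when several tunnels share the
#             same selectors/endpoints)

# gen_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW LEVEL
# Prints the outbound and inbound spdadd lines.  The selectors are the
# internal networks, so hosts behind the remote gateway match too, not
# only the remote gateway itself; no route for the remote network is
# needed because the SPD lookup happens before routing decides the
# tunnel endpoint.
gen_spd() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4; level=$5
    case "$level" in
        use|require|unique) ;;
        *)
            echo "gen_spd: level must be use, require or unique (got '$level')" >&2
            return 1
            ;;
    esac
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/%s;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw" "$level"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/%s;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw" "$level"
}

# write_ipsec_conf FILE LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW LEVEL
# Writes a complete ipsec.conf: flush the SAD and SPD first so stale
# entries from an earlier attempt cannot mask a policy error.
write_ipsec_conf() {
    out=$1; shift
    {
        echo 'flush;'
        echo 'spdflush;'
        gen_spd "$@"
    } > "$out"
}

# Stand-alone demonstration when run directly (not executed by tests).
if [ "${0##*/}" = "ipsec_policy_example.sh" ]; then
    write_ipsec_conf /tmp/ipsec.conf.example \
        10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1 require
    cat /tmp/ipsec.conf.example
    # On the gateway, as root, the remaining steps would be:
    #   setkey -f /tmp/ipsec.conf.example   # load the policy
    #   setkey -DP                          # confirm both directions are present
    #   setkey -D                           # confirm racoon negotiated the SAs
    #   ping -S 10.0.1.1 10.0.2.1           # from the gateway, force an internal
    #                                       # source so the packet matches the
    #                                       # 10.0.1.0/24 -> 10.0.2.0/24 selector
fi
```

When testing from the gateway itself, a plain ping to a remote internal host is sourced from the gateway's external address, which does not match a net-to-net selector and therefore never enters the tunnel; `ping -S` with an address inside the local network is what the hint in the reply refers to. Compare `setkey -DP` output against the generated lines to spot a policy that only covers the two gateways.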