From: Aristedes Maniatis <ari@ish.com.au>
To: "Bjoern A. Zeeb"
Cc: freebsd-stable
Subject: Re: ipsec routing issue
Date: Fri, 02 Jan 2015 12:47:00 +1100
Message-ID: <54A5F894.7040809@ish.com.au>
In-Reply-To: <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On 2/01/2015 10:46am, Bjoern A. Zeeb wrote:
> Hint: not sure if you are testing from the gateway itself; if you do you might have to use a specific source address (internal) with ping/telnet/etc.
>
> Otherwise, read man setkey on the difference of "use" vs. "require" vs. "unique" for the level in the policy part.

Thanks for your (and Dewayne's) help with this. Hopefully the insights here will be useful for other people getting setkey to work.

What I've discovered so far (in a nutshell) is:

* Ignore the FreeBSD handbook, which talks about gif0. That is wrong for the common use case of integration with a third-party VPN device.
* No routing rules should be required, since 'setkey' does it all.
* Even racoon isn't strictly needed: you can get the whole thing working with just setkey and the 'add' command. But racoon is really the easiest part.
* 'spdadd ... ipsec esp/transport/...' is useful for connecting one IP address at each end.
* 'spdadd ... ipsec esp/tunnel/...' is what you need when creating a VPN tunnel between a network at each end.
* 'unique' is probably what you want when using racoon and a tunnel.
* pf (or probably other firewalls) on the endpoint itself is only needed to allow the esp/isakmp traffic out and in. It has no control over what is inside the tunnel, because it appears that the ipsec tunnel completely bypasses the routing rules and the packet filter rules in FreeBSD. There is an enc interface (needs a kernel recompile) to help with that.

After all this, a large part of my problem is that creating a tunnel between two endpoints doesn't seem to allow traffic from the endpoint itself into the tunnel (despite liberal use of -s and -i to bind traceroute to certain interfaces or IP addresses), so make sure you test from a different device and not the firewall itself to check that you have things working. I still haven't solved how to get traffic from the endpoint machine itself into the tunnel. Maybe I need to create a transport as well as a tunnel?

Other than the helpful Bjoern and Dewayne, another useful resource I found was http://linuxgazette.net/126/pfeiffer.html (a good general explanation of terminology and concepts).

Next I'm going to play with strongswan. It has vastly better documentation [1] than racoon/ipsec-tools, so perhaps it will be easier that way to resolve my remaining routing issue.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples

Thanks
Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
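The setkey policies and pf rules that the summary above describes, written out as an added example (not part of Ari's message, the FreeBSD handbook, or ipsec-tools): all addresses, interface names and network ranges are assumed placeholders from the documentation ranges, the local gateway is 203.0.113.10 with 10.1.0.0/24 behind it, the peer is 198.51.100.20 with 10.2.0.0/24 behind it, and the SAs are assumed to be negotiated by racoon (so no manual 'add' lines with static keys appear here). The last spdadd pair is one guess at covering traffic sourced from the gateway's own outer address, which the message leaves unsolved; it is an assumption, not something the message confirms, and the peer would need a mirrored policy for it to work.

```conf
# --- /etc/ipsec.conf (loaded with: setkey -f /etc/ipsec.conf) ---
# Assumed addresses (documentation ranges, not real hosts):
#   local gateway  203.0.113.10   inner network 10.1.0.0/24
#   remote gateway 198.51.100.20  inner network 10.2.0.0/24
flush;
spdflush;

# Transport mode: protects traffic between the two endpoint addresses
# themselves (e.g. management traffic gateway-to-gateway). 'require'
# means the packets are dropped if no SA exists, rather than sent clear.
spdadd 203.0.113.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.20 203.0.113.10 any -P in  ipsec esp/transport//require;

# Tunnel mode: the site-to-site VPN between the two inner networks.
# The outer src-dst pair selects which gateways encapsulate the packets.
# 'unique' gives this policy its own SA pair (what racoon expects for
# per-tunnel SAs) instead of sharing one with other policies.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/unique;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.20-203.0.113.10/unique;

# ASSUMPTION: SPD lookup matches on the packet's own src/dst, so a packet
# sent from the gateway's outer address to the remote inner network does
# not match the 10.1.0.0/24 policy above. One way to catch it is a second
# tunnel policy with the gateway address as the inner selector; the peer
# must carry the mirror image of this pair or it will drop the traffic.
spdadd 203.0.113.10/32 10.2.0.0/24 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/unique;
spdadd 10.2.0.0/24 203.0.113.10/32 any -P in  ipsec esp/tunnel/198.51.100.20-203.0.113.10/unique;

# --- /etc/pf.conf (fragment) ---
# Only the outer traffic needs pf rules: ESP itself, IKE (udp/500) and
# NAT-T (udp/4500). Decrypted inner traffic is not seen by pf unless the
# enc(4) interface is compiled in and filtered explicitly.
ext_if = "em0"                 # assumed external interface
peer   = "198.51.100.20"       # assumed remote gateway

pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
```

After loading, 'setkey -DP' lists the policies and 'setkey -D' the SAs racoon has negotiated; if the tunnel policy shows but no SA follows the first ping from a host behind the gateway, the problem is in IKE (racoon logs), not in the SPD. Bjoern's hint applies to the test itself: from the gateway, 'ping -S 10.1.0.1 10.2.0.1' (an inner source address) matches the 10.1.0.0/24 policy, whereas a ping with the outer address as source only matches the extra assumed policy at the end.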