Date: Sat, 26 Dec 2015 21:24:34 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Subject: ipsec tunnel and vnet jails: routing, howto?
Message-ID: <E105CD2A-042C-42E6-9AD0-A24C22F6C37E@ellael.org>
Hi,

I am currently stuck, somehow, and I do need your input. Thus, let me explain what I do want to achieve:

I do have two servers connected via an ipsec/tunnel ...

    [A] dead:beef:1234:abcd::1 <-> dead:feed:abcd:1234::1 [B]

... which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.

That did run perfectly well during the last years until I decided to give VNET jails a try. Previously, some of my old fashioned jails got an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/re-directing or alike being necessary. Now, after having moved those jails to VNET jails (having those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.

From my point of view and understanding this must have to do with a lack of proper routing, but I am not sure if that is correct, thus my questions to the experts:

1) Is my assumption correct, that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic into its final destination (yes, I do have pf rules to allow for esp traffic to pass my outer internet facing interface)?

2) If that is true, racoon has to decide where to deliver those packets, finally?

3) If that is true, I do have an issue with routing that *cannot* be solved by pf firewall rules, right?

4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?

5) Do I need to look for a completely different approach?

Every hint is highly welcome.

Thanks in advance and with kind regards,
Michael
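The routing hypothesis raised in the question, worked through as an added example (this is not code from the thread or from FreeBSD): a longest-prefix lookup over a constructed host routing table shows on which interface a packet for the jail address would be delivered once the host has decrypted it. The interface names em0 and epair0a, the table contents and the /128 host route toward the epair are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, gateway or None when on-link, outgoing interface)
Route = Tuple[str, Optional[str], str]

# Constructed routing table of server [A] after the jail address moved into a
# VNET jail: the host still owns the on-link /64, but the jail's address now
# lives on epair0b inside the jail, which is a different link (assumed names).
ROUTES_VNET: List[Route] = [
    ("::/0", "fe80::1%em0", "em0"),              # default route to the uplink
    ("dead:beef:1234:abcd::/64", None, "em0"),   # the host's own on-link prefix
]

# Same table plus an assumed host route for the jail address via the host-side
# epair, which is one way to make the lookup pick the jail's link.
ROUTES_VNET_FIXED: List[Route] = ROUTES_VNET + [
    ("dead:beef:1234:abcd:1:2::3/128", None, "epair0a"),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does for a packet
    it re-injects after ESP decapsulation. Returns None if nothing matches."""
    addr = ipaddress.IPv6Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, gateway, iface in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gateway, iface), net.prefixlen
    return best


def delivery_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Interface on which the decrypted packet would be sent out (or resolved via NDP)."""
    route = lookup(routes, dst)
    return route[2] if route else None


if __name__ == "__main__":
    jail = "dead:beef:1234:abcd:1:2::3"
    # Without a more specific route the packet is resolved on em0, where the
    # jail's epair0b does not answer; with the /128 it is handed to epair0a.
    print("without host route:", delivery_interface(ROUTES_VNET, jail))
    print("with host route:   ", delivery_interface(ROUTES_VNET_FIXED, jail))
```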