From owner-freebsd-stable@FreeBSD.ORG Fri Jan 2 02:19:19 2015
Subject: Re: ipsec routing issue
From: "Bjoern A. Zeeb"
To: Aristedes Maniatis
Cc: freebsd-stable
Date: Fri, 2 Jan 2015 02:18:39 +0000
In-Reply-To: <54A5F894.7040809@ish.com.au>
Message-Id: <14CA1D02-E3B9-4955-8997-8C73930ADBA8@lists.zabbadoz.net>
References: <54A17F33.2020708@ish.com.au> <54A2367D.8030600@ish.com.au> <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net> <54A5F894.7040809@ish.com.au>
List-Id: Production branch of FreeBSD source code

> On 02 Jan 2015, at 01:47 , Aristedes Maniatis wrote:
> 
> On 2/01/2015 10:46am, Bjoern A. Zeeb wrote:
>> Hint: not sure if you are testing from the gateway itself; if you do you might have to use a specific source address (internal) with ping/telnet/etc.
>> 
>> Otherwise, read man setkey on the difference of "use" vs. "require" vs. "unique" for the level in the policy part.
> 
> Thanks for your (and Dewayne's) help with this. Hopefully the insights here will be useful for other people getting setkey to work. What I've discovered so far (in a nutshell) is:
> 
> * ignore the FreeBSD handbook which talks about gif0. That is wrong for the common use-case of integration with a third party VPN device.

yes

> * No routing rules should be required, since 'setkey' does it all

it's not actually setkey; that's just the tool; it's the SPD (security policy database) in the kernel that you populate (or dump) with setkey (or racoon, or other tools) that does it.

> * Even racoon isn't strictly needed: you can get the whole thing working with just setkey and the 'add' command. But racoon is really the easiest part.

You want racoon (or similar) to avoid pre-shared keys.

> * 'spdadd ... ipsec esp/transport/...' is useful for connecting one IP address at each end

Or when building a routable overlay network using a gif tunnel, which so many people do (because the handbook still tells them to, or because they actually need to run a link-state routing protocol).

> * 'spdadd ... ipsec esp/tunnel/...' is what you need when creating a VPN tunnel between a network at each end
> * 'unique' is probably what you want when using racoon and a tunnel

you sure you are good with just unique and not "require"?

> * pf (or probably other firewalls) on the endpoint itself is only needed to allow the esp/isakmp traffic out and in. It has no control over what is inside the tunnel because it appears that the ipsec tunnel completely bypasses the routing rules and the packet filter rules in FreeBSD. There is an enc interface (needs a kernel recompile) to help with that.
> 
> After all this, a large part of my problem is that creating a tunnel between two endpoints doesn't seem to allow traffic from the endpoint itself into the tunnel (despite liberal use of -s and -i to bind traceroute to certain interfaces or IP addresses), so make sure you test from a different device and not the firewall itself to check that you have things working.

traceroute is a bad idea to test with; it relies on ICMP messages that are often not sent by ipsec endpoints if received from a tunnel, as they cannot guarantee that the reply packet would make it back encrypted, thus possibly leaking confidential payload of the original packet.

> I still haven't solved how to get traffic from the endpoint machine itself into the tunnel. Maybe I need to create a transport as well as a tunnel?

No, it should just work, as long as your source and destination addresses are part of the policy; if you want your external interfaces (tunnel endpoints) to also communicate securely, things get indeed more complex, as you'll need to make sure that you don't recurse (try to get your ike and esp traffic caught by a tunnel definition again).

— 
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
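The following setkey.conf is an added illustration of the policies discussed in this thread; it is not from the thread or from the FreeBSD project. It assumes two gateways with constructed addresses from the RFC 5737 documentation ranges (192.0.2.1 and 198.51.100.1) fronting the constructed internal networks 10.0.1.0/24 and 10.0.2.0/24, and it shows a net-to-net tunnel policy next to a transport policy for the gateways' own traffic that keeps IKE out of the policy so the negotiation itself is never caught by it.

```conf
# Added example setkey.conf (not from the thread). Constructed addresses:
#   local gateway   192.0.2.1     internal net 10.0.1.0/24
#   remote gateway  198.51.100.1  internal net 10.0.2.0/24
# Load with:   setkey -f /path/to/this/file
# Verify with: setkey -DP   (dumps the SPD as the kernel actually holds it)

spdflush;   # clear the current SPD (policies)
flush;      # clear the current SAD (existing SAs)

# Net-to-net: tunnel mode. With level "require", traffic between these
# networks is dropped until a matching SA exists; it never goes out in the
# clear. Test this from a host inside 10.0.1.0/24, not from the gateway.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# Gateway-to-gateway: transport mode for the endpoints' own traffic.
# Exempt IKE (UDP/500, and UDP/4500 for NAT traversal) first, so the
# exchange that creates the SAs is never itself required to be protected
# (the "don't recurse" point). "none" means: no IPsec for this selector.
# Assumption: these more specific entries take precedence over the broader
# transport entries below; confirm the loaded order with setkey -DP.
spdadd 192.0.2.1[500]     198.51.100.1[500]  udp -P out none;
spdadd 198.51.100.1[500]  192.0.2.1[500]     udp -P in  none;
spdadd 192.0.2.1[4500]    198.51.100.1[4500] udp -P out none;
spdadd 198.51.100.1[4500] 192.0.2.1[4500]    udp -P in  none;
spdadd 192.0.2.1    198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1    any -P in  ipsec esp/transport//require;

# Levels, per setkey(8): "use" protects traffic when an SA exists but sends
# it in the clear otherwise (fail-open, hence the "require" question above);
# "require" refuses to send without an SA; "unique" is "require" plus a
# dedicated outbound SA bound to this one policy.
```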