From: Michael Grimm
Subject: ipsec tunnel and vnet jails: routing, howto?
Date: Sat, 26 Dec 2015 21:24:34 +0100
To: freebsd-jail@freebsd.org, freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I am currently stuck, somehow, and I do need your input. Thus, let me explain what I want to achieve:

I have two servers connected via an IPsec tunnel ...

    [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]

... which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.

That ran perfectly well during the last years, until I decided to give VNET jails a try. Previously, some of my old-fashioned jails had an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/redirecting or the like being necessary. Now, after having moved those jails to VNET jails (with those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.

From my point of view and understanding, this must have to do with a lack of proper routing, but I am not sure whether that is correct, thus my questions to the experts:

1) Is my assumption correct that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic to its final destination (yes, I do have pf rules to allow ESP traffic to pass my outer, internet-facing interface)?

2) If that is true, racoon has to decide where to deliver those packets, finally?

3) If that is true, I have an issue with routing that *cannot* be solved by pf firewall rules, right?

4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?

5) Do I need to look for a completely different approach?

Every hint is highly welcome.

Thanks in advance and with kind regards,
Michael
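The following is an added example, not part of Michael's message and not FreeBSD code. It models the forwarding decision the host kernel makes for a packet that has just been decrypted out of the ESP tunnel: the inner packet re-enters the normal IPv6 input path and gets an ordinary longest-prefix-match route lookup (the IKE daemon, racoon, only negotiates keys and never handles data packets). The model contrasts a classic jail, whose address is an alias the host stack owns, with a VNET jail, whose address lives on epairXXb inside a separate network stack so the host only sees the epairXXa side. The interface names (em0, epair0a), the /128 host route via epair0a used as the candidate fix, and the "classic jail address is local to the host" layout are assumptions for the illustration; the prefixes and addresses are the ones from the post.

```python
"""Added example (not from the original post or from FreeBSD): a model of the
host's IPv6 forwarding decision, to show why an address that was reachable on
a classic jail can become unreachable once it moves into a VNET jail.

After ESP decapsulation the kernel hands the inner packet back to the normal
IPv6 input path and does an ordinary longest-prefix-match route lookup.
Interface names (em0, epair0a), the /128 host route used as the candidate fix
and the "host sees the jail address as local" modelling of classic jails are
assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SITE_PREFIX = ipaddress.IPv6Network("dead:beef:1234:abcd::/64")  # from the post
HOST_A = "dead:beef:1234:abcd::1"                                  # from the post
JAIL_ADDR = "dead:beef:1234:abcd:1:2::3"                           # from the post


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    iface: str
    local: bool = False  # True: the address is configured on the host stack itself


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does for an inner packet."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def deliver(table: List[Route], dst: str, ip6_forwarding: bool) -> str:
    """Describe what the host does with a decrypted packet destined for dst."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable: no route"
    if r.local:
        return f"local delivery on {r.iface}"
    if not ip6_forwarding:
        # A non-local destination is only forwarded if net.inet6.ip6.forwarding=1.
        return f"dropped: route via {r.iface} but net.inet6.ip6.forwarding=0"
    return f"forward via {r.iface}"


def classic_jail_table() -> List[Route]:
    # Classic jail: the jail address is an alias on a host interface, so the
    # host stack owns it and delivers locally. (Assumed layout.)
    return [
        Route(ipaddress.IPv6Network(HOST_A + "/128"), "em0", local=True),
        Route(ipaddress.IPv6Network(JAIL_ADDR + "/128"), "em0", local=True),
        Route(SITE_PREFIX, "em0"),
    ]


def vnet_jail_table(with_host_route: bool) -> List[Route]:
    # VNET jail: the jail address lives on epair0b inside the jail's own stack;
    # the host only sees epair0a. Without an explicit route the address still
    # matches the on-link /64 on em0, so the packet is pushed out the LAN
    # interface instead of into the jail. (Assumed layout.)
    table = [
        Route(ipaddress.IPv6Network(HOST_A + "/128"), "em0", local=True),
        Route(SITE_PREFIX, "em0"),
    ]
    if with_host_route:
        table.append(Route(ipaddress.IPv6Network(JAIL_ADDR + "/128"), "epair0a"))
    return table


if __name__ == "__main__":
    print("classic        :", deliver(classic_jail_table(), JAIL_ADDR, ip6_forwarding=False))
    print("vnet, no route :", deliver(vnet_jail_table(False), JAIL_ADDR, ip6_forwarding=True))
    print("vnet, route    :", deliver(vnet_jail_table(True), JAIL_ADDR, ip6_forwarding=False))
    print("vnet, route+fwd:", deliver(vnet_jail_table(True), JAIL_ADDR, ip6_forwarding=True))
```

The four runs show the progression: the classic layout delivers locally with no routing at all; the bare VNET layout matches only the on-link /64 and sends the packet out em0, where nothing answers for the jail address; adding a host route via epair0a points it at the jail but the host still drops it until IPv6 forwarding is enabled, because a VNET jail address is no longer local to the host stack. On a real FreeBSD host the equivalents to inspect are `netstat -rn -f inet6` and `sysctl net.inet6.ip6.forwarding`.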