Date: Fri, 02 Jan 2015 12:47:00 +1100 From: Aristedes Maniatis <ari@ish.com.au> To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> Cc: freebsd-stable <freebsd-stable@freebsd.org> Subject: Re: ipsec routing issue Message-ID: <54A5F894.7040809@ish.com.au> In-Reply-To: <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net> References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A2367D.8030600@ish.com.au> <8D8CA37C-B699-467A-A84B-85D05FE0E8B2@lists.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2/01/2015 10:46am, Bjoern A. Zeeb wrote: > Hint: not sure if you are testing from the gateway itself; if you do you might have to use a specific source address (internal) with ping/telnet/etc. > > Otherwise, read man setkey on the difference of “use” vs. “require” vs. “unique” for the level in the policy part. Thanks for your (and Dewayne's) help with this. Hopefully the insights here will be useful for other people getting setkey to work. What I've discovered so far (in a nutshell) is: * ignore the FreeBSD handbook which talks about gif0. That is wrong for the common use-case of integration with a third party VPN device. * No routing rules should be required, since 'setkey' does it all * Even racoon isn't strictly needed: you can get the whole thing working with just setkey and the 'add' command. But racoon is really the easiest part. * 'spdadd ... ipsec esp/transport/...' is useful for connecting one IP address at each end * 'spdadd ... ipsec esp/tunnel/...' is what you need when creating a VPN tunnel between a network at each end * 'unique' is probably what you want when using racoon and a tunnel * pf (or probably other firewalls) on the endpoint itself is only needed to allow the esp/isakmp traffic out and in. It has no control over what is inside the tunnel because it appears that the ipsec tunnel completely bypasses the routing rules and the packet filter rules in FreeBSD. There is an enc interface (needs a kernel recompile) to help with that. After all this, a large part of my problem is that creating a tunnel between two endpoints doesn't seem to allow traffic from the endpoint itself into the tunnel (despite liberal use of -s and -i to bind traceroute to certain interfaces or IP addresses), so make sure you test from a different device and not the firewall itself to check that you have things working. I still haven't solved how to get traffic from the endpoint machine itself into the tunnel. Maybe I need to create a transport as well as a tunnel? Other then the helpful Bjoern and Dewayne, another useful resource I found was http://linuxgazette.net/126/pfeiffer.html ( a good general explanation of terminology and concepts). Next I'm going to play with strongswan. It has vastly better documentation [1] than racoon/ipsec-tools so perhaps it will be easier that way to resolve my remaining routing issue. [1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples Thanks Ari -- --------------------------> Aristedes Maniatis ish http://www.ish.com.au Level 1, 30 Wilson Street Newtown 2042 Australia phone +61 2 9550 5001 fax +61 2 9550 4001 GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54A5F894.7040809>