Date: Fri, 01 Feb 2019 23:00:30 +0000 From: "Maxim Filimonov" <che@bein.link> To: freebsd-questions@freebsd.org Subject: ipsec+gre: no luck accessing a jail Message-ID: <a7443085f703fe099114bc86e7ddb60b@bein.link>
Hello,

I'm having a slight yet annoying trouble with the said technologies.
I have a jail:

% sudo jls
 JID IP Address Hostname Path
 1 172.16.XX.XX %hostname% /usr/home/jail/foo


All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:

% sudo ipfw list
<snip>
00023 fwd 172.16.XX.XX ip from any to me 80
00024 fwd 172.16.XX.XX ip from any to me 443
<the rest doesn't seem to matter>

And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error. I know it means no one is listening at the GRE interface, but nevertheless.
The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname, which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.

The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:

% cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;

spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
spdadd <home IP>/<host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;




-----
wbr, Maxim V Filimonov <che@bein.link>
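Added example, not part of the post above: a small Python checker for setkey.conf SPD entries of the form quoted in the mail. It parses each spdadd line and reports lines that do not parse, plus policies whose mirror image (source/destination, ESP endpoints and direction swapped) is missing, which is the usual cause of an IPsec path that works in only one direction. The addresses are constructed RFC 5737 stand-ins for the mail's <host IP> and <home IP>, and the regex covers only the "spdadd ... -P dir ipsec sa/mode/a-b/level;" form used there.

```python
import re

# setkey(8) SPD line: spdadd SRC DST PROTO -P DIR ipsec SA/MODE/EP_SRC-EP_DST/LEVEL;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<sa>\w+)/(?P<mode>\w+)/(?P<ep_src>[^-\s]+)-(?P<ep_dst>[^/\s]+)/(?P<level>\w+)\s*;$"
)

def parse_spd(text):
    """Return (policies, bad_lines); each policy is the regex groupdict."""
    policies, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue  # flush;, spdflush;, blanks and comments are not policies
        m = SPDADD_RE.match(line)
        if m:
            policies.append(m.groupdict())
        else:
            bad.append((lineno, line))  # e.g. a range written without its prefix length
    return policies, bad

def mirror(p):
    """The policy that must also exist for the reverse direction of the same flow."""
    return dict(p, src=p["dst"], dst=p["src"], ep_src=p["ep_dst"], ep_dst=p["ep_src"],
                dir="in" if p["dir"] == "out" else "out")

def unpaired(policies):
    """Policies with no mirror image: a one-way SPD that breaks the tunnel."""
    return [p for p in policies if mirror(p) not in policies]

# Constructed sample (RFC 5737 addresses) laid out exactly like the quoted setkey.conf,
# including the "in" line whose source range is written as <home IP>/<host IP>/32.
HOST, HOME = "192.0.2.10", "198.51.100.20"
AS_POSTED = f"""flush;
spdflush;
spdadd {HOST}/32 {HOME}/32 gre -P out ipsec esp/transport/{HOST}-{HOME}/require;
spdadd {HOME}/{HOST}/32 gre -P in ipsec esp/transport/{HOME}-{HOST}/require;
"""
CORRECTED = AS_POSTED.replace(f"{HOME}/{HOST}/32", f"{HOME}/32 {HOST}/32")

def audit(text):
    """Summarise what setkey would reject and which policies lack a reverse twin."""
    policies, bad = parse_spd(text)
    return {"bad_lines": [n for n, _ in bad],
            "unpaired": [(p["dir"], p["src"], p["dst"]) for p in unpaired(policies)]}

if __name__ == "__main__":
    print("as posted:", audit(AS_POSTED))   # line 4 rejected, the out policy is unpaired
    print("corrected:", audit(CORRECTED))   # nothing rejected, nothing unpaired
```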
