ipsec+gre: no luck accessing a jail
che at bein.link
Fri Feb 1 23:00:39 UTC 2019
I'm having a slight yet annoying trouble with the said technologies.
I have a jail:
% sudo jls
JID IP Address Hostname Path
1 172.16.XX.XX %hostname% /usr/home/jail/foo
All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
% sudo ipfw list
00023 fwd 172.16.XX.XX ip from any to me 80
00024 fwd 172.16.XX.XX ip from any to me 443
<the rest doesn't seem to matter>
And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error. I know it means no one is listening at the GRE interface, but nevertheless.
The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:
% cat /usr/local/etc/racoon/setkey.conf
spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
spdadd <home IP>/32 <host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;
wbr, Maxim V Filimonov <che at bein.link>
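The SPD entries above are the kind of thing that is easy to get subtly wrong by hand: a dropped prefix length, an in/out pair that is not a mirror image, or transport-mode SA endpoints that do not match the selector addresses. Below is an added example, written for this page rather than taken from the poster's setup or from the setkey(8) sources, of a small linter that parses spdadd lines and reports exactly those mismatches. It assumes RFC 5737 documentation addresses standing in for the placeholders (192.0.2.10 for <host IP>, 198.51.100.20 for <home IP>); the sample configs and every function name are constructed for the example.

```python
"""Lint setkey(8) SPD entries for slips that break a GRE-over-IPsec policy pair.

Added example for illustration; not the poster's config and not a diagnosis of
their problem. Addresses are RFC 5737 documentation ranges (constructed).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# spdadd <src_range> <dst_range> <upperspec> -P <dir> <action> [<proto>/<mode>/<src>-<dst>/<level>] ;
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+(?P<action>ipsec|discard|none)"
    r"(?:\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>transport|tunnel)/(?P<ep>[^/\s]*)"
    r"/(?P<level>default|use|require|unique))?\s*;\s*$"
)
# address[/prefixlen][[port]]  e.g. 192.0.2.10/32 or 192.0.2.10/32[80]
RANGE_RE = re.compile(r"^(?P<addr>[^/\[\]]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>[^\]]+)\])?$")


@dataclass
class Policy:
    line: int
    src: str
    dst: str
    upper: str
    direction: str
    action: str
    proto: Optional[str]
    mode: Optional[str]
    ep_src: Optional[str]
    ep_dst: Optional[str]
    level: Optional[str]


def parse_range(text: str) -> Tuple[str, Optional[int]]:
    """Return (address, prefixlen) for a setkey address range; ValueError on junk."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad address range {text!r}")
    addr = ipaddress.ip_address(m.group("addr"))  # rejects non-addresses
    plen = int(m.group("plen")) if m.group("plen") is not None else None
    if plen is not None and plen > addr.max_prefixlen:
        raise ValueError(f"prefix length {plen} too long for {addr}")
    return str(addr), plen


def parse_spd(text: str) -> Tuple[List[Policy], List[str]]:
    """Parse every spdadd line; other setkey commands (spdflush, add, ...) are skipped."""
    policies: List[Policy] = []
    findings: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            findings.append(f"line {n}: cannot parse spdadd entry: {line}")
            continue
        try:
            src, _ = parse_range(m["src"])
            dst, _ = parse_range(m["dst"])
        except ValueError as e:
            findings.append(f"line {n}: {e}")
            continue
        ep_src = ep_dst = None
        if m["ep"]:
            parts = m["ep"].split("-")
            if len(parts) != 2:
                findings.append(f"line {n}: SA endpoints must be src-dst, got {m['ep']!r}")
                continue
            ep_src, ep_dst = parts
        policies.append(Policy(n, src, dst, m["upper"], m["dir"], m["action"],
                               m["proto"], m["mode"], ep_src, ep_dst, m["level"]))
    return policies, findings


def lint_spd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the SPD looks consistent."""
    policies, findings = parse_spd(text)
    for p in policies:
        # In transport mode the SA endpoints are the packet endpoints themselves.
        if p.mode == "transport" and p.ep_src and p.ep_dst and (p.ep_src, p.ep_dst) != (p.src, p.dst):
            findings.append(f"line {p.line}: transport-mode SA endpoints {p.ep_src}-{p.ep_dst} "
                            f"do not match selector {p.src}->{p.dst}")
    by_key = {(p.src, p.dst, p.upper, p.direction): p for p in policies}
    for p in policies:
        if p.direction not in ("in", "out") or p.action != "ipsec":
            continue
        want = "in" if p.direction == "out" else "out"
        mate = by_key.get((p.dst, p.src, p.upper, want))
        if mate is None:
            findings.append(f"line {p.line}: {p.direction} policy {p.src}->{p.dst} {p.upper} "
                            f"has no mirror-image {want} policy")
        elif p.direction == "out" and (mate.proto, mate.mode, mate.level, mate.ep_src, mate.ep_dst) != \
                (p.proto, p.mode, p.level, p.ep_dst, p.ep_src):
            findings.append(f"lines {p.line}/{mate.line}: out/in policies are not mirror images")
    return findings


# Constructed sample: a consistent pair for GRE between <host IP> and <home IP>.
GOOD_CONF = """\
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/32 192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""

# Constructed sample: same pair with a "/32" dropped from the in entry, so the tokens shift.
BROKEN_CONF = """\
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(name, lint_spd(conf) or "OK")
```

Run it against a real setkey.conf (`python3 lint_spd.py < /usr/local/etc/racoon/setkey.conf` after swapping the samples for `sys.stdin.read()`) before loading the file with `setkey -f`; setkey itself will reject a malformed line, but it will happily load an in policy without its out twin, which is the case the mirror-image check is there to catch.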