ipsec+gre: no luck accessing a jail

Maxim Filimonov che at bein.link
Fri Feb 1 23:00:39 UTC 2019


I'm having a slight yet annoying trouble with the said technologies.
I have a jail:

% sudo jls
   JID  IP Address      Hostname                      Path
     1  172.16.XX.XX    %hostname%                 /usr/home/jail/foo

All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:

% sudo ipfw list
00023 fwd 172.16.XX.XX ip from any to me 80
00024 fwd 172.16.XX.XX ip from any to me 443
<the rest doesn't seem to matter>

And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error. I know it means no one is listening at the GRE interface, but nevertheless.
The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.

The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:

% cat /usr/local/etc/racoon/setkey.conf 

spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
spdadd <home IP>/<host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;

wbr, Maxim V Filimonov <che at bein.link>
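As an added example (not part of the original post, and not a FreeBSD or racoon tool), the script below is a small sanity checker for setkey(8) spdadd lines of the kind used to protect a GRE tunnel with transport-mode ESP. It parses each line, checks that the selector addresses and the policy's SA endpoints are valid and that, in transport mode, the endpoints are the selector hosts themselves, and then checks that every out policy has a mirrored in policy (source and destination swapped, same upper-layer protocol). The first sample is constructed to mirror the two lines from the post, with RFC 5737 documentation addresses standing in for <host IP> and <home IP>; the second is a constructed pair in which both selectors carry a prefix length. The syntax accepted by the regular expressions is the subset shown on this page, not the full setkey grammar.

```python
"""Sanity checker for setkey(8) spdadd lines (added example, not part of the post)."""
import ipaddress
import re

# Constructed sample modelled on the two spdadd lines from the post;
# 192.0.2.10 stands in for <host IP>, 198.51.100.20 for <home IP>.
SAMPLE_SETKEY_CONF = """\
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""

# Constructed pair in which both selectors are written as address/prefixlen.
FIXED_SETKEY_CONF = """\
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/32 192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""

# spdadd <src> <dst> <upper-layer proto> -P <in|out> ipsec <policy>;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<policy>\S+?)\s*;$"
)
# <esp|ah>/<transport|tunnel>/[<srcaddr>-<dstaddr>]/<require|use|default>
POLICY_RE = re.compile(
    r"^(?P<proto>esp|ah)/(?P<mode>transport|tunnel)/"
    r"(?:(?P<a>[^-/]+)-(?P<b>[^/]+))?/(?P<level>require|use|default)$"
)


def parse_spdadd(line):
    """Return a dict describing one spdadd line, or raise ValueError."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed spdadd line "
                         "(expected: spdadd src/len dst/len upper -P dir ipsec policy;)")
    src = ipaddress.ip_network(m["src"], strict=False)
    dst = ipaddress.ip_network(m["dst"], strict=False)
    p = POLICY_RE.match(m["policy"])
    if not p:
        raise ValueError(f"unrecognised policy {m['policy']!r}")
    # SA endpoints are optional in transport mode; parse them when present.
    ends = tuple(ipaddress.ip_address(x) for x in (p["a"], p["b"]) if x)
    return {"src": src, "dst": dst, "upper": m["upper"], "dir": m["dir"],
            "proto": p["proto"], "mode": p["mode"], "ends": ends, "level": p["level"]}


def check_spd(text):
    """Parse every spdadd line in text; return a list of 'line N: problem' strings."""
    issues, entries = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue  # comments, blank lines, add/flush/... are out of scope here
        try:
            e = parse_spdadd(line)
        except ValueError as err:
            issues.append(f"line {n}: {err}")
            continue
        # In transport mode the SA endpoints must be the selector hosts themselves.
        if e["mode"] == "transport" and e["ends"]:
            want = (e["src"].network_address, e["dst"].network_address)
            if e["ends"] != want:
                issues.append(f"line {n}: transport-mode endpoints {e['ends']} "
                              f"do not match selector {want}")
        entries.append((n, e))
    # Every out policy needs a mirrored in policy, or the reply direction is
    # not covered by the SPD at all.
    ins = [e for _, e in entries if e["dir"] == "in"]
    for n, e in entries:
        if e["dir"] != "out":
            continue
        if not any(i["src"] == e["dst"] and i["dst"] == e["src"] and i["upper"] == e["upper"]
                   for i in ins):
            issues.append(f"line {n}: no mirrored 'in' policy for "
                          f"{e['dst']} -> {e['src']} {e['upper']}")
    return issues


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SETKEY_CONF), ("fixed", FIXED_SETKEY_CONF)):
        print(f"{name}: {check_spd(conf) or 'no issues found'}")
```

Run as a script it reports the problems found in the first sample and "no issues found" for the second; on a real host the same check can be fed the output of `setkey -DP` once the policies are loaded, to confirm that both directions of the GRE traffic are actually covered.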
