ipsec+gre: no luck accessing a jail

Ernie Luzar luzar722 at gmail.com
Sun Feb 3 19:10:01 UTC 2019

Maxim Filimonov wrote:
> Hello,
> I'm having a slight yet annoying trouble with the said technologies.
> I have a jail:
> % sudo jls
>    JID  IP Address      Hostname                      Path
>      1  172.16.XX.XX    %hostname%                 /usr/home/jail/foo
> All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
> % sudo ipfw list
> <ship>
> 00023 fwd 172.16.XX.XX ip from any to me 80
> 00024 fwd 172.16.XX.XX ip from any to me 443
> <the rest doesn't seem to matter>
> And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
> Now, when I try to access the web interfaces available from the jail via the host's hostname, I get "Connection refused" error. 
> > I know it means no one is listening at the GRE interface, but 
> The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). 
> When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
> The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:
> % cat /usr/local/etc/racoon/setkey.conf 
> flush;
> spdflush;
> spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
> spdadd <home IP>/32 <host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;

Do you have remote access to your jail web server without GRE/IPsec 
being enabled? If not, this would indicate a problem with your IPFW rules 
and/or forward rules.

What version of FreeBSD are you running?

My understanding is GRE does the same thing as IPsec, more or less.
Does either one work by itself in your use case?
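As an added example (not from either poster), here is a small checker for the kind of transport-mode SPD pair shown in the quoted setkey.conf: it flags an spdadd line whose address range is malformed (as in the quoted "in" line, which is missing a "/32") and any policy that has no mirrored counterpart in the other direction. It works on any number of spdadd pairs, not just the two above; the addresses are constructed RFC 5737 placeholders.

```python
"""Sanity-check transport-mode spdadd pairs in a setkey.conf (added example).

Two checks worth running before blaming IPsec for a reachability problem:
every address is a proper a.b.c.d/len range, and every out policy has a
mirrored in policy (src/dst and ESP endpoints swapped).
Addresses below are constructed RFC 5737 placeholders, not real hosts.
"""
import re
from collections import namedtuple

Policy = namedtuple("Policy", "src dst proto direction esrc edst")

SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/transport/(?P<esrc>[^-\s]+)-(?P<edst>[^/\s]+)/(?P<level>\w+);$"
)
RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")

# Constructed sample whose second line drops the "/32" after the first address,
# the same shape as the typo in the quoted config; setkey rejects such a line.
BROKEN_CONF = """\
flush;
spdflush;
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""
FIXED_CONF = BROKEN_CONF.replace("198.51.100.20/192.0.2.10/32", "198.51.100.20/32 192.0.2.10/32")

def parse_spd(text):
    """Return (policies, errors); lines other than spdadd are ignored."""
    policies, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPD_RE.match(line)
        if not m:
            errors.append(f"line {n}: unparseable spdadd: {line}")
            continue
        for f in ("src", "dst"):
            if not RANGE_RE.match(m[f]):
                errors.append(f"line {n}: bad address range {m[f]!r}")
        policies.append(Policy(m["src"], m["dst"], m["proto"], m["dir"], m["esrc"], m["edst"]))
    return policies, errors

def unmatched(policies):
    """Policies whose mirror (swapped direction, addresses and ESP endpoints) is absent."""
    mirrors = {Policy(p.dst, p.src, p.proto, "in" if p.direction == "out" else "out", p.edst, p.esrc)
               for p in policies}
    return [p for p in policies if p not in mirrors]

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        pols, errs = parse_spd(conf)
        print(name, "errors:", errs, "unmatched:", unmatched(pols))
```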
