ipsec+gre: no luck accessing a jail

Maxim Filimonov che at bein.link
Sun Feb 3 19:54:03 UTC 2019

If I'm not using GRE or anything, the jail is accessible via the host's hostname/IP address.
If I'm using GRE, but not IPSEC, it's available as well.
If I'm using both, it's still accessible via its ip address, but not through the host's hostname.

It's FreeBSD 11.2-RELEASE with the latest patches.

If I'm not looking at the host nginx, everything else works like a charm.

wbr, Maxim Filimonov
che at bein.link

> On 3 Feb 2019, at 22:09, Ernie Luzar <luzar722 at gmail.com> wrote:
> Maxim Filimonov wrote:
>> Hello,
>> I'm having a slight yet annoying trouble with the said technologies.
>> I have a jail:
>> % sudo jls
>>   JID  IP Address      Hostname                      Path
>>     1  172.16.XX.XX    %hostname%                 /usr/home/jail/foo
>> All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
>> % sudo ipfw list
>> <snip>
>> 00023 fwd 172.16.XX.XX ip from any to me 80
>> 00024 fwd 172.16.XX.XX ip from any to me 443
>> <the rest doesn't seem to matter>
>> And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
>> Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error.
> I know it means no one is listening at the GRE interface, but
> nevertheless.
>> The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
>> The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:
>> % cat /usr/local/etc/racoon/setkey.conf
>> flush;
>> spdflush;
>> spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
>> spdadd <home IP>/32 <host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;
> Do you have remote access to your jail web server without GRE/IPSEC being enabled? If not, this would indicate you have an IPFW rules and/or forward rules problem.
> What version of FreeBSD are you running?
> My understanding is GRE does the same thing as ipsec more or less.
> Does either one work by itself in your use case?
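A small consistency check for setkey(8) SPD entries of the kind discussed above, written for this page as an added example (it is not code from the thread or from FreeBSD). It parses `spdadd` lines, requires every selector to be written as addr/prefixlen, checks that the ESP endpoints of a host-to-host transport policy are the same two hosts as the selectors, and checks that each `out` policy has a mirrored `in` policy. The addresses are RFC 5737 documentation addresses standing in for the thread's `<host IP>` and `<home IP>` placeholders; the second sample entry is a constructed malformed variant with the `/32` dropped from the source selector, the sort of slip that is easy to make when copying placeholders. It only checks the file's syntax and symmetry, not whether racoon actually negotiates an SA or whether the kernel matches the GRE traffic; `setkey -DP` and `tcpdump` on the outer interface remain the checks for that.

```python
"""Lint setkey(8) SPD entries for the GRE-over-ESP transport setup discussed above.

Added example for this page; not code from the thread.  It checks selector
syntax, endpoint/selector agreement for transport-mode host-to-host policies,
and that every policy has its mirror image in the other direction.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed input.  RFC 5737 addresses stand in for <host IP> (192.0.2.10)
# and <home IP> (198.51.100.20).  The second spdadd is deliberately malformed:
# the source selector lacks "/32" and runs into the destination, leaving the
# line one field short.
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;
spdadd 192.0.2.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20/192.0.2.10/32 gre -P in ipsec esp/transport/198.51.100.20-192.0.2.10/require;
"""

# Same file with the "in" selector written out properly.
CORRECTED_SETKEY_CONF = SAMPLE_SETKEY_CONF.replace(
    "spdadd 198.51.100.20/192.0.2.10/32 gre",
    "spdadd 198.51.100.20/32 192.0.2.10/32 gre",
)


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upperspec: str          # "gre", "any", "tcp", ...
    direction: str          # "in" or "out"
    protocol: str           # "esp" or "ah"
    mode: str               # "transport" or "tunnel"
    endpoints: str          # "src-dst", or "" (allowed in transport mode)
    level: str              # "require", "use", "unique", "default"


def parse_selector(token: str) -> ipaddress.IPv4Network:
    """A selector must be exactly addr/prefixlen; anything else raises ValueError."""
    if token.count("/") != 1:
        raise ValueError(f"selector {token!r} must be written as addr/prefixlen")
    return ipaddress.ip_network(token, strict=False)


def parse_spdadd(line: str) -> SpdEntry:
    """Parse 'spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto/mode/endpoints/level>;'."""
    tokens = line.rstrip(";").split()
    if len(tokens) != 8 or tokens[0] != "spdadd" or tokens[4] != "-P" or tokens[6] != "ipsec":
        raise ValueError(
            "expected 'spdadd <src> <dst> <upperspec> -P <in|out> ipsec <policy>' "
            f"(8 fields), got {len(tokens)}"
        )
    src, dst = parse_selector(tokens[1]), parse_selector(tokens[2])
    direction = tokens[5]
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be in or out, got {direction!r}")
    policy = tokens[7].split("/")
    if len(policy) != 4:
        raise ValueError(f"policy {tokens[7]!r} must be proto/mode/endpoints/level")
    protocol, mode, endpoints, level = policy
    if protocol not in ("esp", "ah") or mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown protocol/mode in {tokens[7]!r}")
    if level not in ("require", "use", "unique", "default"):
        raise ValueError(f"unknown level {level!r}")
    return SpdEntry(src, dst, tokens[3], direction, protocol, mode, endpoints, level)


def lint_setkey_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the SPD looks consistent."""
    problems: List[str] = []
    entries: List[SpdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line in ("flush;", "spdflush;"):
            continue
        if not line.startswith("spdadd"):
            problems.append(f"line {lineno}: unhandled directive: {line}")
            continue
        try:
            entry = parse_spdadd(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        # For a host-to-host transport policy the SA endpoints, when given,
        # must be the very hosts named in the selectors.
        if entry.mode == "transport" and entry.endpoints:
            want = f"{entry.src.network_address}-{entry.dst.network_address}"
            if entry.endpoints != want:
                problems.append(f"line {lineno}: SA endpoints {entry.endpoints} do not match selectors {want}")
        entries.append(entry)

    # Each policy needs its mirror image in the other direction; otherwise one
    # half of the GRE conversation is unprotected or, with "require", dropped.
    for e in entries:
        mirrored = any(
            o.direction != e.direction and o.src == e.dst and o.dst == e.src
            and o.upperspec == e.upperspec
            for o in entries
        )
        if not mirrored:
            other = "in" if e.direction == "out" else "out"
            problems.append(
                f"{e.direction} policy {e.src} -> {e.dst} {e.upperspec} has no mirrored {other} policy"
            )
    return problems


if __name__ == "__main__":
    for name, conf in (("as written", SAMPLE_SETKEY_CONF), ("corrected", CORRECTED_SETKEY_CONF)):
        print(f"== {name} ==")
        for p in lint_setkey_conf(conf) or ["no problems found"]:
            print(" ", p)
```

Run against the malformed sample it reports the short `in` line and the `out` policy left without a mirror; against the corrected file it reports nothing. A clean result here says only that the policy file is internally consistent; whether ESP is actually applied is still a matter of `setkey -DP`, `setkey -D` and watching for ESP rather than plain GRE on the wire.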
