ipsec routing issue

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon Dec 29 17:23:25 UTC 2014


> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari at ish.com.au> wrote:
> 
> I am at wit's end trying to get ipsec working correctly on FreeBSD 10.1. I've always used a script or helper (like pfsense) to get it working, and setting it up by hand is much harder than it seems. I've spent two solid days on this and read everything on the internet...
> 
> So, I've got racoon working. The tunnel authenticates and comes up just fine. The racoon logs all look good. The other end (Sophos UTM in my case, which is just linux) also shows everything as up.
> 
> As I understand it, a gif0 tunnel is not needed at all. It should all just work without one, despite the FreeBSD handbook. But I think I'm missing something about how gif0 ties into enc0, firewall rules and routing. So some questions please:

If you are trying to set up ipsec tunnel mode between two sites, ignore gif entirely.

> 1. Let's say I'm not using gif0. Should I expect some routes to appear in the FreeBSD routing table? Or do I need to put them there myself? If so, what should I be adding? I've seen things like:
> 
> route add $remote_net/24 $remote_internal_address
> 
> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?

No, there are no routes involved; your security policy deals with this.  setkey -DP is your friend.  You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.


> 2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall don’t I?

Yes.


> 3. What does this mean:
> 
> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
> 
> Is that mask for the remote end or for the local end?

Or just to be there.


> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?

For that you’ll need enc(4) to do it properly.  Check the man page for settings.  You might want to change them off the defaults.


— 
Bjoern A. Zeeb                                  Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend."
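The two answers above (no routes, just SPD entries via setkey/ipsec.conf; filtering the inner traffic on enc(4)) are easier to follow with a concrete configuration. The script below is an added example written for this thread, not something posted by either participant: it emits the spdadd lines that belong in /etc/ipsec.conf for a gif-less site-to-site tunnel and the matching pf rules. Every address, the interface name em0 and the choice of which inner protocols to allow are constructed placeholders; the spdadd syntax follows setkey(8).

```shell
#!/bin/sh
# Added example, not from the thread: SPD entries for a site-to-site IPsec
# tunnel without gif(4), plus the pf(4) rules that go with them.
# All addresses and the interface name are constructed placeholders.

# spd_policy LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the two spdadd lines for /etc/ipsec.conf (loaded by rc.d/ipsec with
# "setkey -f"); racoon can install the same policy for you instead.
# Tunnel-mode ESP between the two gateways, level "require": if no SA exists
# the packet is dropped rather than forwarded in the clear.
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$2" "$1" "$4" "$3"
}

# pf_rules WAN_IF REMOTE_GW LOCAL_NET REMOTE_NET
# The outer traffic (IKE on udp/500, udp/4500 for NAT-T, and ESP) is filtered
# on the WAN interface. The decrypted inner packets are only seen by pf on
# enc0, so that is where "what may cross the tunnel" is enforced.
pf_rules() {
    cat <<EOF
# outer: IKE and ESP between the two gateways only
pass in  on $1 proto udp from $2 to ($1) port { 500, 4500 }
pass out on $1 proto udp from ($1) to $2 port { 500, 4500 }
pass in  on $1 proto esp from $2 to ($1)
pass out on $1 proto esp from ($1) to $2
# inner: decapsulated traffic, visible on enc0 (see enc(4))
block in on enc0
pass in  on enc0 proto tcp from $4 to $3 port { 22, 443 }
pass in  on enc0 proto icmp from $4 to $3
pass out on enc0 from $3 to $4
EOF
}

# Constructed sample: 192.168.1.0/24 behind 203.0.113.1 talking to
# 192.168.2.0/24 behind 198.51.100.1, WAN interface em0.
spd_policy 192.168.1.0/24 192.168.2.0/24 203.0.113.1 198.51.100.1
pf_rules em0 198.51.100.1 192.168.1.0/24 192.168.2.0/24
```

Redirect the first function's output into /etc/ipsec.conf, enable ipsec_enable="YES" in rc.conf alongside racoon, and confirm the result with the `setkey -DP` mentioned above: the two policies should appear with the same networks and gateway pair, and nothing new shows up in `netstat -rn`. For the enc0 rules to take effect the interface must be up (`ifconfig enc0 up`); whether pf sees the packets before or after IPsec processing is governed by the sysctls enc(4) documents (net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask on the releases I know), which is the "settings off the defaults" point in the reply to question 4.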