Date: Sun, 3 Feb 2019 22:53:30 +0300
From: Maxim Filimonov <che@bein.link>
To: Ernie Luzar <luzar722@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipsec+gre: no luck accessing a jail
Message-ID: <6ECEFDEA-2A77-432E-88E4-8123356C2362@bein.link>
In-Reply-To: <5C573C85.1080101@gmail.com>
References: <a7443085f703fe099114bc86e7ddb60b@bein.link> <5C573C85.1080101@gmail.com>
If I'm not using GRE or anything, the jail is accessible via the host's hostname/IP address. If I'm using GRE, but not IPSEC, it's available as well. If I'm using both, it's still accessible via its IP address, but not through the host's hostname.

It's FreeBSD 11.2-RELEASE with the latest patches.

If I'm not looking at the host nginx, everything else works like a charm.

wbr,
Maxim Filimonov
che@bein.link

> On 3 Feb 2019, at 22:09, Ernie Luzar <luzar722@gmail.com> wrote:
>
> Maxim Filimonov wrote:
>> Hello,
>> I'm having a slight yet annoying trouble with the said technologies.
>> I have a jail:
>> % sudo jls
>> JID  IP Address    Hostname    Path
>> 1    172.16.XX.XX  %hostname%  /usr/home/jail/foo
>> All HTTP(s) traffic to the FreeBSD box gets forwarded to that jail:
>> % sudo ipfw list
>> <snip>
>> 00023 fwd 172.16.XX.XX ip from any to me 80
>> 00024 fwd 172.16.XX.XX ip from any to me 443
>> <the rest doesn't seem to matter>
>> And I have set up a GRE tunnel to my network here at home and protected it with IPSEC.
>> Now, when I try to access the web interfaces available from the jail via the host's hostname, I get a "Connection refused" error.
>> I know it means no one is listening at the GRE interface, but nevertheless.
>> The point is, when I disable IPSEC, I can access them via the hostname (something.my.hostname which points to the box, not the jail). When IPSEC is enabled, no luck here. In both cases, the jail replies to 'curl http://172.16.XX.XX'.
>> The question is, what can be done to fix that? I'm seeing this as an IPSEC misconfiguration. Here's my setkey.conf:
>> % cat /usr/local/etc/racoon/setkey.conf
>> flush;
>> spdflush;
>> spdadd <host IP>/32 <home IP>/32 gre -P out ipsec esp/transport/<host IP>-<home IP>/require;
>> spdadd <home IP>/<host IP>/32 gre -P in ipsec esp/transport/<home IP>-<host IP>/require;
>
> Do you have remote access to your jail web server without GRE/IPSEC being enabled? If not, this would indicate you have an IPFW rules and/or forward rules problem.
>
> What version of FreeBSD are you running?
>
> My understanding is GRE does the same thing as ipsec more or less.
> Does either one work by itself in your use case?
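A consistency check for SPD policies of the kind quoted in the thread, written as an added example that is not part of this mailing-list exchange: it parses setkey(8) spdadd lines and flags a selector that is not a src/dst pair, and an out policy with no mirrored in policy. The RFC 5737 addresses 203.0.113.10 and 198.51.100.20 are constructed stand-ins for the redacted <host IP> and <home IP>.

```python
import re

# Constructed sample with the same shape as the two policies quoted above; the
# 'in' line deliberately keeps the '<home IP>/<host IP>/32' form seen in the post.
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;
spdadd 203.0.113.10/32 198.51.100.20/32 gre -P out ipsec esp/transport/203.0.113.10-198.51.100.20/require;
spdadd 198.51.100.20/203.0.113.10/32 gre -P in ipsec esp/transport/198.51.100.20-203.0.113.10/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/<mode>/<ep_src>-<ep_dst>/<level>;
SPDADD = re.compile(
    r"^spdadd\s+(?P<sel>.+?)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<proto>esp|ah)/"
    r"(?P<mode>transport|tunnel)/(?P<ep_src>[^/-]+)-(?P<ep_dst>[^/]+)/(?P<level>require|use|default)\s*;$"
)
CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")  # IPv4 selector, optional prefix length

def parse_spd(text):
    """Return (policies, problems) for the spdadd lines of a setkey.conf fragment."""
    policies, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD.match(line)
        if not m:
            problems.append(f"line {n}: unparsable spdadd")
            continue
        parts = m["sel"].split()  # must be exactly: src dst upperspec
        if len(parts) != 3 or not all(CIDR.match(s) for s in parts[:2]):
            # '198.51.100.20/203.0.113.10/32 gre' is a single token, not a src/dst pair
            problems.append(f"line {n}: bad selector {m['sel']!r}, expected 'src dst upperspec'")
            continue
        policies.append({"src": parts[0], "dst": parts[1], "upper": parts[2], "dir": m["dir"],
                         "mode": m["mode"], "ep": (m["ep_src"], m["ep_dst"])})
    return policies, problems

def check_pairs(policies):
    """Every out policy needs an in policy with selectors and SA endpoints swapped."""
    ins = [p for p in policies if p["dir"] == "in"]
    return [f"no mirrored 'in' policy for out {o['src']} -> {o['dst']} {o['upper']}"
            for o in policies if o["dir"] == "out"
            and not any(i["src"] == o["dst"] and i["dst"] == o["src"] and i["upper"] == o["upper"]
                        and i["mode"] == o["mode"] and i["ep"] == o["ep"][::-1] for i in ins)]

def audit(text):
    """All problems in a setkey.conf fragment; an empty list means the SPD is consistent."""
    policies, problems = parse_spd(text)
    return problems + check_pairs(policies)
```

On the sample above audit() reports two problems (the malformed in selector and the consequently unmirrored out policy); with the in line written as 'spdadd <home IP>/32 <host IP>/32 gre ...' it reports none.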