Date: Sun, 27 Dec 2015 19:14:44 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ipsec tunnel and vnet jails: routing, howto?
Message-ID: <6BC88EA5-D440-418B-88D8-3C90EFF177E5@ellael.org>
In-Reply-To: <567FFD92.2050909@freebsd.org>
References: <E105CD2A-042C-42E6-9AD0-A24C22F6C37E@ellael.org> <567FFD92.2050909@freebsd.org>
Julian Elischer <julian@freebsd.org> wrote:
>
> On 27/12/2015 4:24 AM, Michael Grimm wrote:
>> I am currently stuck, somehow, and I do need your input. Thus, let me explain what I do want to achieve:
>>
>> I do have two servers connected via an ipsec/tunnel ...
>> [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
>> ... which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.
>>
>> That did run perfectly well during the last years until I decided to give VNET jails a try. Previously, some of my old fashioned jails got an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/re-directing or alike being necessary. Now, after having moved those jails to VNET jails (having those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.
>>
>> From my point of view and understanding this must have to do with lack of proper routing, but I am not sure if that is correct, thus my questions to the experts:
>>
>> 1) Is my assumption correct that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic into its final destination (yes, I do have pf rules to allow esp traffic to pass my outer internet facing interface)?
>>
>> 2) If that is true, racoon has to decide where to deliver those packets, finally?
>>
>> 3) If that is true, I do have an issue with routing that *cannot* be solved by pf firewall rules, right?
>>
>> 4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?
>>
>> 5) Do I need to look for a completely different approach? Every hint is highly welcome.
>
> basically you have to treat the jails as if they are totally separate machines that are reached through the vpn endpoints instead of being the endpoints themselves.
> This will require a different setup. for example your tunnel will need to be exactly that, a tunnel, and not just an encapsulation. And you will need full routing information for the other end at each end.

Thanks for your input. In the meantime I got it running, somehow. The "somehow" refers to: I am not sure if that's the way it's supposed to be.

What I did (I only show the part of host [A], the other host is configured accordingly):

1. ipsec/tunnel between [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]

/path-to-racoon/setkey.conf:

    spdadd dead:beef:1234:abcd::/56 dead:feed:abcd:1234:1:2::3 any -P out ipsec esp/tunnel/dead:beef:1234:abcd::1-dead:feed:abcd:1234::1/require;
    spdadd dead:feed:abcd:1234::/56 dead:beef:1234:abcd:1:2::3 any -P in ipsec esp/tunnel/dead:feed:abcd:1234::1-dead:beef:1234:abcd::1/require;

2. routing at [A]:

/etc/rc.conf:

    # each name listed here needs a matching ipv6_route_<name> variable
    ipv6_static_routes="mail"
    # --> that's for the route from host system [A] into jail1 with IPv6 address fd00:ffff:ffff:ffff:aaaa::1
    ipv6_route_mail="-host dead:beef:1234:abcd:1:2::3 -host fd00:ffff:ffff:ffff:aaaa::1"

/etc/jail.conf:

    #
    # host dependent global settings
    #
    $ip6prefix = "dead:beef:1234:abcd";
    $ip6prefix_remote_host = "dead:feed:abcd:1234";

    #
    # global jail settings
    #
    host.hostname = "${name}";
    path = "/usr/home/jails/${name}";
    mount.fstab = "/etc/fstab.${name}";
    exec.consolelog = "/var/log/jail_${name}_console.log";
    vnet = "new";
    vnet.interface = "epair${jailID}b";
    exec.clean;
    mount.devfs;
    persist;

    #
    # network settings to apply/destroy during start/stop of every jail
    #
    exec.prestart = "sleep 2";
    exec.prestart += "ifconfig epair${jailID} create up";
    exec.prestart += "ifconfig bridge0 addm epair${jailID}a";
    exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
    exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
    exec.start += "/sbin/route add default -gateway 10.x.x.254";
    exec.start += "/sbin/route add -inet6 default -gateway fd00:ffff:ffff:ffff:aaaa::254";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair${jailID}a destroy";

    #
    # individual jail settings
    #
    mail {
        $jailID = 1;
        $ip4_addr = 10.x.x.1;
        $ip6_addr = fd00:ffff:ffff:ffff:aaaa::1/64;
        exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6prefix}:1:2::3/56 alias";
        # --> that's for the route to remote host dead:feed:abcd:1234:1:2::3 at tunnel end point [B] out of jail1
        exec.start += "/sbin/route add -6 ${ip6prefix_remote_host}:1:2::3 fd00:ffff:ffff:ffff:aaaa::254";
        exec.start += "/bin/sh /etc/rc";
    }

That is working well, after racoon has established the tunnel.

*But* unlike what I have observed before, the very first contact to the remote server's [B] jail out of a jail at [A] doesn't trigger racoon to establish the tunnel. Before, that happened instantaneously, but now I do need to do some "tricks" with ping6s and/or restarting racoon at the host system. I haven't found out yet what the cause is ... I am sure that I need to learn much more regarding routing. Every feedback is highly welcome.

Thanks and regards,
Michael
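As an added example (not from the mail and not a FreeBSD tool), a small Python check that parses the two spdadd lines quoted above and reports whether a given jail-to-remote flow is covered by both the "out" and the "in" policy, i.e. whether ESP is required in both directions for it. The regex and function names are my own; the policies are a constructed copy of the ones in the mail, and the jail's ULA address fd00:ffff:ffff:ffff:aaaa::1 is checked deliberately to show it falls outside the selectors.

```python
import ipaddress
import re

# Constructed copy of the two setkey.conf policies quoted in the mail (host [A]).
SETKEY_CONF = """
spdadd dead:beef:1234:abcd::/56 dead:feed:abcd:1234:1:2::3 any -P out ipsec esp/tunnel/dead:beef:1234:abcd::1-dead:feed:abcd:1234::1/require;
spdadd dead:feed:abcd:1234::/56 dead:beef:1234:abcd:1:2::3 any -P in ipsec esp/tunnel/dead:feed:abcd:1234::1-dead:beef:1234:abcd::1/require;
"""

# Minimal spdadd grammar: src dst upperspec -P direction ipsec policy;
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+?);")


def parse_spd(text):
    """Return a list of (src_net, dst_net, direction, policy) from spdadd lines."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, _upperspec, direction, policy = m.groups()
        # strict=False: the mail writes the /56 with host bits set (…:abcd::/56)
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         direction, policy))
    return policies


def matching_policy(policies, src, dst, direction):
    """First SPD entry whose selectors cover src -> dst in that direction, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, dirn, policy in policies:
        if dirn == direction and s in src_net and d in dst_net:
            return policy
    return None


def check_flow(policies, jail_addr, remote_addr):
    """Is traffic jail_addr -> remote_addr (and its reply) forced through ESP?"""
    out = matching_policy(policies, jail_addr, remote_addr, "out")
    back = matching_policy(policies, remote_addr, jail_addr, "in")
    return {"out": out, "in": back, "protected": out is not None and back is not None}


if __name__ == "__main__":
    spd = parse_spd(SETKEY_CONF)
    remote = "dead:feed:abcd:1234:1:2::3"
    for jail_addr in ("dead:beef:1234:abcd:1:2::3", "fd00:ffff:ffff:ffff:aaaa::1"):
        print(jail_addr, "->", remote, check_flow(spd, jail_addr, remote))
```

Only the global-address alias on epair1b is covered; anything the jail sends from its ULA address to [B] matches no policy and would never trigger racoon.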