Date:      Sun, 27 Dec 2015 19:14:44 +0100
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: ipsec tunnel and vnet jails: routing, howto?
Message-ID:  <6BC88EA5-D440-418B-88D8-3C90EFF177E5@ellael.org>
In-Reply-To: <567FFD92.2050909@freebsd.org>
References:  <E105CD2A-042C-42E6-9AD0-A24C22F6C37E@ellael.org> <567FFD92.2050909@freebsd.org>

Julian Elischer <julian@freebsd.org> wrote:
>
> On 27/12/2015 4:24 AM, Michael Grimm wrote:

>> I am currently stuck, somehow, and I do need your input. Thus, let me explain what I do want to achieve:
>>
>> I do have two servers connected via an ipsec/tunnel ...
>> 	[A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
>> … which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.
>>
>> That did run perfectly well during the last years until I decided to give VNET jails a try. Previously, some of my old-fashioned jails got an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/redirecting or the like being necessary. Now, after having moved those jails to VNET jails (having those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.
>>
>> From my point of view and understanding, this must have to do with a lack of proper routing, but I am not sure if that is correct, thus my questions to the experts:
>>
>> 1) Is my assumption correct that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic to its final destination (yes, I do have pf rules to allow ESP traffic to pass my outer internet-facing interface)?
>>
>> 2) If that is true, racoon has to decide where to deliver those packets, finally?
>>
>> 3) If that is true, I do have an issue with routing that *cannot* be solved by pf firewall rules, right?
>>
>> 4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?
>>
>> 5) Do I need to look for a completely different approach? Every hint is highly welcome.
>
> Basically you have to treat the jails as if they are totally separate machines that are reached through the VPN endpoints instead of being the endpoints themselves.
> This will require a different setup. For example, your tunnel will need to be exactly that, a tunnel and not just an encapsulation. And you will need full routing information for the other end at each end.

Thanks for your input. In the meantime I got it running, somehow. The "somehow" refers to: I am not sure if that's the way it's supposed to be.

What I did (I only show the part of host [A]; the other host is configured accordingly):

1. ipsec/tunnel between [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]

   /path-to-racoon/setkey.conf:
	spdadd dead:beef:1234:abcd::/56 dead:feed:abcd:1234:1:2::3 any -P out ipsec esp/tunnel/dead:beef:1234:abcd::1-dead:feed:abcd:1234::1/require;
	spdadd dead:feed:abcd:1234::/56 dead:beef:1234:abcd:1:2::3 any -P in  ipsec esp/tunnel/dead:feed:abcd:1234::1-dead:beef:1234:abcd::1/require;

2. routing at [A]:

   /etc/rc.conf:
	# the name listed here must match the ipv6_route_<name> variable below,
	# otherwise rc.d/routing never installs the route
	ipv6_static_routes="mail"
	# that's for the route from host system [A] into jail1 with IPv6 address of fd00:ffff:ffff:ffff:aaaa::1
—>	ipv6_route_mail="-host dead:beef:1234:abcd:1:2::3 -host fd00:ffff:ffff:ffff:aaaa::1"

  /etc/jail.conf:
	#
	# host dependent global settings
	#
	$ip6prefix		 = "dead:beef:1234:abcd";
	$ip6prefix_remote_host	 = "dead:feed:abcd:1234";

	#
	# global jail settings
	#
	host.hostname		 = "${name}";
	path			 = "/usr/home/jails/${name}";
	mount.fstab		 = "/etc/fstab.${name}";
	exec.consolelog 	 = "/var/log/jail_${name}_console.log";
	vnet			 = "new";
	vnet.interface		 = "epair${jailID}b";
	exec.clean;
	mount.devfs;
	persist;
	#
	# network settings to apply/destroy during start/stop of every jail
	#
	exec.prestart		 = "sleep 2";
	exec.prestart		+= "ifconfig epair${jailID} create up";
	exec.prestart		+= "ifconfig bridge0 addm epair${jailID}a";
	exec.start		 = "/sbin/ifconfig lo0 127.0.0.1 up";
	exec.start		+= "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
	exec.start		+= "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
	exec.start		+= "/sbin/route add default -gateway 10.x.x.254";
	exec.start		+= "/sbin/route add -inet6 default -gateway fd00:ffff:ffff:ffff:aaaa::254";
	exec.stop		 = "/bin/sh /etc/rc.shutdown";
	exec.poststop 		 = "ifconfig epair${jailID}a destroy";
	#
	# individual jail settings
	#
	mail {
		$jailID		 = 1;
		$ip4_addr	 = 10.x.x.1;
		$ip6_addr	 = fd00:ffff:ffff:ffff:aaaa::1/64;
		exec.start	+= "/sbin/ifconfig epair${jailID}b inet6 ${ip6prefix}:1:2::3/56 alias";
—>		# that's for the route to remote host dead:feed:abcd:1234:1:2::3 at tunnel end point [B] out of jail1
		exec.start	+= "/sbin/route add -6 ${ip6prefix_remote_host}:1:2::3 fd00:ffff:ffff:ffff:aaaa::254";
		exec.start	+= "/bin/sh /etc/rc";
	}

That is working well, after racoon has established the tunnel.

*But* unlike what I have observed before, the very first contact to the remote server's [B] jail out of a jail at [A] doesn't trigger racoon to establish the tunnel. Before, that happened instantaneously, but now I do need to do some "tricks" with ping6s and/or restarting racoon at the host system. I haven't found out yet what the cause is … I am sure that I need to learn much more regarding routing. Every feedback is highly welcome.

Thanks and regards,
Michael