Date:      Tue, 30 Dec 2014 03:20:03 +1100
From:      Aristedes Maniatis <ari@ish.com.au>
To:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   ipsec routing issue
Message-ID:  <54A17F33.2020708@ish.com.au>

I am at wit's end trying to get ipsec working correctly on FreeBSD 10.1. I've always used a script or helper (like pfsense) to get it working, and setting it up by hand is much harder than it seems. I've spent two solid days on this and read everything on the internet...

So, I've got racoon working. The tunnel authenticates and comes up just fine. The racoon logs all look good. The other end (Sophos UTM in my case, which is just Linux) also shows everything as up.

As I understand it, a gif0 tunnel is not needed at all. It should all just work without one, despite the FreeBSD handbook. But I think I'm missing something about how gif0 ties into enc0, firewall rules and routing. So some questions please:

1. Let's say I'm not using gif0. Should I expect some routes to appear in the FreeBSD routing table? Or do I need to put them there myself? If so, what should I be adding? I've seen things like:

route add $remote_net/24 $remote_internal_address

But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?


2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall don't I?


3. What does this mean:

ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff

Is that mask for the remote end or for the local end?


4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?



Thank you for any help!

Ari Maniatis



-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A



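As an added illustration for questions 1 and 4 above (this is editor-supplied example code, not part of the original mail or of any FreeBSD project script), the script below generates the two pieces a policy-based tunnel needs on the FreeBSD side when no gif(4) interface is used: a setkey(8) SPD file whose tunnel-mode policies racoon negotiates SAs for, and a pf rule set that passes IKE/ESP on the outside interface and then filters the decrypted inner traffic on enc(4). All addresses are constructed RFC 5737 documentation values, and the interface name em0 is an assumption. The script only writes config text; loading it (setkey -f, pfctl -f, ifconfig enc0 up) is left to the operator.

```shell
#!/bin/sh
# Added example (not from the original e-mail): build a setkey(8) SPD file and
# pf rules for a policy-based IPsec tunnel on FreeBSD, with no gif(4) interface.
# All addresses below are constructed documentation ranges (RFC 5737) and the
# interface name is an assumption; substitute your own values.

LOCAL_GW=203.0.113.10      # our public address (constructed)
REMOTE_GW=198.51.100.20    # peer public address (constructed)
LOCAL_NET=192.168.1.0/24   # network behind us (constructed)
REMOTE_NET=192.168.0.0/24  # network behind the peer (constructed)
EXT_IF=em0                 # outside interface (assumption)

# SPD entries: the kernel matches outgoing packets against these selectors and
# hands them to the tunnel-mode SA racoon negotiated, so no "route add" for
# REMOTE_NET and no gif(4) interface are needed for a policy-based tunnel.
spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd ${LOCAL_NET} ${REMOTE_NET} any -P out ipsec esp/tunnel/${LOCAL_GW}-${REMOTE_GW}/require;
spdadd ${REMOTE_NET} ${LOCAL_NET} any -P in ipsec esp/tunnel/${REMOTE_GW}-${LOCAL_GW}/require;
EOF
}

# pf rules: IKE (udp 500/4500) and ESP between the gateways on the outside
# interface, then the traffic inside the tunnel on enc0. pf only sees inner
# traffic on enc0 once the interface is up ("ifconfig enc0 up"); depending on
# net.enc.in.ipsec_filter_mask it may also see the tunnel as an ipencap flow
# between the gateways, so both forms are passed here (assumption).
pf_rules() {
    cat <<EOF
ext_if = "${EXT_IF}"
pass in  quick on \$ext_if proto udp from ${REMOTE_GW} to ${LOCAL_GW} port { 500, 4500 }
pass out quick on \$ext_if proto udp from ${LOCAL_GW} to ${REMOTE_GW} port { 500, 4500 }
pass in  quick on \$ext_if proto esp from ${REMOTE_GW} to ${LOCAL_GW}
pass out quick on \$ext_if proto esp from ${LOCAL_GW} to ${REMOTE_GW}
pass quick on enc0 proto ipencap from ${REMOTE_GW} to ${LOCAL_GW}
pass quick on enc0 proto ipencap from ${LOCAL_GW} to ${REMOTE_GW}
pass in  on enc0 from ${REMOTE_NET} to ${LOCAL_NET} keep state
pass out on enc0 from ${LOCAL_NET} to ${REMOTE_NET} keep state
EOF
}

# Sanity check before loading: the inbound policy must be the exact mirror of
# the outbound one, or the peer's traffic is dropped as "no matching policy".
spd_is_symmetric() {
    out_line=$(spd_policy | grep -- '-P out')
    in_line=$(spd_policy | grep -- '-P in')
    set -- $out_line; o_src=$2; o_dst=$3
    set -- $in_line;  i_src=$2; i_dst=$3
    [ "$o_src" = "$i_dst" ] && [ "$o_dst" = "$i_src" ]
}

# Number of spdadd lines; two (one per direction) for a single tunnel.
count_spd_entries() { spd_policy | grep -c '^spdadd'; }

# Write both files into DIR so they can be reviewed and then loaded with
# "setkey -f DIR/ipsec.conf" and "pfctl -f DIR/pf.conf".
write_configs() {
    dir=$1
    spd_is_symmetric || { echo "SPD policies are not symmetric" >&2; return 1; }
    spd_policy > "${dir}/ipsec.conf"
    pf_rules   > "${dir}/pf.conf"
}

if [ $# -gt 0 ]; then
    write_configs "$1"
fi
```

Run it as `sh ipsec-gen.sh /tmp/ipsec` to get the two files, read them, and only then load them. Because the SPD carries the tunnel endpoints and selectors, the "route add" line from the mail is not required; the routing table keeps its ordinary default route and the kernel applies the policy on the way out.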