> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari at ish.com.au>
wrote:
>
> I am at wits' end trying to get ipsec working correctly on FreeBSD 10.1.
> I've always used a script or helper (like pfsense) to get it working, and
> setting it up by hand is much harder than it seems. I've spent two solid
> days on this and read everything on the internet...
>
> So, I've got racoon working. The tunnel authenticates and comes up just
> fine. The racoon logs all look good. The other end (Sophos UTM in my case, which
> is just linux) also shows everything as up.
>
> As I understand it, a gif0 tunnel is not needed at all. It should all just
> work without one, despite the FreeBSD handbook. But I think I'm missing
> something about how gif0 ties into enc0, firewall rules and routing. So some
> questions please:
If you are trying to setup ipsec tunnel mode between two sites, ignore gif
entirely.
> 1. Let's say I'm not using gif0. Should I expect some routes to
> appear in the FreeBSD routing table? Or do I need to put them there myself? If
> so, what should I be adding? I've seen things like:
>
> route add $remote_net/24 $remote_internal_address
>
> But how does the OS know where to send traffic to $remote_internal_address?
> Is that something racoon takes care of?
No, there are no routes involved; your security policy deals with this. setkey
-DP is your friend. You can have racoon inject the policy for you if you want,
otherwise ipsec.conf is where it goes.
> 2. If I am using gif0 do I need to also use gif0 on the other end? This
> adds another layer of encapsulation which I need to remove at the remote
> firewall don't I?
Yes.
> 3. What does this mean:
>
> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
>
> Is that mask for the remote end or for the local end?
Or just to be there.
> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and
> ipencap through in both directions, can I control the traffic inside the tunnel?
> Do I need to add rules for that traffic or will it always go through?
For that you'll need enc(4) to do it properly. Check the man page for settings.
You might want to change them off the defaults.
--
Bjoern A. Zeeb
Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life. Many might have failed
beneath the bitterness of their trial had they not found a friend."
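A worked policy for the no-gif, tunnel-mode setup the reply describes, as an added example that is not part of the thread: it emits the setkey(8) SPD entries for /etc/ipsec.conf (the security policy that replaces any `route add`) and the matching pf rules for the outside interface and enc0. All addresses and the interface name `em0` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the setkey(8)
# security-policy entries and the pf rules for a site-to-site ESP tunnel
# (tunnel mode, no gif(4)). The kernel SPD, not the routing table, decides
# which packets get encapsulated, so no 'route add' is needed.

# Lines for /etc/ipsec.conf (loaded with 'setkey -f', inspected with
# 'setkey -DP'). Arguments: local net, remote net, local gw, remote gw.
ipsec_policy() {
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$2" "$1" "$4" "$3"
}

# pf rules: IKE (UDP 500, plus 4500 for NAT-T) and ESP from the peer on the
# outside interface; the decapsulated inner traffic is filtered on enc0.
# Arguments: outside interface, local net, remote net, remote gw.
pf_rules() {
    printf 'pass in quick on %s proto udp from %s to (%s) port { 500, 4500 }\n' \
        "$1" "$4" "$1"
    printf 'pass in quick on %s proto esp from %s to (%s)\n' "$1" "$4" "$1"
    printf 'pass in on enc0 from %s to %s\n' "$3" "$2"
    printf 'pass out on enc0 from %s to %s\n' "$2" "$3"
}

# Constructed placeholder values (documentation ranges, not real sites).
LOCAL_NET=192.168.1.0/24   REMOTE_NET=192.168.0.0/24
LOCAL_GW=203.0.113.1       REMOTE_GW=198.51.100.1
EXT_IF=em0

# enc(4) must be loaded for the enc0 rules to see anything; its
# net.enc.in.ipsec_filter_mask / net.enc.out.ipsec_filter_mask sysctls
# select at which stage of IPsec processing pf sees the packets (see the
# man page; the reply above suggests moving them off the defaults).
ipsec_policy "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
pf_rules "$EXT_IF" "$LOCAL_NET" "$REMOTE_NET" "$REMOTE_GW"
```

Run it and compare the emitted spdadd lines against `setkey -DP` once the policy is loaded; if racoon is injecting the policy instead, the same two entries should appear there.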