> On 30 Dec 2014, at 05:22 , Aristedes Maniatis <ari at ish.com.au> wrote:
>
> On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>>
>>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari at ish.com.au> wrote:
>>>
>>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>>
>> No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.
>
> Am I right in saying that I would not get this far if setkey wasn't already correct?
>
> But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network except for the remote firewall itself are not sent through the tunnel. I guess I'll need to add a route for those after all.
>
> Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)

Hint: not sure if you are testing from the gateway itself; if you do you might have to use a specific source address (internal) with ping/telnet/etc.

Otherwise, read man setkey on the difference of "use" vs. "require" vs. "unique" for the level in the policy part.

--
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
On 2/01/2015 10:46am, Bjoern A. Zeeb wrote:
> Hint: not sure if you are testing from the gateway itself; if you do you might have to use a specific source address (internal) with ping/telnet/etc.
>
> Otherwise, read man setkey on the difference of "use" vs. "require" vs. "unique" for the level in the policy part.

Thanks for your (and Dewayne's) help with this. Hopefully the insights here will be useful for other people getting setkey to work. What I've discovered so far (in a nutshell) is:

* ignore the FreeBSD handbook which talks about gif0. That is wrong for the common use-case of integration with a third party VPN device.
* No routing rules should be required, since 'setkey' does it all
* Even racoon isn't strictly needed: you can get the whole thing working with just setkey and the 'add' command. But racoon is really the easiest part.
* 'spdadd ... ipsec esp/transport/...' is useful for connecting one IP address at each end
* 'spdadd ... ipsec esp/tunnel/...' is what you need when creating a VPN tunnel between a network at each end
* 'unique' is probably what you want when using racoon and a tunnel
* pf (or probably other firewalls) on the endpoint itself is only needed to allow the esp/isakmp traffic out and in. It has no control over what is inside the tunnel because it appears that the ipsec tunnel completely bypasses the routing rules and the packet filter rules in FreeBSD. There is an enc interface (needs a kernel recompile) to help with that.

After all this, a large part of my problem is that creating a tunnel between two endpoints doesn't seem to allow traffic from the endpoint itself into the tunnel (despite liberal use of -s and -i to bind traceroute to certain interfaces or IP addresses), so make sure you test from a different device and not the firewall itself to check that you have things working. I still haven't solved how to get traffic from the endpoint machine itself into the tunnel. Maybe I need to create a transport as well as a tunnel?
Other than the helpful Bjoern and Dewayne, another useful resource I found was http://linuxgazette.net/126/pfeiffer.html (a good general explanation of terminology and concepts).

Next I'm going to play with strongswan. It has vastly better documentation [1] than racoon/ipsec-tools so perhaps it will be easier that way to resolve my remaining routing issue.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples

Thanks
Ari

--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
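The two policy shapes Ari summarises above (esp/transport for a single host pair, esp/tunnel between two networks) together with the "unique" level Bjoern points to in man setkey, written out as an added setkey/ipsec.conf example for readers; it is not configuration from this thread, and the 203.0.113.1 / 198.51.100.1 gateway addresses and the 192.168.1.0/24 / 192.168.2.0/24 networks are constructed placeholders.

```conf
# Constructed example: gateway A at 203.0.113.1 fronts 192.168.1.0/24,
# gateway B at 198.51.100.1 fronts 192.168.2.0/24 (placeholder addresses).
# Load on gateway A with: setkey -f /etc/ipsec.conf
# Check what the kernel actually holds with: setkey -DP

# Start from an empty policy database so stale entries do not shadow these.
spdflush;

# Network-to-network VPN: tunnel mode. The selector is the inner (private)
# traffic; the esp/tunnel/ part names the outer gateway pair that carries it.
# "unique" binds each policy to its own SA, so racoon negotiates a separate
# SA per policy and direction instead of reusing any SA that happens to match.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique;

# Host-to-host: transport mode protects traffic between the two gateway
# addresses themselves. There is no outer address pair, hence the empty field.
# "require" refuses to send the packet in the clear if no SA exists yet.
spdadd 203.0.113.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 203.0.113.1 any -P in  ipsec esp/transport//require;
```

Traffic originating on gateway A only matches the tunnel policy when its source address lies inside 192.168.1.0/24 (for example ping -S 192.168.1.1 192.168.2.10), which is the source-address point Bjoern raises; testing from a separate host on the LAN sidesteps the question entirely. The packet filter still has to pass ESP and ISAKMP (UDP 500) between the two gateway addresses, as noted in the summary above.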