On 26.07.2017 at 12:20, Andrey V. Elsukov wrote:
On 26.07.2017 12:47, Muenz, Michael wrote:
When I type setkey -PD I get:
10.24.66.0/24[any] 10.26.1.0/24[any] any
in ipsec
esp/tunnel/81.24.74.3-213.244.192.191/unique:2
created: Jul 26 11:03:53 2017 lastused: Jul 26 11:40:02 2017
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=5 seq=1 pid=4292
refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:2
created: Jul 26 11:03:53 2017 lastused: Jul 26 11:40:02 2017
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=6 seq=0 pid=4292
refcnt=1
So it's in use.
But when I type in your command it just "hangs". Not the system, but the
command doesn't get completed.
root@PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;
<waiting cursor>
You need to do it this way:
1. setkey -v -c <press Enter>
2. type the policy specification
3. press Enter and then press ^D
# setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:2 ;
^D
Also, since your policies use the "unique" level, you need to specify the
same level using the "unique:N" syntax.
Also, if it is interesting to you, I patched ipfw_nat to be able to specify
the needed direction. The patch is not tested at all :)
https://people.freebsd.org/~ae/nat_in_out.diff
You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also
ipfw(8) binary.
With this patch you can use the following commands:
ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat-out 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-in 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
or these:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat-in 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-out 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
Or maybe the guys from OPNsense can help with testing.
You are a genius! Many thanks for your patience with me! Now I have a
running setup and it also works with the unpatched OPNsense kernel:
kldload ipfw_nat
ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
setkey -PD | grep unique
setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
^D
That's all! I got it running, did a reboot and then it failed every time
until I saw that the number after unique changes.
How is this number calculated? I need this for templating the script.
Thanks for your help, you made my day/week/month/year :)
Michael
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
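The procedure Michael ends up with (read the unique level from `setkey -PD`, feed the spdadd line to `setkey -c` on stdin instead of as arguments, add the two ipfw nat rules) as a templated shell script. This is an added example and not code from the thread, from FreeBSD or from OPNsense: the `setkey -PD` text is a constructed sample modelled on the listing above, the function names are my own, and the script does not answer how the unique number is calculated; it only reads whatever level the running tunnel policy has and refuses to install a policy when it cannot find one. The apply_* functions need root on the FreeBSD/OPNsense box; the rest runs anywhere with sh and sed.

```shell
#!/bin/sh
# Added example, not from the thread. Template the extra SPD entry for a second
# subnet: read the "unique:N" level of the existing tunnel policy out of
# `setkey -PD`, build the spdadd line, and feed it to `setkey -c` on stdin
# (passing the policy as arguments after -c is what hung in the thread).

# Constructed sample of `setkey -PD` output, modelled on the listing in the thread.
SAMPLE_SPD='10.24.66.0/24[any] 10.26.1.0/24[any] any
        in ipsec
        esp/tunnel/81.24.74.3-213.244.192.191/unique:2
        created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=5 seq=1 pid=4292
        refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
        out ipsec
        esp/tunnel/213.244.192.191-81.24.74.3/unique:2
        created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=6 seq=0 pid=4292
        refcnt=1'

# unique_level LOCAL REMOTE SPD_TEXT
# Prints N from the first "esp/tunnel/LOCAL-REMOTE/unique:N" line in SPD_TEXT;
# returns 1 and prints nothing when no such tunnel policy exists, so a caller
# never installs a policy with an empty or guessed level.
unique_level() {
    l=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    r=$(printf '%s' "$2" | sed 's/\./\\./g')
    n=$(printf '%s\n' "$3" \
        | sed -n "s|.*esp/tunnel/$l-$r/unique:\([0-9][0-9]*\).*|\1|p" \
        | head -n 1)
    [ -n "$n" ] && printf '%s\n' "$n"
}

# build_spdadd SRC DST LOCAL REMOTE LEVEL
# Prints the outbound spdadd line in the form Andrey gave, ending in " ;".
build_spdadd() {
    printf 'spdadd -4 %s %s any -P out ipsec esp/tunnel/%s-%s/unique:%s ;\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# apply_policy SRC DST LOCAL REMOTE   (root on the firewall)
# Reads the live SPD, derives the level, pipes the policy into setkey on stdin.
apply_policy() {
    level=$(unique_level "$3" "$4" "$(setkey -PD)") \
        || { echo "no unique-level policy for tunnel $3-$4" >&2; return 1; }
    build_spdadd "$1" "$2" "$3" "$4" "$level" | setkey -v -c
}

# apply_nat SRC DST NAT_IP   (root; the rules Michael reports working unpatched)
apply_nat() {
    kldload -n ipfw_nat
    ipfw nat 1 config ip "$3" log
    ipfw add 179 nat 1 log all from "$1" to "$2" out xmit enc0
    ipfw add 179 nat 1 log all from "$2" to "$3" in recv enc0
}

# Offline demo against the constructed sample: prints the line that would be installed.
LEVEL=$(unique_level 213.244.192.191 81.24.74.3 "$SAMPLE_SPD") || exit 1
build_spdadd 10.26.2.0/24 10.24.66.0/24 213.244.192.191 81.24.74.3 "$LEVEL"
# On the firewall, once the tunnel is up:
#   apply_nat 10.26.2.0/24 10.24.66.0/24 10.26.1.1
#   apply_policy 10.26.2.0/24 10.24.66.0/24 213.244.192.191 81.24.74.3
```

Because the level is read from the running SPD each time rather than hard-coded, the script survives the reboot case Michael describes, where the number after unique is different from the one used before; if the tunnel policy is not up yet, apply_policy fails loudly instead of installing a mismatched entry.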