Freebsd Racoon setkey configuration format?

by DPfiler   Last Updated August 13, 2019 21:00 PM

When configuring setkey to add Security Policy Database entries for AWS tunnels, I understand that I should let the kernel know which traffic I want encrypted. So I added my internal network going to the remote VPC (AWS) network and the other way around.

For example:

    spdadd 25.25.25.64/26 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
    spdadd 10.1.0.0/24 25.25.25.64/26 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;

Above is understood.

The confusion I have is that the setkey configuration would not work unless I included the local tunnel IP associated with the remote tunnel IP, such as:

    spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
    spdadd 169.254.1.1/30 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;

Do I have to add the /32 tunnel IP with a CIDR of /30 as above, or can I change it to 169.254.1.0/30?

I prefer not to test this by trial and error.

I am also confused as to why I need the local tunnel IP associated with the VPC network:

    spdadd 169.254.1.2/30 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
    spdadd 10.1.0.0/24 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;

The biggest confusion I have is that the configuration above works, but when I try the following (instance with IP 10.1.0.1 on the AWS side, instance with IP 25.25.25.66 on the local network):

    ping -S 169.254.1.2 10.1.0.1   # Does not work even though I provided the spdadd

    ping -S 25.25.25.66 10.1.0.1   # Works, as expected because I added the spdadd

Any guidance would be much appreciated!
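As an added illustration (not part of the question above, and not setkey's or the FreeBSD kernel's own code), the following Python models how the `address/prefixlen` selectors in these spdadd statements select traffic, treating each one as an ordinary CIDR prefix: the host bits are masked off, so 169.254.1.2/30 covers 169.254.1.0 through 169.254.1.3 and denotes the same selector as 169.254.1.0/30. The spdadd lines are the ones from the question; the "first matching policy in listed order wins" rule and the `which_selector_applies` helper are constructed for the example, and the real SPD evaluation (including what the `use` level does when no SA exists) is not reproduced. On the host itself, `setkey -DP` shows the installed policies and is the authoritative check.

```python
"""Toy model of setkey(8) SPD selector matching (added example, not from the
original post and not setkey's own code).

Assumptions made here: a selector written as address/prefixlen is an ordinary
CIDR prefix, so the host bits are ignored and 169.254.1.2/30 denotes the same
four addresses as 169.254.1.0/30; and the first policy whose direction and
selector cover a packet is the one that applies (constructed rule order).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One spdadd statement; several may sit on one line, as in the question.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/tunnel/(?P<t_src>[\d.]+)-(?P<t_dst>[\d.]+)/(?P<level>\w+)\s*;"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    tunnel_src: str
    tunnel_dst: str
    level: str


def parse_spd(text: str) -> List[Policy]:
    """Turn spdadd statements into Policy objects; strict=False masks host bits."""
    return [
        Policy(
            src=ipaddress.ip_network(m.group("src"), strict=False),
            dst=ipaddress.ip_network(m.group("dst"), strict=False),
            direction=m.group("dir"),
            tunnel_src=m.group("t_src"),
            tunnel_dst=m.group("t_dst"),
            level=m.group("level"),
        )
        for m in SPDADD_RE.finditer(text)
    ]


def same_selector(a: str, b: str) -> bool:
    """True when two address/prefixlen selectors cover exactly the same addresses."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def lookup(policies: List[Policy], src_ip: str, dst_ip: str, direction: str) -> Optional[Policy]:
    """Return the first policy whose selector covers src->dst in that direction, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


# The spdadd statements from the question, in the order they were given.
LAN_TO_VPC = """
spdadd 25.25.25.64/26 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
spdadd 10.1.0.0/24 25.25.25.64/26 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;
"""
LINK_TO_LINK = """
spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use; spdadd 169.254.1.1/30 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;
"""
LINK_TO_VPC = """
spdadd 169.254.1.2/30 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use; spdadd 10.1.0.0/24 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;
"""


def which_selector_applies(src_ip: str, dst_ip: str, with_link_to_vpc: bool) -> Optional[str]:
    """Outbound lookup against the SPD with or without the third pair of rules.

    Returns the matching policy's (masked) source selector as text, or None
    when no policy covers the packet, i.e. no IPsec policy is attached to it.
    """
    text = LAN_TO_VPC + LINK_TO_LINK + (LINK_TO_VPC if with_link_to_vpc else "")
    hit = lookup(parse_spd(text), src_ip, dst_ip, "out")
    return None if hit is None else str(hit.src)


if __name__ == "__main__":
    print(same_selector("169.254.1.2/30", "169.254.1.0/30"))        # True
    print(which_selector_applies("25.25.25.66", "10.1.0.1", False))  # 25.25.25.64/26
    print(which_selector_applies("169.254.1.2", "10.1.0.1", False))  # None
    print(which_selector_applies("169.254.1.2", "10.1.0.1", True))   # 169.254.1.0/30
```

Under this model the link-local source 169.254.1.2 is covered by no outbound policy toward 10.1.0.0/24 until the third pair of statements is present, while 25.25.25.66 is covered by the first pair; the model only shows which selector a packet falls under, not why a covered packet would still fail to get a reply.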
