Freebsd Racoon setkey configuration?

tpfiler

New Member


Messages: 7

When configuring Setkey to add Security Policy Database for AWS tunnels I understand that I should let the kernel know what traffic I want to get encrypted.
And so I added my internal network to go to the remote VPC (AWS) network and the other way around.

For example:
spdadd 25.25.25.64/26 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
spdadd 10.1.0.0/24 25.25.25.64/26 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;
Above is understood.

The confusion I have is that the setkey configuration would not work unless I included the local tunnel ip associated to the remote tunnel ip, such as:
spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
spdadd 169.254.1.1/30 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;


Do I have to add the /32 tunnel ip with a cidr of /30 as above or can I change it to 169.254.1.0/30

I prefer not to test this by trial and error.
I am also confused as to why I need the local tunnel ip associated to the VPC network:
spdadd 169.254.1.2/30 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;
spdadd 10.1.0.0/24 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;


The biggest confusion I have is that the configuration above works but when I try:

Instance with ip 10.1.0.1 AWS side Instance with ip 25.25.25.66 Local network
ping -S 169.254.1.2 10.1.0.1 #Does not work even though I provided the spdadd
ping -S 25.25.25.25.66 10.1.0.1 #Works, as expected because I added the spdadd
Any guidance would be much appreciated!
 
Top