Installing strongswan in a jail

I have a working ipsec connection between two sites running FreeBSD 13.3. The connection tunnels all traffic from the clients at site A (10.X.X.X) to site B (192.68.X.X, WAN). Clients at site A access the internet through a gateway (NAT) at site B.

At this point, all core functionality seems to work*. For security and portability, I think it would be nice to move the installation from the main host environment into a jail. However, the strongswan service doesn't even start. The relevant error messages extracted from daemon.log seem to be:
Code:
charon[51477]: 00[LIB] loading feature CUSTOM:libcharon in plugin 'charon'
charon[51477]: 00[LIB]   loading feature NONCE_GEN in plugin 'nonce'
charon[51477]: 00[LIB]     loading feature RNG:RNG_WEAK in plugin 'openssl'
charon[51477]: 00[LIB]     loading feature RNG:RNG_STRONG in plugin 'random'
charon[51477]: 00[LIB]     loading feature RNG:RNG_STRONG in plugin 'openssl'
charon[51477]: 00[LIB]     loading feature RNG:RNG_TRUE in plugin 'random'
charon[51477]: 00[LIB]   loading feature CUSTOM:libcharon-sa-managers in plugin 'charon'
charon[51477]: 00[LIB]     loading feature HASHER:HASH_SHA1 in plugin 'sha1'
charon[51477]: 00[LIB]     loading feature HASHER:HASH_SHA1 in plugin 'openssl'
charon[51477]: 00[LIB]   loading feature CUSTOM:libcharon-receiver in plugin 'charon'
charon[51477]: 00[LIB]     loading feature CUSTOM:socket in plugin 'socket-default'
charon[51477]: 00[LIB]       feature CUSTOM:socket in plugin 'socket-default' has unmet soft dependency: CUSTOM:kernel-ipsec
charon[51477]: 00[NET] could not open socket: Protocol not supported
charon[51477]: 00[NET] could not open IPv6 socket, IPv6 disabled
charon[51477]: 00[NET] installing IKE bypass policy failed

It looks like the ipsec socket is the issue.

I've tried a few options in /etc/jail.conf, including:
Code:
allow.raw_sockets;
allow.socket_af;
allow.reserved_ports;

I don't think ipsec creates any specific /dev device, but I've tried passing additional resources to the jail using /etc/devfs.rules:
Code:
/dev/pf
/dev/enc
/dev/

Should this configuration -- strongswan running in a jail -- be generally expected to work? If so, what am I missing?

Thanks,
Daniel

*Outbound NAT didn't work until I set sysctl net.inet.ip.forwarding=1.
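As an added example (not from the post and not strongSwan's own code), a small C pre-flight check that, run inside the jail, tries each kind of socket charon opens: IPv4 and IPv6 UDP, a bind to UDP port 500 for IKE, and the PF_KEY socket the kernel-pfkey plugin uses to talk to kernel IPsec. The jail.conf knob it suggests for each failure is my reading of jail(8), not something the post establishes.

```c
/* Pre-flight probe of the socket types strongSwan's charon needs, run inside
 * the jail: 0 means ok, otherwise the errno hit.  Added example, not from the
 * post or strongSwan.  Assumed jail.conf mapping: AF_INET/AF_INET6 -> ip4/ip6,
 * UDP 500 -> allow.reserved_ports, PF_KEY -> allow.socket_af. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifndef PF_KEY_V2
#define PF_KEY_V2 2 /* protocol number from <net/pfkeyv2.h>, kept portable */
#endif
/* socket(domain, type, protocol): 0 on success, else errno. */
int probe_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* IPv4 UDP bind to port: 0 or errno.  EACCES on 500 means no allow.reserved_ports (or not root). */
int probe_udp_bind(unsigned short port)
{
    struct sockaddr_in sin;
    int err = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        err = errno;
    close(fd);
    return err;
}

static const char *msg(int err) { return err ? strerror(err) : "ok"; }
int main(void)
{
    printf("AF_INET UDP socket    %s\n", msg(probe_socket(AF_INET, SOCK_DGRAM, 0)));
    printf("AF_INET6 UDP socket   %s\n", msg(probe_socket(AF_INET6, SOCK_DGRAM, 0)));
    printf("UDP bind to port 500  %s\n", msg(probe_udp_bind(500)));
    printf("PF_KEY socket         %s\n", msg(probe_socket(PF_KEY, SOCK_RAW, PF_KEY_V2)));
    return 0;
}
```

Run it as root inside the jail and compare against the same run on the host; a line that says "Protocol not supported" only in the jail points at the jail's socket restrictions rather than at strongSwan's configuration.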