From owner-freebsd-net Tue Mar 6 21:12:00 2001
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 57C3337B718 for ; Tue, 6 Mar 2001 21:11:56 -0800 (PST) (envelope-from larse@ISI.EDU)
Received: from [66.27.64.64] (we-66-27-64-64.we.mediaone.net [66.27.64.64]) by boreas.isi.edu (8.11.2/8.11.2) with ESMTP id f275BrG26359; Tue, 6 Mar 2001 21:11:53 -0800 (PST)
User-Agent: Microsoft-Entourage/9.0.2509
Date: Tue, 06 Mar 2001 21:11:51 -0800
Subject: Re: IPSEC + natd + IPFW
From: Lars Eggert
To: Stephen Cimarelli
Cc:
Message-ID:
In-Reply-To:
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 1:43 PM +1100 3/7/01, Stephen Cimarelli wrote:
> On 07-Mar-01 Lars Eggert wrote:
>> Do you use IPsec tunnel mode, or IPsec transport mode + gif tunnels to do
>> the tunneling?
>
> Well, this is where it starts to get funny. I have 2 HOWTOs.
> Both HOWTOs use gif tunnels, but
> the FreeBSD IPsec mini-HOWTO
> uses IPsec transport + gif tunnels
> and
> the IPSEC VPN tunnel on FreeBSD 4.x HOWTO
> uses IPsec tunnel + gif tunnels.
> ------------------------------
> For me, only IPsec tunnel + gif tunnels works.

First off, I have never used IPsec together with NAT. But it seems to me that you can set up one after the other.

If you use IPsec tunnels, you shouldn't need gif tunnels at all. If you do, that is probably a sign that your routes aren't set up correctly. IPsec tunnels are configured in the SA database, and don't show up in the routing table. IPsec processing occurs before routing, and this works for simple cases. (E.g. "take all traffic that matches this pattern, and apply this tunnel-mode SA".)
I suspect that you run into the same problem with IPsec tunnels that we (= the X-Bone project) ran into a while ago, when we tried to get dynamic routing to work over IPsec tunnels: it doesn't work, because IPsec tunnels aren't represented in the routing table, and thus are invisible to gated/mrtd.

We solved this by using IPIP tunnels (= gif devices) together with IPsec transport mode. Tunneling is done first, and the transport-mode IPsec SA is applied after IPIP encapsulation. In this case, your tunnels are represented in the routing table, and appear to be regular network interfaces (unlike IPsec tunnels).

I'm not sure how NAT fits into this picture, though. It's probably based on packet matching/rewriting (like ipfw), in which case your IPsec tunnel-mode SA probably won't be applied to the rewritten packet, and it falls on the floor. There's a good chance that IPIP tunnels still catch and forward them, however; routing is done after rewriting, as far as I remember.

The other benefit of using IPIP tunnels + IPsec transport mode is that you can configure and debug the tunneling first, and then add IPsec processing after you've got the tunneling up.

More details on this are in "Use of IPSEC Transport Mode for Virtual Networks" at ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-01.txt

Lars
--
Lars Eggert
Information Sciences Institute
http://www.isi.edu/larse/
University of Southern California
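The two layouts Lars contrasts, written out as an added example (this is not code from the thread, the HOWTOs, or the X-Bone project). The script emits, for one gateway, either a tunnel-mode-only policy or a gif (IPIP) tunnel plus a transport-mode policy that matches only the IPIP packets between the two outer addresses. Command syntax is that of FreeBSD 4.x gifconfig(8), ifconfig(8), route(8) and KAME setkey(8); all addresses, networks, SPIs and keys are constructed placeholders, and the shared-key/shared-SPI arrangement is an assumption made to keep one setkey file usable on both gateways.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits, for gateway A or B:
#   (a) tunnel_mode_setkey: IPsec tunnel mode alone. Selectors live in the
#       SPD; nothing appears in the routing table, so gated/mrtd cannot see it.
#   (b) gif_commands + transport_mode_setkey: a gif (IPIP) tunnel with a real
#       interface and route, then transport-mode ESP applied to the IPIP packets.
# Constructed topology: gateway A fronts 10.1.0.0/16, gateway B fronts 10.2.0.0/16.
OUTER_A=192.0.2.1;    NET_A=10.1.0.0/16; GIF_A=10.1.0.1
OUTER_B=198.51.100.1; NET_B=10.2.0.0/16; GIF_B=10.2.0.1
# Placeholder manual keys, same in both directions for brevity (replace before
# use): 3des-cbc wants 24 bytes, hmac-sha1 wants 20 bytes.
ESP_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef
AUTH_KEY=0x0123456789abcdef0123456789abcdef01234567

# key_hex_bytes 0xHEX -> number of bytes the hex string encodes
key_hex_bytes() {
    k=${1#0x}
    echo $(( ${#k} / 2 ))
}

# check_keys: wrong key length is the usual reason setkey rejects an "add" line
check_keys() {
    [ "$(key_hex_bytes "$ESP_KEY")" -eq 24 ] || return 1
    [ "$(key_hex_bytes "$AUTH_KEY")" -eq 20 ] || return 1
}

# endpoints A|B: set L_* (this gateway) and R_* (the peer)
endpoints() {
    case $1 in
        A) L_OUT=$OUTER_A; L_NET=$NET_A; L_GIF=$GIF_A
           R_OUT=$OUTER_B; R_NET=$NET_B; R_GIF=$GIF_B ;;
        B) L_OUT=$OUTER_B; L_NET=$NET_B; L_GIF=$GIF_B
           R_OUT=$OUTER_A; R_NET=$NET_A; R_GIF=$GIF_A ;;
        *) echo "usage: A|B" >&2; return 1 ;;
    esac
}

# sa_entries tunnel|transport: manual SAs, identical on both gateways except
# for the mode (SPI 0x10001 for A->B, 0x10002 for B->A; an assumption here)
sa_entries() {
    cat <<EOF
add $OUTER_A $OUTER_B esp 0x10001 -m $1 -E 3des-cbc $ESP_KEY -A hmac-sha1 $AUTH_KEY;
add $OUTER_B $OUTER_A esp 0x10002 -m $1 -E 3des-cbc $ESP_KEY -A hmac-sha1 $AUTH_KEY;
EOF
}

# Layout (a): inner-net to inner-net selectors, encapsulated by the SPD entry.
tunnel_mode_setkey() {
    endpoints "$1" || return 1
    cat <<EOF
flush; spdflush;
spdadd $L_NET $R_NET any -P out ipsec esp/tunnel/$L_OUT-$R_OUT/require;
spdadd $R_NET $L_NET any -P in  ipsec esp/tunnel/$R_OUT-$L_OUT/require;
EOF
    sa_entries tunnel
}

# Layout (b), step 1: the IPIP tunnel. Bring this up first and ping the peer's
# gif address before loading any IPsec policy, so tunneling is debugged alone.
gif_commands() {
    endpoints "$1" || return 1
    cat <<EOF
gifconfig gif0 $L_OUT $R_OUT
ifconfig gif0 inet $L_GIF $R_GIF netmask 255.255.255.255
route add -net $R_NET $R_GIF
EOF
}

# Layout (b), step 2: transport-mode ESP that matches only IPIP ("ipencap",
# protocol 4 in /etc/protocols) between the outer addresses, never inner traffic.
transport_mode_setkey() {
    endpoints "$1" || return 1
    cat <<EOF
flush; spdflush;
spdadd $L_OUT $R_OUT ipencap -P out ipsec esp/transport//require;
spdadd $R_OUT $L_OUT ipencap -P in  ipsec esp/transport//require;
EOF
    sa_entries transport
}

# Usage: sh vpn-layouts.sh A|B  (prints layout (b) for that gateway)
if [ $# -gt 0 ]; then
    check_keys || { echo "bad key length" >&2; exit 1; }
    gif_commands "$1" && transport_mode_setkey "$1"
fi
```

Feed the setkey output to `setkey -f` on each gateway after the gif commands have been run and the inner addresses answer ping; the tunnel-mode output is the alternative to both, and notably contains no route or interface command, which is exactly why it stays invisible to a routing daemon.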