Date: Fri, 18 Aug 2006 13:26:27 -0700
From: Yu-Shun Wang <yushunwa@ISI.EDU>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: remko@freebsd.org, net@freebsd.org
Subject: Re: Routing IPSEC packets?
Message-ID: <44E62273.1030402@isi.edu>
In-Reply-To: <cb5206420608181258w3c845f93w589525e4c7293816@mail.gmail.com>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <cb5206420608181236h34c0b85fwffc93bdd6c6979f4@mail.gmail.com> <44E619F7.7030300@isi.edu> <cb5206420608181258w3c845f93w589525e4c7293816@mail.gmail.com>
Andrew Pantyukhin wrote:
> On 8/18/06, Yu-Shun Wang <yushunwa@isi.edu> wrote:
>> Andrew Pantyukhin wrote:
>> > On 8/18/06, Yu-Shun Wang <yushunwa@isi.edu> wrote:

<... snip the orig Q, rfc3884 bits, and the gif stuff...>

>> You won't have any problem if you are using IP-IP with IPsec
>> transport mode on both ends. It's been a while, but we did
>> try one end with IP-IP+IPsec transport and the other with
>> IPsec tunnel mode. (Of course, you will need to make sure
>> everything matches: SPI, inner/outer addresses, keys, etc.)
>> The RFC is dated Sep. 2004; we probably tried it long before
>> that, so it had to be some older FreeBSD versions. We even
>> tested with Linux (FreeSWAN back then) as the other end.
>>
>> I haven't been tracking the gif code; it SHOULD work, but
>> if something did change the packets on the wire, then
>> all bets are off.
>>
>> Hope this clarified a bit.
>
> Yep, thanks.
>
> I'm actually trying to marry FreeBSD to PIX. The latter only
> supports IPSec (tunnel/transport). I'm still struggling with
> firewalls on both sides, but tunnel-tunnel works right now.

Yeah, I forgot to say: if you don't need to do routing over the tunnels, I'd just use IPsec tunnel mode at both ends, especially if you use IKE. We were trying to make secure IP overlay networks to support dynamic routing *within* overlays when we found the problem.

> I'm a bit puzzled because the howto I see
> (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> with tunnel-mode IPSec. Either something is wrong with
> the way things work or the author doesn't understand what
> he's doing (or both). The bitter thing is that we have a
> similar setup in our handbook:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

*NOTE: I haven't read that link, so below could be way off.*

It's a common hack people used to get around the fact that IPsec is not integrated in any way with IP routing.

But if you think about it, IPsec tunnel mode is adding a type of *link*, only it's outside the routing tables of the hosts. Adding a gif is just a way of putting the corresponding routes in the routing table. I am not sure if it's necessary if you are only doing static routes, though I suppose it depends on the topology and what you really want to do. It also has to do with whether you are using FreeBSD/Linux vs. commercial routers. We tried to cover different types of boxes in that RFC, but I wouldn't be surprised if we missed some different configs.

yushun
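The two setups compared in this thread (gif(4) IP-IP plus IPsec transport mode, versus IPsec tunnel mode alone), as an added example that is not part of the original messages or of FreeBSD: it generates the setkey(8)/ifconfig(8) configuration text for both ends of one link and checks the "everything matches" requirement by verifying that the peer's SPD/SA lines mirror the local ones. Addresses are constructed RFC 5737 ranges, keys are placeholders, and nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: emit the two FreeBSD setups discussed
# above for one site-to-site link, and check that both ends agree on SPI,
# inner/outer addresses and mode ("everything matches"). Addresses are
# constructed RFC 5737 ranges, keys are placeholders, setkey(8)/ifconfig(8)
# syntax is assumed; with IKE the "add" (SA) lines are negotiated instead.

# Variant A: gif(4) IP-IP link plus IPsec transport mode on the ipencap
# (protocol 4) packets. gif is what puts a routable link in the table.
# Args: outer_local outer_remote inner_local inner_remote
gif_link() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}
# Args: outer_local outer_remote spi_out spi_in
spd_transport() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
    printf 'add %s %s esp %s -m transport -E aes-cbc "ENC_%s" -A hmac-sha256 "AUTH_%s";\n' "$1" "$2" "$3" "$3" "$3"
    printf 'add %s %s esp %s -m transport -E aes-cbc "ENC_%s" -A hmac-sha256 "AUTH_%s";\n' "$2" "$1" "$4" "$4" "$4"
}

# Variant B: IPsec tunnel mode alone. The selector is the inner subnets; no
# gif is needed, but the tunnel never shows up as a link in the routing table.
# Args: outer_local outer_remote inner_net_local inner_net_remote spi_out spi_in
spd_tunnel() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$3" "$2" "$1"
    printf 'add %s %s esp %s -m tunnel -E aes-cbc "ENC_%s" -A hmac-sha256 "AUTH_%s";\n' "$1" "$2" "$5" "$5" "$5"
    printf 'add %s %s esp %s -m tunnel -E aes-cbc "ENC_%s" -A hmac-sha256 "AUTH_%s";\n' "$2" "$1" "$6" "$6" "$6"
}

# Mirror check: side B's config must equal side A's with in/out swapped.
# Direction is masked, lines sorted, then compared. Returns 0 on a match,
# so a wrong SPI, swapped inner/outer address or mode mismatch is caught.
# Args: side_a_text side_b_text
peers_match() {
    mask() { sed -e 's/-P out /-P dir /' -e 's/-P in /-P dir /' | sort; }
    [ "$(printf '%s\n' "$1" | mask)" = "$(printf '%s\n' "$2" | mask)" ]
}

# Constructed sample: site A 192.0.2.1 / 10.0.1.0/24, site B 198.51.100.1 / 10.0.2.0/24
a_cfg=$(spd_tunnel 192.0.2.1 198.51.100.1 10.0.1.0/24 10.0.2.0/24 0x1001 0x1002)
b_cfg=$(spd_tunnel 198.51.100.1 192.0.2.1 10.0.2.0/24 10.0.1.0/24 0x1002 0x1001)
peers_match "$a_cfg" "$b_cfg" && echo "tunnel-mode peers agree"
```

Swapping the two SPIs on one side (or feeding one side's transport-mode output against the other's tunnel-mode output) makes `peers_match` fail, which is the class of mismatch the thread says you must rule out before blaming gif or the kernel.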
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44E62273.1030402>