Date: Tue, 27 May 2008 17:21:48 -0700
From: Julian Elischer <julian@elischer.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: Tom Judge <tom@tomjudge.com>, net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels
Message-ID: <483CA59C.9020608@elischer.org>
In-Reply-To: <20080527211250.M65662@maildrop.int.zabbadoz.net>
References: <483C51EE.7040700@tomjudge.com> <20080527201331.L65662@maildrop.int.zabbadoz.net> <483C70A9.2060500@tomjudge.com> <20080527204111.F65662@maildrop.int.zabbadoz.net> <483C7858.5000302@tomjudge.com> <20080527211250.M65662@maildrop.int.zabbadoz.net>
Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
>> Bjoern A. Zeeb wrote:
>>> On Tue, 27 May 2008, Tom Judge wrote:
>>>
>>> Hi,
>>>
>>>> Yes we do indeed see a reply from node b. It is good to hear that
>>>> this is a known issue.
>>>>
>>>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>>>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>>>> the handbook.
>>>
>>> 1) if you do not need the ipip tunnel because you need an interface
>>> and "link state changes" only go with the IPsec tunnel mode.
>>>
>>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>>> mode.
>>>
>>> (ignore the handbook, try to understand it;)
>>
>> I have 13 nodes in a partial mesh running ospf for routing. It would
>> not be trivial for me to switch from tunnel to transport mode. Also I
>> have not tested quagga when the ipsec is in transport mode, and I
>> guess I do need interfaces to use with quagga. I may test fixing this
>> additional overhead, but as they say if it's not broken don't fix it.
>
> Ok. So basically you have 12 gif tunnels on each node, if it would be
> a full mesh. So it's less.
>
> So a) you have two endpoints for the gif tunnel which are your Router
> A, Router B endpoint. So the only thing you would need to secure is
> your IPIP (gif) tunnel between two nodes (Router A, B). This is what
> transport mode is for.
>
> Running a traceroute, the IP stack would need to send the icmp ttl
> exceeded packet back via the gif tunnel which then would have to be
> encrypted.
>
> To my memory the problem is that this does not work.
>
> You could try to find out at which layer by running tcpdump on the
> (external) interface and the gif interfaces and if you have enc0 to
> see if/where the icmp possibly shows up.

I did this by running ng_iface into ng_ksocket(UDP) and using transport
mode for all the UDP packets. I had scripts to do it all, but
unfortunately it was at a previous company.

I allocated a number to each site from 1 to 8 and the endpoints inside
the tunnels were 10.42.ME.YOU 10.42.YOU.ME. The scripts were identical
on each machine, and to add a new machine I just added it to the list in
the script, distributed the new script, and ran it again on each machine.

>
> /bz
>
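As an added example (not code from this thread or from FreeBSD), a POSIX sh sketch of the per-node script Julian describes: every site gets a number, the gif endpoints follow the 10.42.ME.YOU / 10.42.YOU.ME convention, and, per Bjoern's point, only the IPIP traffic between the two public endpoints is placed under ESP transport mode with setkey(8) SPD entries instead of wrapping the whole gif in tunnel mode. The site table and the 192.0.2.x public addresses are constructed for illustration, and SA keying (IKE or manual `add`) is assumed to be handled elsewhere on the node.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates the gif + IPsec
# transport-mode configuration for one node of a partial mesh.
set -eu

# Constructed site table: "<site-number> <public-address> <peer-numbers...>".
SITES='1 192.0.2.1 2 3
2 192.0.2.2 1 3
3 192.0.2.3 1 2'

# Inner (gif) endpoints between ME and YOU: 10.42.ME.YOU and 10.42.YOU.ME.
inner_addrs() { printf '10.42.%s.%s 10.42.%s.%s\n' "$1" "$2" "$2" "$1"; }

# Public address of a site, looked up in the table.
pub_addr() { printf '%s\n' "$SITES" | awk -v n="$1" '$1 == n { print $2 }'; }

# Peers of a site (the partial mesh is encoded in the table).
peers_of() { printf '%s\n' "$SITES" | awk -v n="$1" '$1 == n { for (i = 3; i <= NF; i++) print $i }'; }

# Commands for one tunnel: the gif carrying IPIP between the public addresses,
# plus SPD entries requiring ESP transport mode for exactly that IPIP traffic.
# The gif unit number is the peer's site number, so it is stable on every node.
tunnel_config() {
    me=$1 you=$2
    mypub=$(pub_addr "$me") yourpub=$(pub_addr "$you")
    set -- $(inner_addrs "$me" "$you")
    printf 'ifconfig gif%s create\n' "$you"
    printf 'ifconfig gif%s tunnel %s %s\n' "$you" "$mypub" "$yourpub"
    printf 'ifconfig gif%s inet %s %s netmask 255.255.255.255\n' "$you" "$1" "$2"
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$mypub" "$yourpub"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$yourpub" "$mypub"
}

# Whole node: the same script runs on every site, parameterised only by ME.
site_config() {
    for you in $(peers_of "$1"); do
        tunnel_config "$1" "$you"
    done
}

# Usage: ME=2 sh mesh.sh   (prints the commands; feed the spdadd lines to setkey -c)
if [ -n "${ME:-}" ]; then site_config "$ME"; fi
```

Adding a site means appending one table line and re-running the script everywhere, which is the workflow Julian describes.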
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?483CA59C.9020608>