Date:      Fri, 22 Nov 2002 11:49:17 -0500
From:      Lars Eggert <larse@ISI.EDU>
To:        Helge Oldach <freebsd-stable-21nov02@oldach.net>
Cc:        Cambria Mike <mcambria@avaya.com>, archie@dellroad.org, guido@gvr.org, dkelly@hiwaay.net, hausen@punkt.de, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID:  <3DDE600D.1080509@isi.edu>
In-Reply-To: <200211221611.gAMGBO9j093412@sep.oldach.net>
References:  <200211221611.gAMGBO9j093412@sep.oldach.net>


Helge Oldach wrote:

> OK, I should have been more precise in stating the assumption of an IKE
> framework (racoon). IKE should be taught that gif+transport == tunnel. :-)
> That's where it breaks. It will however work fine with static keys.

The KAME implementation notes have some info on draft-touch in section 
4.8, specifically IKE: 
http://orange.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION?rev=1.320

Using IKE over the tunnel works fine, if both ends implement 
draft-touch. If one doesn't, there is an issue though.

And actually, IPIP+transport isn't exactly equivalent to tunnel mode in 
most current implementations. With tunnel mode, your SAs match on the 
inner header (inner IP plus you have access to the transport header) on 
both inbound and outbound. With IPIP+transport, your SAs match on the 
outer IP header, and can't currently match on transport headers.

RFC2401 is currently under revision, and the details of this are 
enthusiastically discussed (strong opinions on both sides.)

> Most examples on the net for setting up IPSec using racoon or isakmpd
> do it like this, for both tunnel and transport mode. Looking at the
> details in the tunnel mode case one can see that the gif holds more like
> a "routing placeholder" to get the routing table for the encapsulated
> network correct. That's the only purpose I can see. A loopback interface
> could do the same (doesn't work on FreeBSD for some reason), as could
> static ARP entries using the MAC address of the encapsulating network's
> default gateway.

Exactly, these tutorials are broken. They create an IPIP virtual 
topology using IPIP for routing, and a second parallel topology using 
IPsec tunnel mode for encryption. Things appear to work fine, until the 
two topologies get out of sync. Then forwarding fails, or your packets 
go silently unencrypted.

> In practice the problem presented in the paper is commonly solved in
> a different fashion: By using GRE or IPIP encapsulation *plus* tunnel
> mode. 

Why tunnel mode, specifically?

Thanks,
Lars
-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
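The message above warns that the gif-based IPIP topology and the tunnel-mode SPD are configured independently and can drift apart, after which forwarding fails or packets leave in cleartext. As an added example that is not part of this thread and not code from KAME, FreeBSD or racoon, the Python script below parses `setkey -DP` and `ifconfig gif0 gif1` output and reports gif interfaces whose outer endpoints are covered by no outbound tunnel-mode policy, and outbound tunnel-mode policies whose endpoints have no gif behind them. Both sample outputs are constructed for this example and only approximate the layout setkey(8) and ifconfig(8) print (an assumption, check against your own system); the addresses, interface names and the `Policy`, `Gif`, `parse_spd`, `parse_gifs` and `check_sync` names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating `setkey -DP` on FreeBSD/KAME (layout is an
# assumption; addresses are RFC 5737 documentation ranges).  The third policy
# points at a peer for which no gif exists.
SETKEY_DP = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    spid=1 seq=2 pid=1234
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require
    spid=2 seq=1 pid=1234
    refcnt=1
10.0.1.0/24[any] 10.0.4.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-203.0.113.77/require
    spid=3 seq=0 pid=1234
    refcnt=1
"""

# Constructed sample approximating `ifconfig gif0 gif1`.  gif1 has been
# re-pointed at a new peer (203.0.113.9) but the SPD was never updated.
IFCONFIG_GIF = """\
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    tunnel inet 192.0.2.1 --> 198.51.100.1
    inet 10.0.1.1 --> 10.0.2.1 netmask 0xffffffff
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    tunnel inet 192.0.2.1 --> 203.0.113.9
    inet 10.0.1.1 --> 10.0.3.1 netmask 0xffffffff
"""

SP_HEADER = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")
SP_TUNNEL = re.compile(r"^\s*(?:esp|ah|ipcomp)/tunnel/([\d.]+)-([\d.]+)/")
GIF_NAME = re.compile(r"^(gif\d+):")
GIF_TUNNEL = re.compile(r"^\s*tunnel inet ([\d.]+) --> ([\d.]+)")


@dataclass(frozen=True)
class Policy:
    direction: str  # "in", "out" or "fwd"
    src: str        # inner selector source
    dst: str        # inner selector destination
    local: str      # outer tunnel endpoint on this host
    remote: str     # outer tunnel endpoint on the peer


@dataclass(frozen=True)
class Gif:
    name: str
    local: str      # outer source of the IPIP encapsulation
    remote: str     # outer destination of the IPIP encapsulation


def parse_spd(text):
    """Collect tunnel-mode policies; transport-mode entries are skipped."""
    policies, src, dst, direction = [], None, None, None
    for line in text.splitlines():
        m = SP_HEADER.match(line)
        if m:  # selector line starts a new policy
            src, dst, direction = m.group(1), m.group(2), None
            continue
        words = line.split()
        if words and words[0] in ("in", "out", "fwd"):
            direction = words[0]
            continue
        m = SP_TUNNEL.match(line)
        if m and src is not None and direction is not None:
            policies.append(Policy(direction, src, dst, m.group(1), m.group(2)))
    return policies


def parse_gifs(text):
    """Collect (name, outer local, outer remote) for each gif interface."""
    gifs, name = [], None
    for line in text.splitlines():
        m = GIF_NAME.match(line)
        if m:
            name = m.group(1)
            continue
        m = GIF_TUNNEL.match(line)
        if m and name is not None:
            gifs.append(Gif(name, m.group(1), m.group(2)))
    return gifs


def check_sync(policies, gifs):
    """Compare both topologies by outer endpoint pair.

    Returns (uncovered, orphaned): gif names with no outbound tunnel-mode
    policy for their endpoints (traffic routed into them is unprotected by
    one), and outbound policies "src->dst" with no gif for their endpoints
    (no routing placeholder, so forwarding may fail).
    """
    out_pairs = {(p.local, p.remote) for p in policies if p.direction == "out"}
    gif_pairs = {(g.local, g.remote) for g in gifs}
    uncovered = [g.name for g in gifs if (g.local, g.remote) not in out_pairs]
    orphaned = [f"{p.src}->{p.dst}" for p in policies
                if p.direction == "out" and (p.local, p.remote) not in gif_pairs]
    return uncovered, orphaned


if __name__ == "__main__":
    bad_gifs, bad_sps = check_sync(parse_spd(SETKEY_DP), parse_gifs(IFCONFIG_GIF))
    for name in bad_gifs:
        print(f"{name}: no outbound tunnel-mode SP for its endpoints (cleartext risk)")
    for sel in bad_sps:
        print(f"{sel}: outbound tunnel-mode SP without a matching gif")
```

On a live system, feed it the real output (`setkey -DP` and `ifconfig gif0 gif1`) in place of the constructed strings. The check compares outer endpoint pairs only; it does not verify that each policy's inner selectors match the route installed over the gif, and a transport-mode policy on the outer addresses would not be recognised as covering a gif, so treat its report as a prompt to look, not as proof.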


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3DDE600D.1080509>