Date: Tue, 18 Mar 2003 20:26:39 -0000
From: "chris scott" <chris.scott@uk.tiscali.com>
To: <freebsd-questions@freebsd.org>
Subject: Re: ipsec and gre tunnels
Message-ID: <002f01c2ed8c$aea2bba0$c4102c0a@viper>
References: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
It always confused me why you would have two tunnels; however, gif and ipsec transport work fine. I just wanted to know why gre didn't work in the same way, as at present it makes no sense.

----- Original Message -----
From: "Brent Wiese" <brently@bjwcs.com>
To: "'chris scott'" <chris.scott@uk.tiscali.com>; <freebsd-questions@freebsd.org>
Sent: Tuesday, March 18, 2003 4:59 PM
Subject: RE: ipsec and gre tunnels

> It's a common mistake to do both gif and ipsec.
>
> I realize many of the handbooks you find say to do it. They're wrong.
> They've been contacted and most won't change them, which just misleads
> more people.
>
> Use ipsec in tunnel mode instead of transport and ditch gif.
>
> > Hi,
> >
> > I currently have a VPN set up between a few LANs using FreeBSD, ipsec
> > and gif tunnels. It all works perfectly. However, I noticed that there
> > is a new pseudo device for gre tunnels. As the overhead is supposed to
> > be less for this type of tunnel, I decided to test things out. I cvs'd
> > and made world and kernel on the two test machines. No problems here.
> > I tested the original tunnels, all working OK, and racoon was doing
> > key exchange with no problems. I set up the test gre tunnel with the
> > following syntax:
> >
> > /sbin/ifconfig gre0 create tunnel hostA hostB
> > /sbin/ifconfig gre0 192.168.250.34 192.168.250.33 netmask 255.255.255.252
> > /sbin/route add 192.168.250.33/30 -interface gre0
> > /sbin/ifconfig gre0 up
> >
> > Cool, the tunnel is up and seems to work OK. Now I implement the
> > following ipsec policy, which is just an extension of what I was using
> > before for the gif tunnels:
> >
> > spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
> > spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
> >
> > # these 2 rules are so i can connect to my ethernet dsl modem
> > # without the traffic getting encrypted, which is bad
> >
> > spdadd 10.0.0.0/24 10.0.0.0/24 gre -P out none ;
> > spdadd 10.0.0.0/24 10.0.0.0/24 gre -P in none ;
> >
> > spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
> > spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> >
> > Hmm, now the tunnel doesn't work. Key exchange seems to be OK, as the
> > gif tunnel is still working. Does anyone have any idea why the tunnel
> > should stop working? The man page for setkey has a mysterious
> > reference under the upperspec description:
> >
> >     We have many protocols in /etc/protocols, but protocols except of
> >     TCP, UDP and ICMP may not be suitable to use with IPsec. You have
> >     to consider and be careful to use them.
> >     icmp tcp udp all protocols
> >
> > Could gre be one of these protocols, and if so, why?
> >
> > root on gateway# ifconfig gre0
> > gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
> >         tunnel inet hostB --> hostA
> >         inet 192.168.250.34 --> 192.168.250.33 netmask 0xfffffffc
> > root on gateway# ifconfig gif0
> > gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >         tunnel inet hostB --> hostA
> >         inet 192.168.250.1 --> 192.168.250.2 netmask 0xfffffffc
> > root on gateway# ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 6 packets transmitted, 0 packets received, 100% packet loss
> > root on gateway# ping 192.168.250.1
> > PING 192.168.250.1 (192.168.250.1): 56 data bytes
> > ^C
> > --- 192.168.250.1 ping statistics ---
> > 5 packets transmitted, 0 packets received, 100% packet loss
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.682 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.543 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.981 ms
> > 64 bytes from 192.168.250.2: icmp_seq=3 ttl=64 time=37.159 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 4 packets transmitted, 4 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 37.159/37.591/37.981/0.296 ms
> > root on gateway# setkey -DP
> > 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
> >         in ipsec
> >         esp/transport//require
> >         spid=1004 seq=5 pid=75744
> >         refcnt=1
> > 10.0.0.0/24[any] 10.0.0.0/24[any] gre
> >         in none
> >         spid=1006 seq=4 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] gre
> >         in ipsec
> >         esp/transport//require
> >         spid=1008 seq=3 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
> >         out ipsec
> >         esp/transport//require
> >         spid=1003 seq=2 pid=75744
> >         refcnt=1
> > 10.0.0.0/24[any] 10.0.0.0/24[any] gre
> >         out none
> >         spid=1005 seq=1 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] gre
> >         out ipsec
> >         esp/transport//require
> >         spid=1007 seq=0 pid=75744
> >         refcnt=1
> > root on gateway# setkey -D
> > hostB hostA
> >         esp mode=transport spi=226290556(0x0d7ceb7c) reqid=0(0x00000000)
> >         E: 3des-cbc 9ef25cfa f136ecac e6548771 b6675ea5 2427613a d8079969
> >         A: hmac-sha1 fe01a845 3c3288ae 329bdd2e bff2bdb8 19224348
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
> >         diff: 1(s) hard: 30(s) soft: 24(s)
> >         last: hard: 0(s) soft: 0(s)
> >         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 0 hard: 0 soft: 0
> >         sadb_seq=3 pid=75781 refcnt=1
> > hostB hostA
> >         esp mode=transport spi=257583206(0x0f5a6866) reqid=0(0x00000000)
> >         E: 3des-cbc 1786ff2d 76e3b6bb 69b21e0e e0bdd83e a993c063 7fb17d15
> >         A: hmac-sha1 53985951 232ffa3b 915f8aea 921c775a 00b20759
> >         seq=0x00000009 replay=4 flags=0x00000000 state=dying
> >         created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
> >         diff: 26(s) hard: 30(s) soft: 24(s)
> >         last: Mar 5 12:13:52 2003 hard: 0(s) soft: 0(s)
> >         current: 1264(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 9 hard: 0 soft: 0
> >         sadb_seq=2 pid=75781 refcnt=3
> > hostA hostB
> >         esp mode=transport spi=68215519(0x0410e2df) reqid=0(0x00000000)
> >         E: 3des-cbc ed219090 5d6f888a e8802825 721304be 93e378a2 0b0386c1
> >         A: hmac-sha1 d5cbeafd bc53fd2b 1fc793e3 a7ba645f acd15afb
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
> >         diff: 1(s) hard: 30(s) soft: 24(s)
> >         last: hard: 0(s) soft: 0(s)
> >         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 0 hard: 0 soft: 0
> >         sadb_seq=1 pid=75781 refcnt=1
> > hostA hostB
> >         esp mode=transport spi=29715957(0x01c56df5) reqid=0(0x00000000)
> >         E: 3des-cbc ba32a2af 132d3b56 59b26bcf bb094266 2092da1c c598213b
> >         A: hmac-sha1 9132f5a9 c5eebd8f cb1bb01d 681a4ff6 1bd042f3
> >         seq=0x0000000a replay=4 flags=0x00000000 state=dying
> >         created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
> >         diff: 26(s) hard: 30(s) soft: 24(s)
> >         last: Mar 5 12:14:00 2003 hard: 0(s) soft: 0(s)
> >         current: 1716(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 10 hard: 0 soft: 0
> >         sadb_seq=0 pid=75781 refcnt=1
> > root on gateway#
> >
> > root on gateway# setkey -FP; setkey -F ; ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > 64 bytes from 192.168.250.33: icmp_seq=0 ttl=64 time=35.470 ms
> > 64 bytes from 192.168.250.33: icmp_seq=1 ttl=64 time=33.644 ms
> > 64 bytes from 192.168.250.33: icmp_seq=2 ttl=64 time=33.889 ms
> > 64 bytes from 192.168.250.33: icmp_seq=3 ttl=64 time=33.670 ms
> > 64 bytes from 192.168.250.33: icmp_seq=4 ttl=64 time=34.687 ms
> > 64 bytes from 192.168.250.33: icmp_seq=5 ttl=64 time=33.907 ms
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 6 packets transmitted, 6 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 33.644/34.211/35.470/0.661 ms
> >
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=35.012 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=34.409 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=34.092 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 3 packets transmitted, 3 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 34.092/34.504/35.012/0.382 ms
> >
> > root on gateway# setkey -f /etc/ipsec.conf
> >
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.455 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.240 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.909 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 3 packets transmitted, 3 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 37.240/37.535/37.909/0.279 ms
> > root on gateway# ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 23 packets transmitted, 0 packets received, 100% packet loss
> >
> > regards
> >
> > Chris Scott
> > MK NOC
> >
> > 01908223901
> >
> > IMPORTANT NOTICE:
> > This email may be confidential, may be legally privileged,
> > and is for the intended recipient only. Access, disclosure,
> > copying, distribution, or reliance on any of it by anyone
> > else is prohibited and may be a criminal offence. Please
> > delete if obtained in error and email confirmation to the sender.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
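Brent's advice, written out as an added example for setkey(8) (this is not config from the thread). hostA and hostB are the gateway addresses used as tunnel endpoints in the thread; the LAN prefixes 192.168.1.0/24 (behind hostA, the gateway loading this file) and 192.168.2.0/24 (behind hostB) are assumed placeholders.

```conf
# Added example, not the poster's /etc/ipsec.conf. hostA/hostB are the
# gateways from the thread; the two LAN prefixes are assumed placeholders.
#
# Before (from the thread): gif0 wraps LAN traffic in IP-in-IP (proto 4)
# between hostA and hostB, and a transport-mode policy then protects the
# outer packet. Two encapsulations, and the SPD selects on the outer
# protocol number instead of on the traffic actually being carried:
#   spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
#   spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in  ipsec esp/transport//require;
#
# After: no gif0 or gre0. ESP tunnel mode adds the outer IP header itself,
# so the selector is the LAN-to-LAN traffic ('any' upper-layer protocol)
# and the SA endpoints are the two gateways. The inbound rule mirrors the
# outbound one with source and destination swapped.
flush;
spdflush;

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
        esp/tunnel/hostA-hostB/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/hostB-hostA/require;

# The thread's "10.0.0.0/24 ... none" exception for the DSL modem is no
# longer needed: traffic to the modem never matches the LAN selectors.
```

The remote LAN must be reachable by ordinary routing (normally the default route), since there is no longer a tunnel interface to route into; the policy catches the packets on the way out. The IKE daemon (racoon in the thread) must negotiate tunnel-mode SAs for these selectors, because an SA's mode has to match the policy that references it.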