From owner-freebsd-questions Tue Mar 18 12:26:52 2003
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <002f01c2ed8c$aea2bba0$c4102c0a@viper>
From: "chris scott"
References: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
Subject: Re: ipsec and gre tunnels
Date: Tue, 18 Mar 2003 20:26:39 -0000

It always confused me why you would have two tunnels; however, gif and ipsec transport works fine. I just wanted to know why gre didn't work in the same way, as at present it makes no sense.

----- Original Message -----
From: "Brent Wiese"
To: "'chris scott'" ;
Sent: Tuesday, March 18, 2003 4:59 PM
Subject: RE: ipsec and gre tunnels

> It's a common mistake to do both gif and ipsec.
>
> I realize many of the handbooks you find say to do it. They're wrong.
> They've been contacted and most won't change them, which just misleads
> more people.
>
> Use ipsec in tunnel mode instead of transport and ditch gif.
>
> > Hi,
> >
> > I currently have a vpn setup between a few lans using freebsd, ipsec
> > and gif tunnels. It all works perfectly. However, I noticed that there
> > is a new pseudo device for gre tunnels. As the overhead is supposed to
> > be less for this type of tunnel, I decided to test things out. I cvs'd
> > and made world and kernel on the two test machines. No problems here.
> > I tested the original tunnels, all working ok, and racoon was doing key
> > exchange with no problems. I set up the test gre tunnel with the
> > following syntax:
> >
> >     /sbin/ifconfig gre0 create tunnel hostA hostB
> >     /sbin/ifconfig gre0 192.168.250.34 192.168.250.33 netmask 255.255.255.252
> >     /sbin/route add 192.168.250.33/30 -interface gre0
> >     /sbin/ifconfig gre0 up
> >
> > Cool, the tunnel is up and seems to work ok. Now I implement the
> > following ipsec policy, which is just an extension of what I was using
> > before for the gif tunnels:
> >
> >     spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
> >     spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
> >
> >     # these 2 rules are so i can connect to my ethernet dsl modem
> >     # without the traffic getting encrypted, which is bad
> >
> >     spdadd 10.0.0.0/24 10.0.0.0/24 gre -P out none ;
> >     spdadd 10.0.0.0/24 10.0.0.0/24 gre -P in none ;
> >
> >     spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
> >     spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> >
> > Hmm, now the tunnel doesn't work. Key exchange seems to be ok, as the
> > gif tunnel is still working. Does anyone have any idea why the tunnel
> > should stop working? The man page for setkey has a mysterious
> > reference under the upperspec description:
> >
> >     We have many protocols in /etc/protocols, but protocols except of
> >     TCP, UDP and ICMP may not be suitable to use with IPsec. You have
> >     to consider and be careful to use them.
> >
> >     icmp tcp udp all protocols
> >
> > Could gre be one of these protocols and if so why?
> >
> > root on gateway# ifconfig gre0
> > gre0: flags=9051 mtu 1476
> >         tunnel inet hostB --> hostA
> >         inet 192.168.250.34 --> 192.168.250.33 netmask 0xfffffffc
> > root on gateway# ifconfig gif0
> > gif0: flags=8051 mtu 1280
> >         tunnel inet hostB --> hostA
> >         inet 192.168.250.1 --> 192.168.250.2 netmask 0xfffffffc
> > root on gateway# ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 6 packets transmitted, 0 packets received, 100% packet loss
> > root on gateway# ping 192.168.250.1
> > PING 192.168.250.1 (192.168.250.1): 56 data bytes
> > ^C
> > --- 192.168.250.1 ping statistics ---
> > 5 packets transmitted, 0 packets received, 100% packet loss
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.682 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.543 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.981 ms
> > 64 bytes from 192.168.250.2: icmp_seq=3 ttl=64 time=37.159 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 4 packets transmitted, 4 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 37.159/37.591/37.981/0.296 ms
> > root on gateway# setkey -DP
> > 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
> >         in ipsec
> >         esp/transport//require
> >         spid=1004 seq=5 pid=75744
> >         refcnt=1
> > 10.0.0.0/24[any] 10.0.0.0/24[any] gre
> >         in none
> >         spid=1006 seq=4 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] gre
> >         in ipsec
> >         esp/transport//require
> >         spid=1008 seq=3 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
> >         out ipsec
> >         esp/transport//require
> >         spid=1003 seq=2 pid=75744
> >         refcnt=1
> > 10.0.0.0/24[any] 10.0.0.0/24[any] gre
> >         out none
> >         spid=1005 seq=1 pid=75744
> >         refcnt=1
> > 0.0.0.0/0[any] 0.0.0.0/0[any] gre
> >         out ipsec
> >         esp/transport//require
> >         spid=1007 seq=0 pid=75744
> >         refcnt=1
> > root on gateway# setkey -D
> > hostB hostA
> >         esp mode=transport spi=226290556(0x0d7ceb7c) reqid=0(0x00000000)
> >         E: 3des-cbc 9ef25cfa f136ecac e6548771 b6675ea5 2427613a d8079969
> >         A: hmac-sha1 fe01a845 3c3288ae 329bdd2e bff2bdb8 19224348
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
> >         diff: 1(s) hard: 30(s) soft: 24(s)
> >         last: hard: 0(s) soft: 0(s)
> >         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 0 hard: 0 soft: 0
> >         sadb_seq=3 pid=75781 refcnt=1
> > hostB hostA
> >         esp mode=transport spi=257583206(0x0f5a6866) reqid=0(0x00000000)
> >         E: 3des-cbc 1786ff2d 76e3b6bb 69b21e0e e0bdd83e a993c063 7fb17d15
> >         A: hmac-sha1 53985951 232ffa3b 915f8aea 921c775a 00b20759
> >         seq=0x00000009 replay=4 flags=0x00000000 state=dying
> >         created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
> >         diff: 26(s) hard: 30(s) soft: 24(s)
> >         last: Mar 5 12:13:52 2003 hard: 0(s) soft: 0(s)
> >         current: 1264(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 9 hard: 0 soft: 0
> >         sadb_seq=2 pid=75781 refcnt=3
> > hostA hostB
> >         esp mode=transport spi=68215519(0x0410e2df) reqid=0(0x00000000)
> >         E: 3des-cbc ed219090 5d6f888a e8802825 721304be 93e378a2 0b0386c1
> >         A: hmac-sha1 d5cbeafd bc53fd2b 1fc793e3 a7ba645f acd15afb
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
> >         diff: 1(s) hard: 30(s) soft: 24(s)
> >         last: hard: 0(s) soft: 0(s)
> >         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 0 hard: 0 soft: 0
> >         sadb_seq=1 pid=75781 refcnt=1
> > hostA hostB
> >         esp mode=transport spi=29715957(0x01c56df5) reqid=0(0x00000000)
> >         E: 3des-cbc ba32a2af 132d3b56 59b26bcf bb094266 2092da1c c598213b
> >         A: hmac-sha1 9132f5a9 c5eebd8f cb1bb01d 681a4ff6 1bd042f3
> >         seq=0x0000000a replay=4 flags=0x00000000 state=dying
> >         created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
> >         diff: 26(s) hard: 30(s) soft: 24(s)
> >         last: Mar 5 12:14:00 2003 hard: 0(s) soft: 0(s)
> >         current: 1716(bytes) hard: 0(bytes) soft: 0(bytes)
> >         allocated: 10 hard: 0 soft: 0
> >         sadb_seq=0 pid=75781 refcnt=1
> > root on gateway#
> >
> > root on gateway# setkey -FP; setkey -F ; ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > 64 bytes from 192.168.250.33: icmp_seq=0 ttl=64 time=35.470 ms
> > 64 bytes from 192.168.250.33: icmp_seq=1 ttl=64 time=33.644 ms
> > 64 bytes from 192.168.250.33: icmp_seq=2 ttl=64 time=33.889 ms
> > 64 bytes from 192.168.250.33: icmp_seq=3 ttl=64 time=33.670 ms
> > 64 bytes from 192.168.250.33: icmp_seq=4 ttl=64 time=34.687 ms
> > 64 bytes from 192.168.250.33: icmp_seq=5 ttl=64 time=33.907 ms
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 6 packets transmitted, 6 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 33.644/34.211/35.470/0.661 ms
> >
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=35.012 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=34.409 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=34.092 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 3 packets transmitted, 3 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 34.092/34.504/35.012/0.382 ms
> >
> > root on gateway# setkey -f /etc/ipsec.conf
> >
> > root on gateway# ping 192.168.250.2
> > PING 192.168.250.2 (192.168.250.2): 56 data bytes
> > 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.455 ms
> > 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.240 ms
> > 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.909 ms
> > ^C
> > --- 192.168.250.2 ping statistics ---
> > 3 packets transmitted, 3 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 37.240/37.535/37.909/0.279 ms
> > root on gateway# ping 192.168.250.33
> > PING 192.168.250.33 (192.168.250.33): 56 data bytes
> > ^C
> > --- 192.168.250.33 ping statistics ---
> > 23 packets transmitted, 0 packets received, 100% packet loss
> >
> > regards
> >
> > Chris Scott
> > MK NOC
> >
> > 01908223901
> >
> > IMPORTANT NOTICE:
> > This email may be confidential, may be legally privileged, and is for
> > the intended recipient only. Access, disclosure, copying, distribution,
> > or reliance on any of it by anyone else is prohibited and may be a
> > criminal offence. Please delete if obtained in error and email
> > confirmation to the sender.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
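Brent's suggestion written out as a setkey(8) policy file, as an added example that is not part of either message in this thread. It assumes two LANs that the thread never names, 192.168.1.0/24 behind hostA and 192.168.2.0/24 behind hostB; hostA and hostB stand for the gateways' real addresses exactly as in the original post, and racoon still negotiates the SAs.

```conf
# /etc/ipsec.conf on hostA (added example, not from the thread).
# hostB uses the same file with the prefixes and endpoints swapped.
#
# Tunnel mode carries the LAN-to-LAN traffic itself, so there is no
# gif0 or gre0 interface, no 192.168.250.x point-to-point addresses
# and no second encapsulation layer for the SPD to match on.
#
# Assumed addressing (constructed for this example):
#   hostA  gateway, public address, LAN 192.168.1.0/24 behind it
#   hostB  gateway, public address, LAN 192.168.2.0/24 behind it

flush;
spdflush;

# Outbound: anything from our LAN to the remote LAN is required to go
# into an ESP tunnel whose outer addresses are the two gateways.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/hostA-hostB/require;

# Inbound: the mirror image, decapsulated from the hostB->hostA tunnel.
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/hostB-hostA/require;

# Because the selectors are the two LAN prefixes rather than 0.0.0.0/0,
# the "-P none" exemptions the original post needed for the DSL modem on
# 10.0.0.0/24 are no longer required: that traffic matches no policy and
# is sent in the clear, as before.
```

The remote prefix still needs an ordinary route out of the gateway (the default route is enough) so that packets reach the SPD lookup, and `setkey -DP` should then show only the two tunnel-mode entries.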