Date: Tue, 09 Apr 2002 09:18:50 -0700
From: Lars Eggert <larse@ISI.EDU>
To: Dennis Pedersen <trm@daydreamer.dk>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec tunnel mode
Message-ID: <3CB3146A.7080906@isi.edu>
References: <MPENKFCCIIDAJKJJOLBHMEAJCNAA.tariq@inty.net> <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws>
Dennis Pedersen wrote:

> But uhm is there a 'simple' way of doing this? (as in just adding the IP of
> the other end's gif interface as destination in my routes?
> The setup today is an exact copy of (other IPs of course)
> www.freebsddiary.org/ipsec-tunnel.php
> This works just fine besides the problem with my routes, according to the
> draft IPIP is the solution. My question is now how do I set up with an IPIP
> tunnel?
> On http://rr.sans.org/firewall/IPSec_VPN.php there is an example, from my
> point of view it looks kind of complicated. Can it be made any simpler?
> If this is the way to do it, can I run multiple natd on both my external
> interface and the virtual gif interface (the howto creates the gif tunnel
> and diverts all traffic into this tunnel with natd on both ends) and how?
> (because I can't really see how the ipfw add divert natd can tell the
> difference between the 2 sessions of natd)

Both setup instructions you gave URLs for are broken in the respect that they tell you to set up IPIP tunnels and IPsec tunnel mode SAs in parallel. IPsec tunnel mode under KAME does not use gif interfaces. This works in some situations, because the interaction of side effects is just right. These instructions in fact set up a secure and a non-secure path between the two security gateways, and work by intercepting packets sent over the non-secure path and pushing them into the secure tunnel. This can have all sorts of interesting failure modes.

Setting up the other approach (IPIP tunnel + IPsec transport mode) works by first setting up the tunnels (see the gifconfig/ifconfig man pages) and stringing the topology together with route (route man page). No other commands are needed. Once this works (i.e. you see correctly encapsulated packets flow between your machines) you can then manually configure IPsec transport mode SAs (via setkey) or use IKE.
Lars

--
Lars Eggert <larse@isi.edu>           Information Sciences Institute
http://www.isi.edu/larse/            University of Southern California
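The gif-plus-transport-mode arrangement Lars describes, written out as an added example that is not from the thread or from either howto. All addresses are constructed placeholders, the modern `ifconfig gif0 tunnel` syntax stands in for the `gifconfig` of the period, and `DRY_RUN=1` makes the script print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: IPIP (gif) tunnel protected by IPsec *transport* mode SAs,
# instead of a gif tunnel and IPsec *tunnel* mode SAs running in parallel.
# Addresses below are constructed placeholders from RFC 5737 / RFC 1918.
set -eu

LOCAL_OUTER=203.0.113.1     # this gateway's public address
REMOTE_OUTER=198.51.100.1   # peer gateway's public address
LOCAL_INNER=10.0.0.1        # gif0 point-to-point endpoints
REMOTE_INNER=10.0.0.2
REMOTE_LAN=192.168.2.0/24   # network behind the peer
DRY_RUN=${DRY_RUN:-}

# Execute a command, or print it when DRY_RUN is set, so the sequence can be
# reviewed on a host without gif or IPsec support.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Step 1: the IPIP tunnel alone. Only gif0 encapsulates; no tunnel-mode SA.
# (On FreeBSD 4.x the second line was: gifconfig gif0 $LOCAL_OUTER $REMOTE_OUTER)
# Step 2: string the topology together with route: the remote LAN is reached
# through the peer's gif address, so packets enter gif0 and get encapsulated.
setup_tunnel() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_OUTER" "$REMOTE_OUTER"
    run ifconfig gif0 inet "$LOCAL_INNER" "$REMOTE_INNER" netmask 0xffffffff up
    run route add -net "$REMOTE_LAN" "$REMOTE_INNER"
}

# Step 3: once plain IPIP packets are seen flowing, require ESP in transport
# mode for the outer packets (protocol 4, "ipencap") between the gateways.
# This is policy only; the SAs come from manual "add" lines or from IKE.
setkey_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_OUTER/32 $REMOTE_OUTER/32 ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER/32 $LOCAL_OUTER/32 ipencap -P in ipsec esp/transport//require;
EOF
}

apply_policy() { setkey_policy | run setkey -c; }

# Usage: DRY_RUN=1 sh ipip-transport.sh apply   (prints the commands)
if [ "${1:-}" = apply ]; then setup_tunnel; apply_policy; fi
```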
