Date: Tue, 18 Mar 2003 19:51:15 -0600
From: David Kelly <dkelly@HiWAAY.net>
To: FreeBSD-Questions@FreeBSD.org
Cc: "Brent Wiese" <brently@bjwcs.com>
Subject: Re: ipsec and gre tunnels
Message-ID: <200303181951.16002.dkelly@HiWAAY.net>
In-Reply-To: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
References: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
On Tuesday 18 March 2003 10:59 am, Brent Wiese wrote:
> It's a common mistake to do both gif and ipsec.
>
> I realize many of the handbooks you find say to do it. They're wrong.
> They've been contacted and most won't change them, which just
> misleads more people.
>
> Use ipsec in tunnel mode instead of transport and ditch gif.
I've heard that before. So with a RELENG_4 system I dropped my gif
tunnel and it worked!
Then some time after 4.7-RELEASE somebody changed something so that the
contents of an ESP packet could not be distinguished by ipfw from
non-ESP packets on the same interface. So my rule for blocking RFC 1918
addresses on the public interface was blocking my own tunneled packets.
Then I reverted the system to RELENG_4_7 and my IPSec tunnel failed to
operate until I resumed initializing the gif interface as I was
originally doing.
/etc/ipsec.conf looks like this:
flush;
spdflush;
# outbound: LAN behind city_one -> LAN behind city_two, ESP tunnel between the two gateways
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec
esp/tunnel/city_one-city_two/require ;
# inbound: the mirror image, with selectors and tunnel endpoints swapped
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec
esp/tunnel/city_two-city_one/require ;
/etc/rc.conf has this:
# added 4/30/2002 for VPN to city_two
ipsec_enable="YES"
gif_interfaces="gif0" # removed 11/17/2002 dmk
# from here to there...
gifconfig_gif0="city_one city_two"
ifconfig_gif0="inet 10.0.0.253 192.168.100.253 netmask 255.255.255.255"
# the VPN route:
static_routes="city_two"
route_city_two="-inet 192.168.100.0/24 -interface 192.168.100.253"
Other than racoon, that's what it took. So why did I have to fire up
gif0? For a while with RELENG_4 the gif entries in /etc/rc.conf were
not needed. I have never seen any hits on my gif rules in ipfw.
--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
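The SPD pair in the message has to be an exact mirror image (selectors swapped, tunnel endpoints swapped) or one direction of the VPN quietly stops matching. As an added example, not code from the message above or from FreeBSD's own setkey(8), here is a small checker that parses the `spdadd` statements of an ipsec.conf file and reports any policy whose opposite-direction twin is missing or mistyped. The sample policy text is constructed from the two entries in the message (`city_one` and `city_two` are the gateway hostnames used there); the deliberately broken variant with a mistyped peer name is also constructed. The checker assumes tunnel endpoint names contain no hyphen, since the `src-dst` spec is split on that character, and it does not handle setkey's optional priority field.

```python
"""Mirror check for setkey(8) SPD entries in an ipsec.conf file.

Added example, not code from the original message or from FreeBSD.
Every outbound 'spdadd ... -P out' tunnel policy should have an inbound
twin with src/dst and tunnel endpoints swapped; a typo in any of the
four addresses leaves one direction of the tunnel without a matching
policy.
"""
import sys
from collections import namedtuple

Policy = namedtuple("Policy", "src dst upper direction action rules")
Rule = namedtuple("Rule", "proto mode endpoints level")

# Constructed sample: the two policies from the message (city_one/city_two
# are the gateway hostnames used there), written out as setkey(8) input.
SAMPLE_IPSEC_CONF = """\
flush;
spdflush;
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec
esp/tunnel/city_one-city_two/require ;
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec
esp/tunnel/city_two-city_one/require ;
"""

# Constructed broken variant: the inbound policy's peer name is mistyped.
BROKEN_IPSEC_CONF = SAMPLE_IPSEC_CONF.replace("city_two-city_one",
                                              "city_two-city-one")


def parse_spd(text):
    """Return the spdadd statements in `text` as Policy tuples.

    setkey statements end with ';' and '#' starts a comment. Assumption:
    tunnel endpoints (hostnames or addresses) contain no '-', because the
    endpoint spec is written src-dst and is split on that character.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    policies = []
    for stmt in stripped.split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue  # flush, spdflush, add, ... are not SPD entries
        if len(tok) < 7 or tok[4] != "-P":
            raise ValueError("malformed spdadd: " + " ".join(tok))
        rules = []
        for spec in tok[7:]:
            parts = spec.split("/")
            if len(parts) != 4:
                raise ValueError("malformed policy spec: " + spec)
            proto, mode, endpoints, level = parts
            if mode == "tunnel":
                ends = endpoints.split("-")
                if len(ends) != 2 or not all(ends):
                    raise ValueError("tunnel endpoints must be src-dst: " + endpoints)
                endpoints = tuple(ends)
            else:
                endpoints = None  # transport mode carries no endpoints
            rules.append(Rule(proto, mode, endpoints, level))
        policies.append(Policy(tok[1], tok[2], tok[3], tok[5], tok[6], tuple(rules)))
    return policies


def mirror_of(p):
    """The policy that should accompany p in the opposite direction."""
    rules = tuple(
        Rule(r.proto, r.mode, r.endpoints[::-1] if r.endpoints else None, r.level)
        for r in p.rules)
    return Policy(p.dst, p.src, p.upper,
                  "in" if p.direction == "out" else "out", p.action, rules)


def find_unmirrored(policies):
    """Policies whose exact opposite-direction twin is not in the set."""
    present = set(policies)
    return [p for p in policies if mirror_of(p) not in present]


def check_text(text):
    """Return a list of problem strings; an empty list means the SPD is consistent."""
    try:
        policies = parse_spd(text)
    except ValueError as e:
        return [str(e)]
    return ["no mirror for %s policy %s -> %s" % (p.direction, p.src, p.dst)
            for p in find_unmirrored(policies)]


if __name__ == "__main__":
    # Usage: python3 spdcheck.py /etc/ipsec.conf  (defaults to the broken sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_IPSEC_CONF
    problems = check_text(text)
    for problem in problems:
        print("problem:", problem)
    sys.exit(1 if problems else 0)
```

This only checks that the SPD is self-consistent; it says nothing about the ipfw interaction described above, where decapsulated packets show up on the public interface with RFC 1918 addresses and hit the same block rule as everything else. That has to be checked against the firewall rules, not the policy file.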
