From: David Kelly
To: FreeBSD-Questions@FreeBSD.org
Cc: "Brent Wiese"
Subject: Re: ipsec and gre tunnels
Date: Tue, 18 Mar 2003 19:51:15 -0600
User-Agent: KMail/1.5
Message-Id: <200303181951.16002.dkelly@HiWAAY.net>
In-Reply-To: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
References: <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>

On Tuesday 18 March 2003 10:59 am, Brent Wiese wrote:
> It's a common mistake to do both gif and ipsec.
>
> I realize many of the handbooks you find say to do it. They're wrong.
> They've been contacted and most won't change them, which just
> misleads more people.
>
> Use ipsec in tunnel mode instead of transport and ditch gif.

I've heard that before. So with a RELENG_4 system I dropped my gif tunnel
and it worked!
Then some time after 4.7-RELEASE somebody changed something so that the
contents of an ESP packet could not be distinguished by ipfw from non-ESP
packets on the same interface. So my rule for blocking RFC 1918 addresses
on the public interface was blocking my own tunneled packets. Then I
reverted the system to RELENG_4_7 and my IPSec tunnel failed to operate
until I resumed initializing the gif interface as I was originally doing.

/etc/ipsec.conf looks like this:

flush;
spdflush;
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec esp/tunnel/city_one-city_two/require ;
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec esp/tunnel/city_two-city_one/require ;

/etc/rc.conf has this:

# added 4/30/2002 for VPN to city_two
ipsec_enable="YES"
gif_interfaces="gif0"
# removed 11/17/2002 dmk
# from here to there...
gifconfig_gif0="city_one city_two"
ifconfig_gif0="inet 10.0.0.253 192.168.100.253 netmask 255.255.255.255"
# the VPN route:
static_routes="city_two"
route_city_two="-inet 192.168.100.0/24 -interface 192.168.100.253"

Other than racoon, that's what it took. So why did I have to fire up gif0?
For a while with RELENG_4 the gif entries in /etc/rc.conf were not needed.
I have never seen any hits on my gif rules in ipfw.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
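The SPD in the message relies on two spdadd lines being exact mirrors of each other: the "in" policy must swap the src/dst selectors and the tunnel endpoints of the "out" policy, and setkey's src-dst endpoint syntax cannot carry a hyphen inside an endpoint name. A lopsided pair is a common reason a tunnel passes traffic one way only. The following Python script is an added example, not code from this thread or from FreeBSD; it assumes only the setkey spdadd syntax shown in the message, uses the message's placeholder names city_one/city_two, and runs over two constructed ipsec.conf fragments, one symmetric and one with a hyphenated endpoint typo.

```python
"""Added sanity check for a setkey-style ipsec.conf SPD (not from the thread):
every 'out' policy must have a mirror 'in' policy with src/dst swapped and,
for tunnel mode, the tunnel endpoints swapped."""
import re
from dataclasses import dataclass
from typing import List, Optional

# spdadd <src> <dst> <proto> -P <in|out> ipsec <esp|ah>/<mode>/<ep_src>-<ep_dst>/<level> ;
# The first '-' splits the endpoint pair, as setkey does, so a hyphen inside a
# hostname corrupts the pair; transport mode has an empty endpoint field.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<sa>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<ep_src>[^-/]+)-(?P<ep_dst>[^/]+))?/(?P<level>require|use|default)"
    r"\s*;?\s*$"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    mode: str
    ep_src: Optional[str]
    ep_dst: Optional[str]


def parse_spd(text: str) -> List[Policy]:
    """Extract spdadd statements; flush/spdflush, comments and blanks are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable spdadd line: {line!r}")
        policies.append(Policy(m["src"], m["dst"], m["proto"], m["dir"],
                               m["mode"], m["ep_src"], m["ep_dst"]))
    return policies


def check_spd(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the SPD is symmetric."""
    policies = parse_spd(text)
    outs = [p for p in policies if p.direction == "out"]
    ins = [p for p in policies if p.direction == "in"]
    issues = []

    def mirrors(p: Policy, pool: List[Policy]) -> List[Policy]:
        # A mirror has the selectors swapped and the same upper-layer protocol.
        return [q for q in pool
                if q.src == p.dst and q.dst == p.src and q.proto == p.proto]

    for o in outs:
        found = mirrors(o, ins)
        if not found:
            issues.append(f"out {o.src} -> {o.dst}: no matching 'in' policy")
            continue
        i = found[0]
        if i.mode != o.mode:
            issues.append(f"{o.src} -> {o.dst}: mode differs (out {o.mode}, in {i.mode})")
        # Tunnel endpoints must be swapped on the inbound side, e.g.
        # out city_one-city_two pairs with in city_two-city_one.
        if o.mode == "tunnel" and (i.ep_src, i.ep_dst) != (o.ep_dst, o.ep_src):
            issues.append(f"{o.src} -> {o.dst}: tunnel endpoints not mirrored "
                          f"(out {o.ep_src}-{o.ep_dst}, in {i.ep_src}-{i.ep_dst})")
    for i in ins:
        if not mirrors(i, outs):
            issues.append(f"in {i.src} -> {i.dst}: no matching 'out' policy")
    return issues


# Constructed sample: the symmetric pair, in the shape the message shows.
GOOD_CONF = """\
flush;
spdflush;
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec esp/tunnel/city_one-city_two/require ;
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec esp/tunnel/city_two-city_one/require ;
"""

# Constructed sample: inbound endpoint mistyped as 'city-one', so the pair no
# longer mirrors the outbound policy.
BAD_CONF = """\
flush;
spdflush;
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec esp/tunnel/city_one-city_two/require ;
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec esp/tunnel/city_two-city-one/require ;
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_spd(conf) or "ok")
```

Run it against the real /etc/ipsec.conf (read the file into a string and pass it to check_spd) before loading the policy with setkey; an empty result means each direction has its counterpart, which is the first thing to confirm when a tunnel carries traffic in only one direction.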