From owner-freebsd-net@FreeBSD.ORG Fri Aug 18 19:58:12 2006
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Yu-Shun Wang"
Cc: remko@freebsd.org, net@freebsd.org
Date: Fri, 18 Aug 2006 23:58:08 +0400
Subject: Re: Routing IPSEC packets?
In-Reply-To: <44E619F7.7030300@isi.edu>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <44E619F7.7030300@isi.edu>
List-Id: Networking and TCP/IP with FreeBSD
On 8/18/06, Yu-Shun Wang wrote:
> Andrew Pantyukhin wrote:
> > On 8/18/06, Yu-Shun Wang wrote:
> >> Remko Lodder wrote:
> >> > I was looking around for using IPsec services instead of
> >> > OpenVPN services, but I found out that with our current
> >> > implementation of IPsec, we cannot actually route packets
> >> > through the various IPsec hops [1]. OpenBSD adds IPsec
> >> > flows in their routing table, making it possible to route
> >> > traffic between IPsec tunnels.
> >> >
> >> > Can someone either confirm my above statement that FreeBSD
> >> > is indeed not capable of doing this?
> >>
> >> It's not an implementation issue, but a design problem with
> >> IPsec tunnel mode. See RFC3884:
> >>
> >> The proposed solution is to use IP-IP tunnel (gif iface in
> >> FreeBSD, which you can route) then apply IPsec transport mode
> >> on the outer header. Refer to the rfc for more detail.
> >>
> >> The policy will be different, but we've verified long ago
> >> with FreeBSD that it works. The packets on the wire are
> >> compatible with regular tunnel mode IPsec.
> >
> > Eh? gif(4) says:
> >
> > BUGS
> >      There are many tunnelling protocol specifications, all defined
> >      differently from each other. The gif device may not interoperate
> >      with peers which are based on different specifications, and are
> >      picky about outer header fields. For example, you cannot usually
> >      use gif to talk with IPsec devices that use IPsec tunnel mode.
>
> You won't have any problem if you are using IP-IP with IPsec
> transport mode on both ends. It's been a while, but we did
> try one end with IP-IP+IPsec transport and the other with
> IPsec tunnel mode. (Of course, you will need to make sure
> everything matches, SPI, inner/outer addresses, keys, etc.)
> The rfc is dated Sep. 2004, we probably tried it long before
> that, so it had to be some older FreeBSD versions. We even
> tested with Linux (FreeSWAN back then) as the other end.
>
> I haven't been tracking the gif code, it SHOULD work, but
> if something did change the packets on the wire, then
> all bets are off.
>
> Hope this clarified a bit.

Yep, thanks. I'm actually trying to marry FreeBSD to PIX. The latter
only supports IPSec (tunnel/transport). I'm still struggling with
firewalls on both sides, but tunnel-tunnel works right now.

I'm a bit puzzled because the howto I see
(http://www.bshell.com/projects/freebsd_pix/) uses gif(4) with
tunnel-mode IPSec. Either something is wrong with the way things work
or the author doesn't understand what he's doing (or both). The bitter
thing is that we have a similar setup in our handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
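The two policy layouts the thread compares, written out as an added setkey(8) configuration so the difference is concrete. This is example material, not a configuration from the thread, the handbook or the howto it links: gateway A (outer address 192.0.2.1, inner network 10.0.1.0/24) peers with gateway B (outer 198.51.100.1, inner 10.0.2.0/24); the addresses are documentation ranges chosen for the example, the file is written from A's point of view, and SAs are assumed to come from IKE (racoon) or from manual `add` lines not shown here. Only one of the two variants would be loaded for a given peer.

```conf
# Constructed example (not from the mailing-list thread).
# Gateway A: outer 192.0.2.1, inner net 10.0.1.0/24
# Gateway B: outer 198.51.100.1, inner net 10.0.2.0/24
# Load with: setkey -f this-file ; inspect with: setkey -DP
# NOTE: flush/spdflush wipe every existing SA and policy on the host.
flush;
spdflush;

# --- Variant 1: plain IPsec tunnel mode ------------------------------
# The "tunnel" exists only as SPD entries keyed on the inner selectors.
# There is no interface, so nothing can be routed through it; traffic
# that does not match these selectors never enters the tunnel.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# --- Variant 2: RFC 3884 layout, gif(4) IP-IP + transport mode -------
# Encapsulation is done by gif0, a routable interface; IPsec transport
# mode then protects the outer IP-in-IP packet. The upper-layer
# selector "ip4" is IP-in-IP (protocol 4), so ordinary traffic between
# the two outer addresses is not caught by this policy.
# On the wire the result is ESP around an inner IP packet, which is the
# same layout a tunnel-mode peer expects.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec
    esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in ipsec
    esp/transport//require;
```

For variant 2 the interface side on gateway A is `ifconfig gif0 create`, `ifconfig gif0 tunnel 192.0.2.1 198.51.100.1` and `ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255`; further networks behind B are then reached with plain `route add` entries via 10.0.2.1, which is exactly the routing property variant 1 lacks. The interoperability caveat from the thread applies unchanged: a tunnel-mode peer still matches on the inner addresses in its own SPD, so the inner addresses carried by gif0, the outer addresses, the SPIs and the keys all have to agree on both ends, and a mismatch shows up as silently dropped packets rather than an error.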