Date:      Wed, 14 Mar 2001 22:21:30 -0600
From:      jomor <jomor@ahpcns.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPSEC tunnel without gif?
Message-ID:  <3AB0434A.2DEC2598@ahpcns.com>
References:  <3AAEF702.9AC2715B@ahpcns.com>

jomor wrote:

> I've been setting up a VPN with tunnel mode IPSEC and things are going
> OK so far but in searching the list archives, I've found some stuff that
> seems to imply that gif tunnels are not needed for tunnel mode. Is this
> true? I've only gotten it to work by pre-configuring the gif tunnel, but
> now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode
> IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the
> X-bone project.
>
>                         seeking enlightenment    ...jgm
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Replying to my own post for those who are interested...

I have set up a simple test network to figure this out. It's similar to the
one in the ipsec.html page of the handbook except that I added a router to
split up the segment between the gateways in order to better simulate "the
Internet" piece.  Routes were in place only to provide connectivity between
the external interfaces of the "tunnel endpoint gateway" machines. The
router sitting in the middle of the whole thing had no knowledge of the
"private" networks. NAT was not enabled anywhere. The ipsec.conf files are
just like the handbook page commands except that I made a version for esp
only and another version for ah (not "ah-old") and I specified "-m tunnel"
instead of "-m any". After executing setkey I was able to ping the remote
hosts for at least a little while. I was not able to connect long enough to
do anything useful.  Flushing and reloading the ipsec.conf file didn't
help. Only a reboot would get it going again (but not for long). I ran some
traces with a Network General sniffer and things looked as I expected while
the pings were working. When the pings stopped working I could see that one
of the gateways continued to transmit the pings, which did get to the
remote gateway. The gateway that received the pings was transmitting ARP
requests but strangely, it was trying to get the hardware address of the
other tunnel endpoint rather than that of the router in the middle. Since
the ARP requests were never answered, the ping response was never
transmitted. This behavior was identical for both ah and esp tunnels. After
rebooting all the machines, I created the gif tunnels and executed setkey.
I was able to ftp some 1-5 MB files this way. I left the setup running over
night so I'll see if it's still functioning in the morning. I'll be doing
some traces with the gif setup for comparison as well.

                            ...jgm
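The two setups this message contrasts, written out as an added example in FreeBSD 4.x-era setkey(8) syntax. It is not from the thread or from the handbook page the author refers to: the gateway addresses (203.0.113.1 and 198.51.100.1), the private networks (192.168.1.0/24 and 192.168.2.0/24), the SPIs and the key strings are constructed placeholders, and the gif interface commands in the comments assume the old gifconfig(8) tool. Part 1 is kernel tunnel mode with no gif interface: the SA is created with "-m tunnel" and the policy selector is the private-to-private traffic itself. Part 2 is the gif variant: gif does the IP-in-IP encapsulation and IPsec is applied in transport mode to the encapsulated (ipencap) packets between the two external addresses.

```conf
# Added example, not from the original message. All addresses, SPIs and keys are
# constructed placeholders. Shown from the point of view of gateway A
# (external 203.0.113.1, private net 192.168.1.0/24); gateway B is
# external 198.51.100.1, private net 192.168.2.0/24. Swap src/dst for B.
#
# Load with:   setkey -f ipsec.conf
# Inspect with: setkey -D (SAs) and setkey -DP (policies)

flush;
spdflush;

########## Part 1: IPsec tunnel mode, no gif interface ##########

# One manually keyed SA per direction, explicitly tunnel mode ("-m tunnel",
# the change the message describes relative to "-m any"). 3des-cbc needs a
# 24-byte key, hmac-sha1 a 20-byte key; the strings below are the right
# length but are placeholders and must be replaced before any real use.
add 203.0.113.1 198.51.100.1 esp 10001 -m tunnel
    -E 3des-cbc  "DO-NOT-USE-placeholder24"
    -A hmac-sha1 "DO-NOT-USE-hmac-key1";
add 198.51.100.1 203.0.113.1 esp 10002 -m tunnel
    -E 3des-cbc  "DO-NOT-USE-placeholder24"
    -A hmac-sha1 "DO-NOT-USE-hmac-key1";

# Policy: traffic between the two private networks must be ESP-tunnelled
# between the external addresses. The kernel adds the outer IP header itself,
# so no gif interface and no route via a gif address is involved.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out
    ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in
    ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

########## Part 2: gif tunnel + IPsec transport mode ##########
# (Use either Part 1 or Part 2 on a given gateway, not both.)
#
# Before loading the policy, create the gif tunnel on gateway A (assumed
# FreeBSD 4.x commands; on B reverse the address pairs):
#   ifconfig gif0 create
#   gifconfig gif0 203.0.113.1 198.51.100.1
#   ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
#   route add 192.168.2.0/24 192.168.2.1
#
# gif now wraps private-to-private packets in an outer IP header (protocol 4,
# "ipencap" in /etc/protocols). IPsec only has to protect those encapsulated
# packets between the two external addresses, which is transport mode.
#
# add 203.0.113.1 198.51.100.1 esp 10003 -m transport
#     -E 3des-cbc  "DO-NOT-USE-placeholder24"
#     -A hmac-sha1 "DO-NOT-USE-hmac-key1";
# add 198.51.100.1 203.0.113.1 esp 10004 -m transport
#     -E 3des-cbc  "DO-NOT-USE-placeholder24"
#     -A hmac-sha1 "DO-NOT-USE-hmac-key1";
#
# spdadd 203.0.113.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
# spdadd 198.51.100.1 203.0.113.1 ipencap -P in  ipsec esp/transport//require;
```

The visible difference on the wire is small (ESP between the two external addresses in both cases), which is why a sniffer trace alone does not say which one is in use; "setkey -D" shows the mode of each SA and "setkey -DP" shows whether the policy selector is the private networks (Part 1) or the ipencap flow between the gateways (Part 2). Manual keying as above is for a lab; a keying daemon such as racoon should supply the SAs in anything longer-lived.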
