Date: Wed, 14 Mar 2001 22:21:30 -0600
From: jomor <jomor@ahpcns.com>
To: freebsd-security@freebsd.org
Subject: Re: IPSEC tunnel without gif?
Message-ID: <3AB0434A.2DEC2598@ahpcns.com>
References: <3AAEF702.9AC2715B@ahpcns.com>
jomor wrote:
> I've been setting up a VPN with tunnel mode IPSEC and things are going
> OK so far but in searching the list archives, I've found some stuff that
> seems to imply that gif tunnels are not needed for tunnel mode. Is this
> true? I've only gotten it to work by pre-configuring the gif tunnel, but
> now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode
> IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the
> X-bone project.
>
> seeking enlightenment ...jgm
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Replying to my own post for those who are interested...

I have set up a simple test network to figure this out. It's similar to the one in the ipsec.html page of the handbook except that I added a router to split up the segment between the gateways in order to better simulate "the Internet" piece. Routes were in place only to provide connectivity between the external interfaces of the "tunnel endpoint gateway" machines. The router sitting in the middle of the whole thing had no knowledge of the "private" networks. NAT was not enabled anywhere.

The ipsec.conf files are just like the handbook page commands except that I made a version for esp only and another version for ah (not "ah-old") and I specified "-m tunnel" instead of "-m any".

After executing setkey I was able to ping the remote hosts for at least a little while. I was not able to connect long enough to do anything useful. Flushing and reloading the ipsec.conf file didn't help. Only a reboot would get it going again (but not for long).

I ran some traces with a Network General sniffer and things looked as I expected while the pings were working. When the pings stopped working I could see that one of the gateways continued to transmit the pings, which did get to the remote gateway. The gateway that received the pings was transmitting ARP requests but strangely, it was trying to get the hardware address of the other tunnel endpoint rather than that of the router in the middle. Since the ARP requests were never answered, the ping response was never transmitted. This behavior was identical for both ah and esp tunnels.

After rebooting all the machines, I created the gif tunnels and executed setkey. I was able to ftp some 1-5 MB files this way. I left the setup running over night so I'll see if it's still functioning in the morning. I'll be doing some traces with the gif setup for comparison as well.

...jgm
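As an added illustration (not from the thread or the handbook), here are the two setkey(8) configurations the post contrasts: true tunnel-mode ESP with no gif interface, and transport-mode ESP protecting a gif (ipencap) tunnel. Addresses, SPIs and the key string are constructed placeholders.

```conf
# Added example, not from the original post. Constructed values:
#   Gateway A: outer 203.0.113.1, private net 192.168.1.0/24
#   Gateway B: outer 198.51.100.1, private net 192.168.2.0/24
# "REPLACE_WITH_24_BYTE_KEY" is a placeholder of the right length for
# 3des-cbc (24 bytes); generate a random key per SA, never reuse this string.
# Load ONE of the two variants below on gateway A, not both.
flush;
spdflush;

# --- Variant 1: tunnel-mode ESP, no gif interface ---
# The SA itself is tunnel mode (-m tunnel) and the policy selects the private
# networks, so the kernel adds the outer IP header between the gateways.
add 203.0.113.1 198.51.100.1 esp 0x1001 -m tunnel -E 3des-cbc "REPLACE_WITH_24_BYTE_KEY";
add 198.51.100.1 203.0.113.1 esp 0x1002 -m tunnel -E 3des-cbc "REPLACE_WITH_24_BYTE_KEY";
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- Variant 2: transport-mode ESP over a gif (ipencap) tunnel ---
# gif0 (configured separately with gifconfig/ifconfig) does the IP-in-IP
# encapsulation; IPsec only sees the resulting ipencap packets between the
# outer addresses, so the policy matches on protocol ipencap, not the inner nets.
add 203.0.113.1 198.51.100.1 esp 0x2001 -m transport -E 3des-cbc "REPLACE_WITH_24_BYTE_KEY";
add 198.51.100.1 203.0.113.1 esp 0x2002 -m transport -E 3des-cbc "REPLACE_WITH_24_BYTE_KEY";
spdadd 203.0.113.1/32 198.51.100.1/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 203.0.113.1/32 ipencap -P in  ipsec esp/transport//require;
```

Gateway B uses the same file with the address pairs and directions swapped. Both variants carry the inbound `-P in ... require` policy so that matching traffic that did not arrive through the SA is discarded rather than accepted in the clear.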