Date: Mon, 08 Oct 2001 17:52:04 +0100
From: tariq_rashid@lineone.net
To: freebsd-security@freebsd.org
Subject: connecting ipsec tunnels and routing ....
Message-ID: <E15qddM-000MmP-00@mk-smarthost-1.mail.uk.worldonline.com>
Consider the following network of FreeBSD 4.4R gateways:

    ( subnet-A ) ----- [ gateway A ]
     10.2.0.0/16            |
                            |
                            |
                            |
                    [ "hub" gateway B ]----- ( subnet-B )
                            |                 10.0.0.0/16
                            |
                            |
                            |
    ( subnet-C ) ----- [ gateway C ]
     10.1.0.0/16

Now, gateway B (the "hub" or concentrator) has the following properties:

* it is the only one with a static public IP address - for this reason
  isakmpd is used over racoon
* gateway B has its own attached protected subnet (subnet-C)
* gateway B must provide routes for ipsec traffic from any other subnet to
  any other subnet (eg subnet-A to subnet-C)

It seems obvious that all the subnets must use their gateways as their
default gateway. These gateways must decide which traffic to protect using
ipsec. This is decided by the isakmpd.conf file:

--------------------------
[IPsec-A-centre]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-centre
Configuration=  Default-quick-mode
Local-ID=       Net-centre
Remote-ID=      Net-B

[Net-A]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.2.0.0
Netmask=        255.255.0.0

[Net-centre]
# ID-type=      IPV4_ADDR_SUBNET
# Address=      public-ip-of-gateway-B
ID-type=        IPV4_ADDR_SUBNET
Network=        10.1.0.0
Netmask=        255.255.0.0
--------------------------

It appears that the ID-type (network, netmask) determine the filters that
ipsec will apply. Thus traffic from subnet-A 10.2.7.13 to 10.1.7.2 is caught
and tunnelled. tcpdump shows ESP leaving the machine gateway-A > gateway-B.
So the default gateway in netstat -rn is used as expected. The tunnel is to
the central gateway-B (using Address= 10.0.7.2 in the [ISAKMP-peer-centre]
section of gateway-A).

Gateway-B does receive the ESP packets as shown by tcpdump. HOWEVER, gateway
B does not forward the packets on as per its own routing table. This has
failed to work both when the forwarding gateway-B to gateway-C has no IPSEC
tunnel configured and also when it has (as is finally intended).

In addition, setting the ID-type address to IP_ADDR gateway-B-public-ip fails
to work as expected. The routing criteria are not met for 10.2.7.13 to
10.1.7.2, for example. 10.2.7.13 to gateway-B-public-ip does work as expected
but is not useful.

Finally, the isakmpd port from OpenBSD is being used. This is because it
allows the non-hub gateways to have dynamically allocated IP addresses. Only
these gateways need to know the static IP address of the central gateway-B.

HOWEVER, this configuration appears to have no need to configure tunnel
devices (gif, tun, ipip). This is correct as simple subnet to subnet VPNs
have been tested and both netstat -i and ifconfig return no configured
tunnels. This appears to make routing more difficult.

Any ideas, experiences, advice, thoughts, solutions? Gratefully received.

tariq

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E15qddM-000MmP-00>
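Added example, not part of the post above and not isakmpd or FreeBSD code: a Python model of RFC 2401 selector processing at a policy-based hub (no gif/tun devices), using the thread's 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16 layout. The gateway names, the two policy sets and the sample packets are constructed for the example. It shows the point the question turns on: the hub's routing table is consulted only after the SPD has decided what to do with a decapsulated packet, so spoke-to-spoke traffic is relayed only when the selectors on both tunnels cover the remote subnets. hub_spd() generalises this to any number of spokes. Whether FreeBSD 4.4's KAME stack enforced the inbound selector check exactly as modelled here is not established by the thread; the model follows RFC 2401 section 5.2.1.

```python
"""
Model of RFC 2401 selector processing at a hub gateway in a policy-based
IPsec VPN.  Added example, not code from the original post, isakmpd or
FreeBSD.  Addresses follow the thread's layout (hub 10.0.0.0/16,
spoke C 10.1.0.0/16, spoke A 10.2.0.0/16); gateway names are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Policy:
    direction: str                 # "in" or "out"
    src: ipaddress.IPv4Network     # inner (pre-encapsulation) source selector
    dst: ipaddress.IPv4Network     # inner destination selector
    peer: str                      # remote tunnel endpoint this SA belongs to


def tunnel(peer, local, remote):
    """The two SPD entries one Phase-2 negotiation installs: out local->remote, in remote->local."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return [Policy("out", local, remote, peer), Policy("in", remote, local, peer)]


def lookup(spd, direction, src, dst, peer=None):
    """First policy of `direction` (optionally restricted to one peer) covering src->dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p.direction != direction or (peer is not None and p.peer != peer):
            continue
        if src in p.src and dst in p.dst:
            return p
    return None


def hub_forward(spd, src, dst, arrived_from):
    """
    Fate of an inner packet the hub has just decapsulated from `arrived_from`.
    Inbound: the packet must lie within the selectors of the SA it came in on,
    otherwise RFC 2401 s.5.2.1 says discard it.  Outbound: a fresh SPD lookup
    decides between re-encapsulating towards another peer and sending in the
    clear.  Only then does the routing table pick the egress interface for the
    resulting ESP or clear packet, so a correct netstat -rn on the hub does
    not by itself make it relay spoke-to-spoke traffic.
    """
    if lookup(spd, "in", src, dst, peer=arrived_from) is None:
        return ("drop", "%s->%s is outside the selectors of the %s SA" % (src, dst, arrived_from))
    out = lookup(spd, "out", src, dst)
    return ("tunnel", out.peer) if out else ("clear", None)


def hub_spd(hub_net, spokes):
    """
    Full policy set for a hub: one tunnel per spoke for hub<->spoke traffic,
    plus, for every ordered pair of spokes (i, j), a selector pair on spoke i's
    tunnel covering net_j<->net_i so that traffic from j can be relayed to i.
    `spokes` maps peer name -> protected subnet.
    """
    spd = []
    for peer, sub in spokes.items():
        spd += tunnel(peer, hub_net, sub)
    for (pi, ni), (pj, nj) in permutations(spokes.items(), 2):
        spd += tunnel(pi, nj, ni)
    return spd


# Constructed: hub policies covering only its own subnet, as on a plain spoke.
HUB_ONLY = tunnel("gateway-A", "10.0.0.0/16", "10.2.0.0/16") + \
           tunnel("gateway-C", "10.0.0.0/16", "10.1.0.0/16")

# Constructed: hub policies that also carry spoke-to-spoke selectors on both tunnels.
HUB_MESH = hub_spd("10.0.0.0/16", {"gateway-A": "10.2.0.0/16", "gateway-C": "10.1.0.0/16"})

if __name__ == "__main__":
    for name, spd in (("hub-only selectors", HUB_ONLY), ("hub + spoke-to-spoke selectors", HUB_MESH)):
        print(name)
        print("  A->C  10.2.7.13 -> 10.1.7.2 :", hub_forward(spd, "10.2.7.13", "10.1.7.2", "gateway-A"))
        print("  C->A  10.1.7.2  -> 10.2.7.13:", hub_forward(spd, "10.1.7.2", "10.2.7.13", "gateway-C"))
        print("  A->B  10.2.7.13 -> 10.0.5.5 :", hub_forward(spd, "10.2.7.13", "10.0.5.5", "gateway-A"))
```

With HUB_ONLY the A->C packet is discarded at the hub on the inbound check, and with HUB_MESH it is re-encapsulated towards gateway-C while hub-bound traffic still leaves in the clear onto the attached subnet. In isakmpd terms the mesh corresponds to extra Phase-2 sections per tunnel whose Local-ID/Remote-ID name the other spokes' [Net-*] subnets rather than only the hub's own.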