From owner-freebsd-net@FreeBSD.ORG Wed Jun 23 23:19:16 2010
Date: Wed, 23 Jun 2010 19:15:33 -0400
From: "Eric W. Bates"
To: ralf@dzie-ciuch.pl
Cc: freebsd-net@freebsd.org
Subject: Re: vpn trouble
Message-ID: <4C229595.20902@ericx.net>
In-Reply-To: <655d7279cefc01b3fbe0016c598fcd72@ewipo.pl>
List-Id: Networking and TCP/IP with FreeBSD

On 6/22/2010 3:55 PM, ralf@dzie-ciuch.pl wrote:
>>
>> I managed to do an IP in IP tunnel with IPsec encryption between a
>> FreeBSD and a cisco router running 12.1(mumble) several years ago.
>>
>> It is a desirable option if you want to use routing (e.g. ospf). You
>> can't route an IPSec tunnel (actually, is this now possible with enc0
>> interfaces?) but you can route to the gif interfaces.
>>
>
> Can you tell me how to use route command to use it like above?

I have to admit that I no longer have access to that client's machines.
However, I can describe in broad strokes.

In our case the need was to provide a backup route for a dedicated T1.
Occasionally the T1 would fail, so we wanted an alternate route thru the
internet. The internet path had to be encrypted, but it was much slower,
so we wanted the T1 to have priority. The router terminating the T1 was
separate from the router providing general internet access.
This was between a hospital and a service provider. A lot of this could
be simplified except that the vendor HAD to provide the server, the
circuit, and the router (those of you who support banks or hospitals
know what I'm talking about). There is already a static route in place
for the provider via the T1 router.

We first built a simple IPencap tunnel between our FreeBSD box and their
cisco. The FreeBSD side used a gif and the cisco side used a tunnel
interface. We confirmed that we could ping the end-points. Then we added
the ospf to the mix in order to detect when the T1 dropped. We weighted
the ospf so that the T1 was prioritized.

Once that was working we added the IPSec as transport between the
endpoints of the IPinIP tunnel rather than encapsulation. That was the
only time I've built an IPSec tunnel with that method. Folks with better
understanding than I can perhaps explain the pros and cons. In our case,
it was a simple expedient to support ospf. I have noticed since then
that OS X's GUI only supports this method of IPSec tunneling, so I'm
going to have to do it again to support some other customers.

Some parts on the cisco side might appear thusly (I'm doing this from
memory so ymmv):

! The Comcast-facing subinterface (the same one listed as passive for
! OSPF below)
interface FastEthernet0/0.2
 description VLAN 500 to Comcast router
 encapsulation dot1Q 500
 ip address x.x.x.x 255.255.255.252

The encryption part:

! IKE phase 1 policy; "sha" is the IOS keyword for SHA-1
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Pre-shared key accepted from any peer address (0.0.0.0 0.0.0.0)
crypto isakmp key foobar-key address 0.0.0.0 0.0.0.0
! IPsec phase 2 proposal
crypto ipsec transform-set PROVIDER-SET esp-3des esp-sha-hmac
!
crypto ipsec profile PROVIDER-PROF
 set transform-set PROVIDER-SET

The tunnel part:

interface tunnel0
 description IPnIP tunnel thru comcast to PROVIDER
 ip address 192.168.254.3 255.255.255.252
 ip ospf mtu-ignore
 tunnel source x.x.x.25
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROVIDER-PROF

The OSPF part:

router ospf 10101
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 ! no hellos on the LAN-side and Comcast-side interfaces
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/0.2
 network 128.1.0.0 0.0.255.255 area 0
 network 192.168.8.0 0.0.3.255 area 0
 network 192.168.254.0 0.0.0.3 area 0

The static route part:

ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.8.0 255.255.252.0 10.21.1.2
ip route 192.168.20.0 255.255.255.0 10.21.1.2
ip route y.y.y.y 255.255.255.255 x.x.x.26
! the last route is just to make sure the tunnel uses Comcast
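The FreeBSD end of that setup, as an added example that is not from the mail: gif0 carrying the IP-in-IP tunnel, a transport-mode SPD for protocol 4 between the outer endpoints, a host route pinning the remote endpoint to the Internet router (the counterpart of the Cisco "last route"), and an ospfd cost so the tunnel loses to the T1. The addresses, the racoon and quagga daemons and the cost value are assumptions; check which IPsec mode the Cisco VTI (tunnel mode ipsec ipv4) on the page actually proposes before relying on the transport-mode policy.

```shell
#!/bin/sh
# FreeBSD end of the gif + transport-mode IPsec + OSPF backup path (added example,
# not from the mail). Addresses are assumptions: LOCAL_PUB/REMOTE_PUB are the outer
# endpoints (x.x.x.25 / y.y.y.y on the page), INET_GW the Comcast router (x.x.x.26).
LOCAL_PUB="${LOCAL_PUB:-198.51.100.25}"
REMOTE_PUB="${REMOTE_PUB:-203.0.113.10}"
INET_GW="${INET_GW:-198.51.100.26}"
GIF_LOCAL=192.168.254.4      # our end of the /30; the Cisco holds .3 as on the page
GIF_REMOTE=192.168.254.3

# run: execute the command, or only print it when DRY_RUN=1 (check without root)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# SPD: protect only the IP-in-IP (protocol 4, "ipencap") packets between the outer
# endpoints, in transport mode. SAs come from the IKE daemon (racoon, matching the
# Cisco isakmp policy; bind its PSK to REMOTE_PUB rather than a wildcard peer).
spd_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_PUB $REMOTE_PUB ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB ipencap -P in ipsec esp/transport//require;
EOF
}

# Quagga/FRR ospfd fragment (assumed daemon): gif0 costs more than the T1 interface,
# so routes learnt over the tunnel win only while the T1 adjacency is down.
ospfd_conf() {
    cat <<EOF
interface gif0
 ip ospf cost 100
 ip ospf mtu-ignore
router ospf
 network 192.168.254.0/30 area 0
 redistribute connected
EOF
}

# Host route for the remote outer endpoint via the Internet router, so the encrypted
# tunnel never rides the T1 (the Cisco "last route" on the page does the same job).
apply_all() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_PUB" "$REMOTE_PUB"
    run ifconfig gif0 inet "$GIF_LOCAL" "$GIF_REMOTE" netmask 255.255.255.252
    run route add -host "$REMOTE_PUB" "$INET_GW"
    if [ "${DRY_RUN:-0}" = 1 ]; then spd_policy; else spd_policy | setkey -c; fi
}

case "${1:-}" in apply) apply_all ;; dry-run) DRY_RUN=1; apply_all ;; esac
```

Run it with the `dry-run` argument to see the commands it would issue, or with `apply` as root on the FreeBSD box once racoon and ospfd are configured.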