Date: Wed, 17 Apr 1996 11:37:43 -0500 (CDT)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: dirk@methan.chemie.fu-berlin.de (Dirk Froemberg)
Cc: hackers@FreeBSD.ORG, xadmin@methan.chemie.fu-berlin.de, alf@bolzen.in-berlin.de
Subject: Re: ip-in-ip tunnel
Message-ID: <199604171637.LAA22203@brasil.moneng.mei.com>
In-Reply-To: <m0u9VAE-0009paC@methan.chemie.fu-berlin.de> from "Dirk Froemberg" at Apr 17, 96 01:12:46 pm
> Hello!
>
> We need to set up an ip-in-ip (protocol number 4) tunnel with FreeBSD
> (i. e. the tunnel entry should be on a FreeBSD machine).
>
> Unfortunately there seems to be no easy way of doing so.
>
> mrouting has the tunneling functionality, but it is limited to multicast
> addresses. Although this limitation may easily be removed, there
> is no way of adding routes manually (e. g. route add).
>
> Another approach might be to create an interface doing the encapsulation.
> The implementation of the ip-in-ip encapsulation itself is not very
> difficult. At the moment we are stuck "a little bit" in the
> BSD networking code.
>
> Btw. Linux has such an interface, called "tunl".
>
> Is anyone working on this?
>
> Best regards
> Dirk

One of my back burner pet projects is to do something like this. All the hard work has been done: FreeBSD supports the "tun*" devices (typically used for user mode PPP). You can snarf one of these guys and read/write /dev/tun* to get the actual IP traffic on the interface.

I want to use it to create a virtual (secure) network across an insecure Internet. This is trivial in concept, not hard to implement, and just a matter of grinding out code.

What you need:

1. a pair of FreeBSD routers connected to the Internet.
2. create a stream socket between the routers via the Internet. You may argue UDP here; I decided not to.
3. implement a DES crypt layer on top. I'm cheap, so I assume I can manually propagate a key. Use something like CFB64.
3a. you now have a secure communications channel across the Internet...
4. open /dev/tun0, ifconfig it.
5. use IPFW to _prohibit_ any nonlocal traffic from leaving the box via the Internet interface. Mostly to avoid unhappiness from configuration errors.
6. set up any other interfaces.
7. voila :-)

Haven't had time to finish it.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                         jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/546-7968
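The protocol-4 encapsulation Dirk asks about, as an added example that is not from this thread or from FreeBSD's sources: it builds the RFC 2003 outer IPv4 header in front of an inner packet and validates such a header on receipt, checking version, IHL, checksum, protocol and both length fields before the inner packet would be handed to the stack. The 28-byte inner packet and the 192.0.2.x outer addresses are constructed placeholders.

```c
#include <stdint.h>
#include <string.h>
#define IPIP_PROTO 4   /* IP-in-IP, RFC 2003 */
#define IPV4_HDR 20    /* minimal IPv4 header, IHL = 5 */
/* RFC 1071 one's-complement sum; yields 0 over a header whose checksum is correct. */
static uint16_t ip_csum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) s += (uint32_t)p[n - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Prepend an outer IPv4 header (protocol 4) to a complete inner packet.
 * Returns the total length, or -1 if inner is malformed or out is too small. */
int ipip_encap(const uint8_t *in, size_t ilen, uint32_t src, uint32_t dst,
               uint8_t ttl, uint8_t *out, size_t cap) {
    size_t tot = IPV4_HDR + ilen;
    if (ilen < IPV4_HDR || in[0] >> 4 != 4 || tot > 65535 || tot > cap) return -1;
    memset(out, 0, IPV4_HDR);
    out[0] = 0x45; out[2] = tot >> 8; out[3] = tot & 0xff;
    out[6] = in[6] & 0x40;  /* copy the inner DF bit so path MTU discovery still works */
    out[8] = ttl; out[9] = IPIP_PROTO;
    for (int i = 0; i < 4; i++) { out[12 + i] = src >> (24 - 8 * i); out[16 + i] = dst >> (24 - 8 * i); }
    uint16_t c = ip_csum(out, IPV4_HDR); out[10] = c >> 8; out[11] = c & 0xff;
    memcpy(out + IPV4_HDR, in, ilen);
    return (int)tot;
}
/* Validate the outer header of a received packet; on success store the inner
 * offset and return the inner length, else -1. Every bound is checked first. */
int ipip_decap(const uint8_t *p, size_t len, size_t *off) {
    if (len < IPV4_HDR || p[0] >> 4 != 4) return -1;
    size_t ihl = (p[0] & 0x0f) * 4, tot = (size_t)p[2] << 8 | p[3];
    if (ihl < IPV4_HDR || ihl > len || tot > len || tot - ihl < IPV4_HDR) return -1;
    if (ip_csum(p, ihl) != 0 || p[9] != IPIP_PROTO) return -1;
    size_t itot = (size_t)p[ihl + 2] << 8 | p[ihl + 3];
    if (itot != tot - ihl) return -1;  /* inner length must agree with the outer one */
    *off = ihl; return (int)itot;
}
/* Constructed sample: 28-byte inner IPv4/UDP packet 10.0.0.1 -> 10.0.0.2 (inner
 * checksum left zero; the inner stack validates it). Returns 1 on a clean round trip. */
int ipip_roundtrip_ok(void) {
    uint8_t in[28] = {0x45, 0, 0, 28, 0, 1, 0x40, 0, 64, 17, 0, 0,
                      10, 0, 0, 1, 10, 0, 0, 2, 0, 53, 0, 53, 0, 8, 0, 0};
    uint8_t buf[64]; size_t off = 0;
    int n = ipip_encap(in, sizeof in, 0xC0000201u, 0xC0000202u, 64, buf, sizeof buf);
    if (n != 48 || buf[9] != IPIP_PROTO || ipip_decap(buf, (size_t)n, &off) != 28) return 0;
    buf[9] = 17;  /* tampered protocol field: checksum no longer matches, must be rejected */
    return off == IPV4_HDR && memcmp(buf + off, in, sizeof in) == 0 && ipip_decap(buf, (size_t)n, &off) == -1;
}
```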