Date:      Sat, 28 Sep 2002 10:54:03 -0700
From:      "Ian Cartwright" <ian351c@cox.net>
To:        "'Lars Eggert'" <larse@ISI.EDU>
Cc:        <freebsd-hackers@freebsd.org>
Subject:   RE: VPN Routing through gif (4) tunnel
Message-ID:  <004e01c26718$087ad960$6600a8c0@iansxp>
In-Reply-To: <3D95E2CE.6000502@isi.edu>

Lars,

Thank you very much for the document, it was very informative. So what
you are saying is that I am running two tunnels in parallel? I had
suspected this, but since it was the only way I was able to make it work
and all the examples I could find for FreeBSD involved a gif tunnel, I
thought there might be some "special" interaction with the kernel that
required a gif tunnel for tunnel mode IPSec.

If I am reading your document right (I am somewhat new to the guts of
IPSec. You don't have to understand nearly as much to drive a Checkpoint
GUI. I guess this is why I love FreeBSD, you really do gain a new
understanding of this kind of stuff by making it work... ;-) then the
Security Policy Database, which contains the information needed to set
up the SAs, will determine the endpoints of the tunnel created in an
IPSec tunnel, and the gif tunnel is redundant.

So, continuing with my configuration from my original message, "setkey
-DP" would show:

200.200.200.0/16[any] 192.168.0.0/24[any] any
        in ipsec
        esp/tunnel/200.200.201.1-100.100.100.1/require
        spid=8 seq=1 pid=8125
        refcnt=1
192.168.0.0/24[any] 200.200.200.0/16[any] any
        out ipsec
        esp/tunnel/100.100.100.1-200.200.201.1/require
        spid=7 seq=0 pid=8125
        refcnt=1

And, of course, setkey -D would output nothing since this is controlled
dynamically by racoon.

This SA configuration should result in an IPSec tunnel being built/used
every time I send a packet to the 200.200.200.0/16 network. Do I need
static routes for this? I would imagine the kernel should "know" that
packets destined for my work network should go over the IPSec tunnel.

The one issue I have run up against by not using a gif tunnel is that
KAME and IPFILTER do not play nicely. This may be a configuration issue
on my part, but I have seen a couple of articles in the newsgroups that
suggest a more unified architecture is required since both KAME and
IPFILTER act as IP packet filters, and need to have some way to
communicate with each other.

What do you think? Am I understanding this correctly?

Thanks!

Ian Cartwright

-----Original Message-----
From: Lars Eggert [mailto:larse@ISI.EDU] 
Sent: Saturday, September 28, 2002 10:12 AM
To: Ian Cartwright
Cc: freebsd-hackers@freebsd.org
Subject: Re: VPN Routing through gif (4) tunnel


Hi,

Ian Cartwright wrote:
> I am trying to construct a "B2B" mode VPN tunnel between my house and 
> my work using FreeBSD.
...
> Here is my current configuration (IPs changed to protect the guilty):
> 
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
...
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
...
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         tunnel inet 68.3.250.5 --> 199.64.13.20
>         inet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00
> 
> fxp0 is my external network adapter, connected to the Internet and 
> assigned "100.100.100.1" by my ISP. gif0 is the tunnel adapter and 
> ties my network to my work's network. The ip 200.200.200.1 is the 
> inside interface of my work's VPN server.
> 
> The commands used to create the gif tunnel are as follows:
> ifconfig gif0 create tunnel 100.100.100.1 200.200.201.1
> ifconfig gif0 inet 192.168.0.1 200.200.200.1 netmask 255.255.255.0
> 
> 100.100.100.1 is my external address again
> 200.200.201.1 is the external interface on my work's VPN server 
> 200.200.200.1 is the internal interface on my work's VPN server again

your tunnel configuration is a bit strange. You want the tunnel wrapper 
IP addresses to be those of the external interfaces, both locally and 
for your remote site. Also, give the tunnel itself addresses that don't 
overlap with addresses you already use. E.g.:

ifconfig gif0 10.0.0.1 10.0.0.2 tunnel 100.100.100.1 
<external-ip-of-remote-end>

Then just add a route for your remote network to the tunnel, e.g.

route add 200.200.200/24 10.0.0.2

As for IPsec and racoon: Are you negotiating IPsec tunnel mode SAs? In 
which case you MUST NOT set up a gif tunnel. (In short, that abuses the 
fact that two parallel tunnels trick routing into forwarding over a 
tunnel mode SA, with consequences; see 
ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-04.txt.)

Lars
-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
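
As an added example (not code from either message), a small Python checker for the two setups discussed above: it parses the `setkey -DP` output Ian quotes into tunnel-mode security policies, verifies that each policy has its in/out mirror, and flags any gif(4) tunnel whose outer endpoints coincide with a tunnel-mode SP, which is the parallel-tunnel configuration Lars says must be avoided. The gif endpoints are assumed to be supplied as (local, remote) pairs taken from `ifconfig gifN`; the sample SPD text is the output quoted in this thread.

```python
import re

# Constructed sample input: the `setkey -DP` output quoted in this thread.
SPD_TEXT = """\
200.200.200.0/16[any] 192.168.0.0/24[any] any
        in ipsec
        esp/tunnel/200.200.201.1-100.100.100.1/require
        spid=8 seq=1 pid=8125
        refcnt=1
192.168.0.0/24[any] 200.200.200.0/16[any] any
        out ipsec
        esp/tunnel/100.100.100.1-200.200.201.1/require
        spid=7 seq=0 pid=8125
        refcnt=1
"""

# One tunnel-mode SP: selector line, direction line, then the esp/tunnel line.
_SP_RE = re.compile(
    r"^(?P<src>\S+)\[[^\]]*\]\s+(?P<dst>\S+)\[[^\]]*\]\s+\S+\n"
    r"\s+(?P<dir>in|out)\s+ipsec\n"
    r"\s+(?P<proto>esp|ah)/tunnel/(?P<osrc>[\d.]+)-(?P<odst>[\d.]+)/(?P<level>\w+)",
    re.MULTILINE,
)

def parse_spd(text):
    """Return a list of dicts, one per tunnel-mode security policy in the SPD dump."""
    return [m.groupdict() for m in _SP_RE.finditer(text)]

def unmatched_policies(policies):
    """Each 'out' SP A->B over X-Y should be mirrored by an 'in' SP B->A over Y-X.
    Returns (dir, src, dst) for every policy lacking that mirror."""
    keys = {(p["dir"], p["src"], p["dst"], p["osrc"], p["odst"]) for p in policies}
    missing = []
    for d, s, t, os_, od in sorted(keys):
        mirror = ("in" if d == "out" else "out", t, s, od, os_)
        if mirror not in keys:
            missing.append((d, s, t))
    return missing

def parallel_gif_tunnels(policies, gif_tunnels):
    """gif_tunnels: (local, remote) outer addresses as shown by `ifconfig gifN`
    ('tunnel inet local --> remote'; assumed input format). A pair equal to a
    tunnel-mode SP's outer endpoints is a gif tunnel running in parallel with
    the IPsec tunnel, i.e. the redundant setup discussed in the thread."""
    ends = {(p["osrc"], p["odst"]) for p in policies if p["dir"] == "out"}
    ends |= {(p["odst"], p["osrc"]) for p in policies if p["dir"] == "in"}
    return [tuple(g) for g in gif_tunnels if tuple(g) in ends]
```

Running `parallel_gif_tunnels(parse_spd(SPD_TEXT), [("100.100.100.1", "200.200.201.1")])` against Ian's original gif0 endpoints reports that tunnel, while Lars's suggested private tunnel addresses would not be flagged.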