From: "Ian Cartwright" <ian351c@cox.net>
To: "'Lars Eggert'" <larse@ISI.EDU>
Cc: freebsd-hackers@freebsd.org
Subject: RE: VPN Routing through gif (4) tunnel
Date: Sat, 28 Sep 2002 10:54:03 -0700
Message-ID: <004e01c26718$087ad960$6600a8c0@iansxp>
In-Reply-To: <3D95E2CE.6000502@isi.edu>

Lars,

Thank you very much for the document, it was very informative. So what you are saying is that I am running two tunnels in parallel? I had suspected this, but since it was the only way I was able to make it work and all the examples I could find for FreeBSD involved a gif tunnel, I thought there might be some "special" interaction with the kernel that required a gif tunnel for tunnel mode IPSec.

If I am reading your document right (I am somewhat new to the guts of IPSec. You don't have to understand nearly as much to drive a Checkpoint GUI. I guess this is why I love FreeBSD, you really do gain a new understanding of this kind of stuff by making it work... ;-) then the Security Policy Database, which contains the information needed to set up the SAs, will determine the endpoints of the tunnel created in an IPSec tunnel, and the gif tunnel is redundant.

So, continuing with my configuration from my original message, "setkey -DP" would show:

    200.200.200.0/16[any] 192.168.0.0/24[any] any
    	in ipsec
    	esp/tunnel/200.200.201.1-100.100.100.1/require
    	spid=8 seq=1 pid=8125 refcnt=1
    192.168.0.0/24[any] 200.200.200.0/16[any] any
    	out ipsec
    	esp/tunnel/100.100.100.1-200.200.201.1/require
    	spid=7 seq=0 pid=8125 refcnt=1

And, of course, setkey -D would output nothing since this is controlled dynamically by racoon.

This SA configuration should result in an IPSec tunnel being built/used every time I send a packet to the 200.200.200.0/16 network. Do I need static routes for this? I would imagine the kernel should "know" that packets destined for my work network should go over the IPSec tunnel.

The one issue I have run up against by not using a gif tunnel is that KAME and IPFILTER do not play nicely. This may be a configuration issue on my part, but I have seen a couple of articles in the newsgroups that suggest a more unified architecture is required since both KAME and IPFILTER act as IP packet filters, and need to have some way to communicate with each other.

What do you think? Am I understanding this correctly?

Thanks!

Ian Cartwright

-----Original Message-----
From: Lars Eggert [mailto:larse@ISI.EDU]
Sent: Saturday, September 28, 2002 10:12 AM
To: Ian Cartwright
Cc: freebsd-hackers@freebsd.org
Subject: Re: VPN Routing through gif (4) tunnel

Hi,

Ian Cartwright wrote:
> I am trying to construct a "B2B" mode VPN tunnel between my house and
> my work using FreeBSD.
...
> Here is my current configuration (IPs changed to protect the guilty):
>
> fxp0: flags=8843 mtu 1500
>         inet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
...
> fxp1: flags=8843 mtu 1500
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
...
> gif0: flags=8051 mtu 1280
>         tunnel inet 68.3.250.5 --> 199.64.13.20
>         inet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00
>
> fxp0 is my external network adapter, connected to the Internet and
> assigned "100.100.100.1" by my ISP. gif0 is the tunnel adapter and
> ties my network to my work's network. The ip 200.200.200.1 is the
> inside interface of my work's VPN server.
>
> The commands used to create the gif tunnel are as follows:
>
>     ifconfig gif0 create tunnel 100.100.100.1 200.200.201.1
>     ifconfig gif0 inet 192.168.0.1 200.200.200.1 netmask 255.255.255.0
>
> 100.100.100.1 is my external address again
> 200.200.201.1 is the external interface on my work's VPN server
> 200.200.200.1 is the internal interface on my work's VPN server

Again, your tunnel configuration is a bit strange. You want the tunnel wrapper IP addresses to be those of the external interfaces, both locally and for your remote site. Also, give the tunnel itself addresses that don't overlap with addresses you already use. E.g.:

    ifconfig gif0 10.0.0.1 10.0.0.2 tunnel 100.100.100.1 200.200.201.1

Then just add a route for your remote network to the tunnel, e.g.

    route add 200.200.200/24 10.0.0.2

As for IPsec and racoon: Are you negotiating IPsec tunnel mode SAs? In which case you MUST NOT set up a gif tunnel. (In short, that abuses the fact that two parallel tunnels trick routing into forwarding over a tunnel mode SA, with consequences; see ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-04.txt.)

Lars

-- 
Lars Eggert                                     USC Information Sciences Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
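The thread above turns on what the Security Policy Database actually says once the gif tunnel is removed: the tunnel-mode policies themselves carry the outer endpoints, and they have to be consistent with the external interface and with each other. The following script is an added example written for this archive page; it is not code from Ian, Lars, or the FreeBSD project. It parses `setkey -DP` output in the layout Ian posted (reproduced as a constructed string), renders the equivalent `spdadd` statements for setkey(8), and applies the sanity checks Lars's reply implies: the local tunnel endpoint must be the external interface address (assumed here to be 100.100.100.1, as in Ian's configuration), every outbound tunnel policy needs a mirrored inbound one, and tunnel endpoints should not fall inside the networks a policy protects. The "host bits set" check is this example's own addition, prompted by the /16 in Ian's selectors versus the /24 in Lars's route; the policy names, regular expressions and finding strings are all assumptions of the example.

```python
"""Sanity-check a tunnel-mode IPsec SPD as printed by ``setkey -DP``.

Added example for this thread, not code from either poster. Assumes the
FreeBSD/KAME setkey -DP layout: an unindented selector line followed by
indented "direction ipsec", "proto/tunnel/A-B/level" and "spid=..." lines.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: Ian's two policies in setkey -DP's line layout.
SAMPLE_SPD = (
    "200.200.200.0/16[any] 192.168.0.0/24[any] any\n"
    "\tin ipsec\n"
    "\tesp/tunnel/200.200.201.1-100.100.100.1/require\n"
    "\tspid=8 seq=1 pid=8125 refcnt=1\n"
    "192.168.0.0/24[any] 200.200.200.0/16[any] any\n"
    "\tout ipsec\n"
    "\tesp/tunnel/100.100.100.1-200.200.201.1/require\n"
    "\tspid=7 seq=0 pid=8125 refcnt=1\n"
)


@dataclass
class Policy:
    src: str                          # traffic selector, e.g. "192.168.0.0/24"
    dst: str
    direction: str = ""               # "in", "out" or "fwd"
    proto: str = ""                   # "esp" or "ah"
    outer_src: Optional[str] = None   # tunnel endpoints; None = transport mode
    outer_dst: Optional[str] = None
    spid: int = 0


SEL_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
TUN_RE = re.compile(r"^(\w+)/tunnel/([^-]+)-([^/]+)/\w+$")
SPID_RE = re.compile(r"^spid=(\d+)")


def parse_spd(text: str) -> List[Policy]:
    """Turn setkey -DP output into Policy records (one per spid line)."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                 # unindented: a new selector line
            m = SEL_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line!r}")
            cur = Policy(src=m.group(1), dst=m.group(2))
            continue
        if cur is None:
            raise ValueError(f"policy detail before any selector: {line!r}")
        if m := DIR_RE.match(line):
            cur.direction = m.group(1)
        elif m := TUN_RE.match(line):
            cur.proto, cur.outer_src, cur.outer_dst = m.group(1), m.group(2), m.group(3)
        elif m := SPID_RE.match(line):
            cur.spid = int(m.group(1))
            policies.append(cur)                 # the spid line closes the record
            cur = None
    return policies


def check_spd(policies: List[Policy], external_addr: str) -> List[str]:
    """Return human-readable findings; an empty list means the SPD looks sane."""
    findings: List[str] = []
    ext = ipaddress.ip_address(external_addr)
    tunnels = [p for p in policies if p.outer_src is not None]
    for p in tunnels:
        # Tunnel wrapper addresses are the external interfaces, so our own
        # end (src when out, dst when in) must be the external address.
        local = p.outer_src if p.direction == "out" else p.outer_dst
        if ipaddress.ip_address(local) != ext:
            findings.append(f"spid={p.spid}: local endpoint {local} is not the external address {external_addr}")
        for sel in (p.src, p.dst):
            net = ipaddress.ip_network(sel, strict=False)
            if ipaddress.ip_address(sel.split("/")[0]) != net.network_address:
                findings.append(f"spid={p.spid}: selector {sel} has host bits set; it actually covers {net}")
            for ep in (p.outer_src, p.outer_dst):
                if ipaddress.ip_address(ep) in net:
                    findings.append(f"spid={p.spid}: tunnel endpoint {ep} lies inside protected network {net}")
    # Each outbound tunnel policy needs an inbound twin with selectors and endpoints swapped.
    for o in (p for p in tunnels if p.direction == "out"):
        if not any(i.direction == "in" and i.src == o.dst and i.dst == o.src
                   and i.outer_src == o.outer_dst and i.outer_dst == o.outer_src
                   for i in tunnels):
            findings.append(f"spid={o.spid}: no mirrored inbound policy")
    return findings


def spdadd_config(policies: List[Policy]) -> str:
    """Render the tunnel policies back as setkey(8) 'spdadd' statements."""
    lines = []
    for p in policies:
        if p.outer_src is None:
            continue
        lines.append(f"spdadd {p.src} {p.dst} any -P {p.direction} ipsec "
                     f"{p.proto}/tunnel/{p.outer_src}-{p.outer_dst}/require;")
    return "\n".join(lines)


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print(spdadd_config(pols))
    for finding in check_spd(pols, "100.100.100.1"):
        print("WARNING:", finding)
```

Run against Ian's dump the script confirms that both policies already use 100.100.100.1 as the local wrapper address and that the in/out pair mirrors each other, which is exactly why no gif interface is needed for the kernel to pick the tunnel-mode SA. What it does flag is the /16 selector: 200.200.200.0/16 really means 200.200.0.0/16, and that range contains the remote endpoint 200.200.201.1, so the protected network and the tunnel wrapper overlap in the way Lars advises against. Replacing the selector with 200.200.200.0/24 clears every finding.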