Date: Sat, 28 Sep 2002 11:18:42 -0700 From: Lars Eggert <larse@ISI.EDU> To: Ian Cartwright <ian351c@cox.net> Cc: freebsd-hackers@freebsd.org Subject: Re: VPN Routing through gif (4) tunnel Message-ID: <3D95F282.8020009@isi.edu> References: <004e01c26718$087ad960$6600a8c0@iansxp>
Ian,
this stuff is definitely tricky to get into... :-)
Ian Cartwright wrote:
>
> Thank you very much for the document, it was very informative. So what
> you are saying is that I am running two tunnels in parallel? I had
> suspected this, but since it was the only way I was able to make it work
> and all the examples I could find for FreeBSD involved a gif tunnel, I
> thought there might be some "special" interaction with the kernel that
> required a gif tunnel for tunnel mode IPSec.
I sent email to a bunch of tutorial authors that do the
two-tunnel-in-parallel-thing when this came up on the list before. Two
at least said they were going to modify their tutorials ("when I wrote
this I was still learning about this stuff", etc.), but I don't think
they did yet.
> So, continuing with my configuration from my original message "setkey
> -DP" would show:
>
> 200.200.200.0/16[any] 192.168.0.0/24[any] any
> in ipsec
> esp/tunnel/200.200.201.1-100.100.100.1/require
> spid=8 seq=1 pid=8125
> refcnt=1
> 192.168.0.0/24[any] 200.200.200.0/16[any] any
> out ipsec
> esp/tunnel/100.100.100.1-200.200.201.1/require
> spid=7 seq=0 pid=8125
> refcnt=1
This has the same issues as your gif tunnel setup. You want the tunnel
headers (i.e. what gets slapped onto as the outer header of your packets
after IPsec processing) to go between your local gateway's external IP
address (100.100.100.1) and the external interface of the VPN-1 box at
the remote location (don't think that IP address was in your earlier email.)
The selector (i.e. the pattern that decides which packets should go into
the tunnel) would NORMALLY match the local and remote subnetworks.
HOWEVER, since you're doing NAT, this is getting very tricky.
One option is to select on the RFC1918 private addresses on both sides,
i.e. grab the packets and IPsec-process them BEFORE they get NAT'ed. I'm
pretty sure this could be made to work if both sides were using FreeBSD,
but I'm not a fan of VPN-1 (see below).
Another possibility would be to select the packets after they have been
NAT'ed, but then negotiate a TRANSPORT mode SA. (Since NATs look like
hosts to the network, transport mode between them is valid.)
Lars
[The reason I'm sceptical about VPN-1 is that Checkpoint was using a
range of ports that were registered to others - some to us - for their
VPN-1 thing. When we contacted them about it, they seemed clueless about
IANA and registered ports. Not the most confidence-inspiring behavior
for a firewall vendor.]
--
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
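[Added illustration, not part of Lars's message: the two SPD layouts he
describes, written as setkey(8) spdadd lines. The local gateway's
external address 100.100.100.1 and the subnets come from the quoted
"setkey -DP" output above; REMOTE_GW_EXT stands in for the external
address of the remote VPN-1 box, which is not given in the thread, and
has to be replaced before loading. Neither variant uses a gif(4)
interface; the ESP packets travel directly between the two external
addresses.]

```conf
# Option 1: tunnel mode, selectors on the private (RFC1918) subnets.
# Packets must reach IPsec BEFORE they are NAT'ed, otherwise the source
# address no longer matches the selector and they leave in the clear.
# Check with "setkey -DP" that the policy is installed, and with
# "tcpdump -ni <ext_if> esp" that the outer header is ext-to-ext.
spdadd 192.168.0.0/24 200.200.200.0/16 any -P out ipsec
    esp/tunnel/100.100.100.1-REMOTE_GW_EXT/require;
spdadd 200.200.200.0/16 192.168.0.0/24 any -P in ipsec
    esp/tunnel/REMOTE_GW_EXT-100.100.100.1/require;

# Option 2: transport mode between the two NAT boxes themselves.
# Selectors match the already NAT'ed traffic, i.e. the external
# addresses, so the order of NAT and IPsec processing no longer matters.
# The empty src-dst field ("//") is setkey's syntax for transport mode.
spdadd 100.100.100.1 REMOTE_GW_EXT any -P out ipsec
    esp/transport//require;
spdadd REMOTE_GW_EXT 100.100.100.1 any -P in ipsec
    esp/transport//require;
```

[Only one of the two pairs should be loaded at a time; with "require" on
both, any matching packet for which no SA exists is dropped rather than
sent unprotected, which is the behaviour you want on a gateway.]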
