From owner-freebsd-hackers  Sat Sep 28 11:18:51 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EDA8837B401
	for <freebsd-hackers@freebsd.org>; Sat, 28 Sep 2002 11:18:47 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 726D943E86
	for <freebsd-hackers@freebsd.org>; Sat, 28 Sep 2002 11:18:47 -0700 (PDT)
	(envelope-from larse@ISI.EDU)
Received: from isi.edu (c1-vpn5.isi.edu [128.9.176.35])
	by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g8SIIiC24959;
	Sat, 28 Sep 2002 11:18:44 -0700 (PDT)
Message-ID: <3D95F282.8020009@isi.edu>
Date: Sat, 28 Sep 2002 11:18:42 -0700
From: Lars Eggert <larse@ISI.EDU>
Organization: USC Information Sciences Institute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2a) Gecko/20020910
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ian Cartwright <ian351c@cox.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: VPN Routing through gif (4) tunnel
References: <004e01c26718$087ad960$6600a8c0@iansxp>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms070600030009070702020605"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

This is a cryptographically signed message in MIME format.

--------------ms070600030009070702020605
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Ian,

this stuff is definitly tricky to get into... :-)

Ian Cartwright wrote:
> 
> Thank you very much for the document, it was very informative. So what
> you are sayng is that I am running two tunnels in parallel? I had
> suspected this, but since it was the only way I was able to make it work
> and all the examples I could find fro FreeBSD involved a gif tunnel, I
> thought therer might be some "special" inbteraction with the kernel that
> required a gif tunnel for tunnel mode IPSec.

I sent email to a bunch of tutorial authors that do the 
two-tunnel-in-parallel-thing when this came up on the list before. Two 
at least said they were going to modify their tutorials ("when I wrote 
this I was still learning about this stuff", etc.), but I don't think 
they did yet.

> So, continuing with my configuration from my original message "setkey
> -DP" would shouw:
> 
> 200.200.200.0/16[any] 192.168.0.0/24[any] any
>         in ipsec
>         esp/tunnel/200.200.201.1-100.100.100.1/require
>         spid=8 seq=1 pid=8125
>         refcnt=1
> 192.168.0.0/24[any] 200.200.200.0/16[any] any
>         out ipsec
>         esp/tunnel/100.100.100.1-200.200.201.1/require
>         spid=7 seq=0 pid=8125
>         refcnt=1

This has the same issues as your gif tunnel setup. You want the tunnel 
headers (i.e. what gets slapped onto as the outer header of your packets 
after IPsec processing) to go between your local gatway's external IP 
address (100.100.100.1) and the external interface of the VPN-1 box at 
the remote location (don't think that IP address was in your earlier email.)

The selector (i.e. the pattern that decides which packets should go into 
the tunnel) would NORMALLY match the local and remote subnetworks. 
HOWEVER, since you're doing NAT, this is getting very tricky.

One option is to select on the RFC1918 private addresses on both sides, 
i.e. grab the packets and IPsec-process them BEFORE they get NAT'ed. I'm 
pretty sure this could be made to work if both sides were using FreeBSD, 
but I'm not a fan of VPN-1 (see below).

Another possibility would be to select the packets after they have been 
NAT'ed, but then negotioate a TRANSPORT mode SA. (Since NATs look like 
hosts to the network, transport mode betweenm them is valid.)

Lars

[The reason I'm sceptical about VPN-1 is that Checkpoint was using a 
range of ports that were registered to others - some to us - for their 
VPN-1 thing. When we contacted them about it, they seemed clueless about 
IANA and registered ports. Not the most confidence-inspiring behavior 
for a firewall vendor.]

-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute

--------------ms070600030009070702020605
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJtjCC
AzgwggKhoAMCAQICEGZFcrfMdPXPY3ZFhNAukQEwDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNV
BAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgG
A1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vydmlj
ZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkG
CSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAw
MDBaFw0wNDA4MjcyMzU5NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBD
YXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2Vy
dGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAw
LjguMzAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZ
gpcO40QpimM1Km1wPPrcrvfudG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqd
knWoJ67Ycvm6AvbXsJHeHOmr4BgDqHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFp
AgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzAS
BgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOBgQAxsUtH
XfkBceX1U2xdedY9mMAmE2KBIqcS+CKV6BtJtyd7BDm6/ObyJOuR+r3sDSo491BVqGz3Da1M
G7wD9LXrokefbKIMWI0xQgkRbLAaadErErJAXWr5edDqLiXdiuT82w0fnQLzWtvKPPZE6iZp
h39Ins6ln+eE2MliYq0FxjCCAzkwggKioAMCAQICAwglQTANBgkqhkiG9w0BAQQFADCBkjEL
MAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
MQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYD
VQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMB4XDTAyMDgyNDE4NTMzOVoX
DTAzMDgyNDE4NTMzOVowVDEPMA0GA1UEBBMGRWdnZXJ0MQ0wCwYDVQQqEwRMYXJzMRQwEgYD
VQQDEwtMYXJzIEVnZ2VydDEcMBoGCSqGSIb3DQEJARYNbGFyc2VAaXNpLmVkdTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANI2Rrt4ggaQ/IrOsDeOm2H4/R5FRIL6JjDY3StE
aogp1r23WKniQ1Vj98Nu5WxlaZ3Iam3Jen5T66H8u7rtMNpK4qAeAGoBsVeyVr1+CTFeuv+m
xCh7BvBJwhLdm0zDaoDT05YKYZaqtsT+F286FWJQg31Xtf+vTKLVVrHcsafnteyal2NEt7Ac
yZZfjsVLwxp2Lq3cwYfRQRoo7/yCVzS7HsgM6jmbO4taEMo4yC2rpnUbWEUCDTaCYgpAXzAl
oiNk7GDh0wz2s5ZSnHRvNSBMAjCmpNtSYHfXFI1ANwrrrHIJ7Ei83+XN32PWY4OPzO3iown9
VR+vM+8lNx9OX28CAwEAAaNWMFQwKgYFK2UBBAEEITAfAgEAMBowGAIBBAQTTDJ1TXlmZkJO
VWJOSkpjZFoyczAYBgNVHREEETAPgQ1sYXJzZUBpc2kuZWR1MAwGA1UdEwEB/wQCMAAwDQYJ
KoZIhvcNAQEEBQADgYEAXcrIlKmPLM/r8r3oz2ZLPLaT1AyMjYTZY2qq/R7SUtFa9BNlTIFh
DG78QKfJ9lo2LMzTPQqMZgNLmj95GbNPI8P8OIq2K6MeCZWz08ROackqTFP6xWbIFIfXcBVR
1dZnDDyDKBBh05KkvyTPawSQyOBUeNBfQUyO4TE+3o58U8UwggM5MIICoqADAgECAgMIJUEw
DQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUx
EjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZp
Y2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4z
MDAeFw0wMjA4MjQxODUzMzlaFw0wMzA4MjQxODUzMzlaMFQxDzANBgNVBAQTBkVnZ2VydDEN
MAsGA1UEKhMETGFyczEUMBIGA1UEAxMLTGFycyBFZ2dlcnQxHDAaBgkqhkiG9w0BCQEWDWxh
cnNlQGlzaS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNka7eIIGkPyK
zrA3jpth+P0eRUSC+iYw2N0rRGqIKda9t1ip4kNVY/fDbuVsZWmdyGptyXp+U+uh/Lu67TDa
SuKgHgBqAbFXsla9fgkxXrr/psQoewbwScIS3ZtMw2qA09OWCmGWqrbE/hdvOhViUIN9V7X/
r0yi1Vax3LGn57XsmpdjRLewHMmWX47FS8Madi6t3MGH0UEaKO/8glc0ux7IDOo5mzuLWhDK
OMgtq6Z1G1hFAg02gmIKQF8wJaIjZOxg4dMM9rOWUpx0bzUgTAIwpqTbUmB31xSNQDcK66xy
CexIvN/lzd9j1mODj8zt4qMJ/VUfrzPvJTcfTl9vAgMBAAGjVjBUMCoGBStlAQQBBCEwHwIB
ADAaMBgCAQQEE0wydU15ZmZCTlViTkpKY2RaMnMwGAYDVR0RBBEwD4ENbGFyc2VAaXNpLmVk
dTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAF3KyJSpjyzP6/K96M9mSzy2k9QM
jI2E2WNqqv0e0lLRWvQTZUyBYQxu/ECnyfZaNizM0z0KjGYDS5o/eRmzTyPD/DiKtiujHgmV
s9PETmnJKkxT+sVmyBSH13AVUdXWZww8gygQYdOSpL8kz2sEkMjgVHjQX0FMjuExPt6OfFPF
MYIDJzCCAyMCAQEwgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUx
EjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZp
Y2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4z
MAIDCCVBMAkGBSsOAwIaBQCgggFhMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI
hvcNAQkFMQ8XDTAyMDkyODE4MTg0MlowIwYJKoZIhvcNAQkEMRYEFEv1Ha4dzcyquldBq9ab
g8rO50NrMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0G
CCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGtBgsqhkiG9w0BCRACCzGB
naCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZp
Y2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMIJUEwDQYJ
KoZIhvcNAQEBBQAEggEAkdHuU3ob2IqOR1o7/jlhnybY0Y6FPup8JY9NW/7/TXDDKL/roALR
BLVZVpJ+8lLnUHahJNlhhi9LFGgcX+wPDNpobEzBA42t4rc+cgadZPWl+z3i6zLLNyOee8Vw
c/TFa6xvDfVSSw6Xryp56xRhuMaO7Y3dC6kFmvgqusDh4YvnB2/A3iB9eW6kmkgf0RZJ0wLN
M3oWaJFlGo4bMqzxEh6Nd4mPQxrTsE4igPRVj9lWJeXpzvOIp5cRsD3pAVpcF89x8JDJffTp
uTPbeJENak7a8ou5api98ruH2ItyXcfHxrP1smpLZsv+je070XGj2CIX/jcsancwlGpAU197
JwAAAAAAAA==
--------------ms070600030009070702020605--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message