From owner-freebsd-stable Fri Nov 15 12:24: 8 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BE5737B401 for ; Fri, 15 Nov 2002 12:24:07 -0800 (PST) Received: from sep.oldach.net (sep.oldach.net [194.180.25.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9101243EBE for ; Fri, 15 Nov 2002 12:24:01 -0800 (PST) (envelope-from hmo@sep.oldach.net) Received: from sep.oldach.net (localhost [127.0.0.1]) by sep.oldach.net (8.12.6/8.12.6/hmo29jun02) with ESMTP id gAFKNrgm022115 (version=TLSv1/SSLv3 cipher=EDH-DSS-DES-CBC3-SHA bits=168 verify=NO); Fri, 15 Nov 2002 21:23:54 +0100 (CET) (envelope-from hmo@sep.oldach.net) Received: (from hmo@localhost) by sep.oldach.net (8.12.6/8.12.6/Submit) id gAFKNrCZ022114; Fri, 15 Nov 2002 21:23:53 +0100 (CET) (envelope-from hmo) Message-Id: <200211152023.gAFKNrCZ022114@sep.oldach.net> Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? In-Reply-To: <20021115145342.GA4032@grumpy.dyndns.org> from David Kelly at "Nov 15, 2002 8:53:42 am" To: dkelly@hiwaay.net (David Kelly) Date: Fri, 15 Nov 2002 21:23:53 +0100 (CET) Cc: freebsd-stable@freebsd.org From: Helge Oldach MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG David Kelly: > Have a suspicion I'm not really using gif altho I've configured the > interfaces. Earlier yesterday found I had not updated an IP address in > the gif0 device which changed a month or to prior. Yet things were still > working. There is no need to use gif(4) for gateway-to-gateway communications, as on a gateway you usually have a designated inside and outside (= public) NIC, with the IP address of the outside NIC being used as the IPSec peer. The only reason to use gif is if you don't run a VPN gateway but a host and use ESP in tunnel mode: In this case the outside NIC is the IPSec peer, but you need an inside IP address as well. There is some lack of flexibility with common Unix networking stacks compared to "real" routers, so the gif interface is being employed to get the routing to the remote side straight. This adds confusion: while gif(4) is a tunnel interface it is in fact not used. What actually happens is that your packets attempt to "enter" the gif interface, are caught by IPSec and placed into the ESP tunnel which essentially rewrites their IP address, and makes them being sent according to the routing table to the outside interface. Hence your packet counters on gif are always zero. If you don't like gif because it violates the rule of least astonishment, another option would be to assign a secondary (oops Cisco lingo - in BSD terms: alias :-)) address to the outside interface and set up a route to the private remote side via your default gateway. You need to add a static ARP entry using the MAC address of your default gateway with the private remote side IP address to make the routing working. Another natural choice would be a loopback interface (say lo1), but for some reason I don't understand this doesn't work. Likely some packet chomping optimization of loopbacks. Regards, Helge To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message