Date: Tue, 27 May 2008 21:17:53 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Tom Judge
Cc: net@FreeBSD.org
Subject: Re: ICMP Error transmission/response over IPSec tunnels
Message-ID: <20080527211250.M65662@maildrop.int.zabbadoz.net>
In-Reply-To: <483C7858.5000302@tomjudge.com>
References: <483C51EE.7040700@tomjudge.com> <20080527201331.L65662@maildrop.int.zabbadoz.net> <483C70A9.2060500@tomjudge.com> <20080527204111.F65662@maildrop.int.zabbadoz.net> <483C7858.5000302@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, 27 May 2008, Tom Judge wrote:

> Bjoern A. Zeeb wrote:
>> On Tue, 27 May 2008, Tom Judge wrote:
>>
>> Hi,
>>
>>> Yes we do indeed see a reply from node b. It is good to hear that this is
>>> a known issue.
>>>
>>> The IPSec configuration is a gif ipip tunnel that is then encrypted with
>>> IPSec using esp in tunnel mode as per the ipsec vpn section in the
>>> handbook.
>>
>> 1) if you do not need the ipip tunnel because you need an interface
>> and "link state changes", only go with the IPsec tunnel mode.
>>
>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>> mode.
>>
>> (ignore the handbook, try to understand it;)
>
> I have 13 nodes in a partial mesh running ospf for routing. It would not be
> trivial for me to switch from tunnel to transport mode. Also I have not
> tested quagga when the ipsec is in transport mode, and I guess I do need
> interfaces to use with quagga. I may test fixing this additional overhead,
> but as they say if it's not broken don't fix it.

Ok. So basically you would have 12 gif tunnels on each node if it were a
full mesh. So it's less.
So a) you have two endpoints for the gif tunnel, which are your Router A
and Router B endpoints. So the only thing you would need to secure is your
IPIP (gif) tunnel between two nodes (Router A, B). This is what transport
mode is for.

Running a traceroute, the IP stack would need to send the icmp ttl
exceeded packet back via the gif tunnel, which then would have to be
encrypted. To my memory the problem is that this does not work.

You could try to find out at which layer by running tcpdump on the
(external) interface and the gif interfaces, and on enc0 if you have it,
to see if/where the icmp possibly shows up.

/bz

-- 
Bjoern A. Zeeb                              Stop bit received. Insert coin for new game.
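An added diagnostic script (not from the thread or the FreeBSD project) that turns the tcpdump check suggested above into one step: it captures ICMP time-exceeded and ESP traffic on the outer interface, enc0 and the gif interfaces while a traceroute runs, then reports per interface where the ICMP showed up, which localises the layer at which the reply is lost. It assumes root, tcpdump and traceroute in PATH; the interface names (em0, enc0, gif0) and target address are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: capture on several interfaces while a
# traceroute runs, then report where ICMP time-exceeded (and ESP) showed up.
# Assumes root, tcpdump and traceroute in PATH; interface names such as
# em0, enc0, gif0 are placeholders passed by the caller.

PROBE_DIR=${PROBE_DIR:-/tmp/icmp-probe}

# BPF filter: ICMP time exceeded (type 11) in the clear, plus ESP (IP proto 50)
# so the encrypted copy is visible on the outer interface.
probe_filter() {
    printf '%s' 'icmp[icmptype] = icmp-timxceed or ip proto 50'
}

# Count lines of a saved tcpdump text capture matching PATTERN (prints 0 when
# the file is empty or missing).
count_pattern() {
    n=$(grep -c -- "$1" "$2" 2>/dev/null || true)
    echo "${n:-0}"
}

# Run a traceroute to TARGET while tcpdump listens on each interface given,
# then print per-interface counts.  Usage: run_probe 10.0.2.1 em0 enc0 gif0
run_probe() {
    target=$1; shift
    mkdir -p "$PROBE_DIR"
    pids=
    for ifc in "$@"; do
        tcpdump -n -l -i "$ifc" "$(probe_filter)" > "$PROBE_DIR/$ifc.txt" 2>/dev/null &
        pids="$pids $!"
    done
    sleep 1                      # let the captures attach before probing
    traceroute -n -w 2 -q 1 "$target" > "$PROBE_DIR/traceroute.txt" 2>&1 || true
    sleep 1
    kill $pids 2>/dev/null
    wait 2>/dev/null
    for ifc in "$@"; do
        printf '%-6s time-exceeded=%s esp=%s\n' "$ifc" \
            "$(count_pattern 'time exceeded' "$PROBE_DIR/$ifc.txt")" \
            "$(count_pattern 'ESP(spi' "$PROBE_DIR/$ifc.txt")"
    done
}

# Example: run_probe <far-end inner address> <outer iface> enc0 gif0 ...
if [ $# -ge 2 ]; then
    run_probe "$@"
fi
```

A time-exceeded count on the gif interface but none on enc0 or the outer interface points at the gif-to-IPsec hand-off; ESP on the outer interface with nothing decrypted on enc0 at the far end points at the peer's inbound processing.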