Date: Tue, 18 Mar 2003 03:07:30 -0000 From: "chris scott" <chris.scott@uk.tiscali.com> To: <freebsd-questions@freebsd.org> Subject: ipsec and gre tunnels Message-ID: <001901c2ecfb$83e82210$c4102c0a@viper>
Hi,
I currently have a VPN set up between a few LANs using FreeBSD, IPsec and gif tunnels. It all works perfectly. However, I noticed that there is a new pseudo-device for gre tunnels. As the overhead is supposed to be less for this type of tunnel, I decided to test things out. I ran cvs and made world and kernel on the two test machines. No problems here. I tested the original tunnels, all working ok, and racoon was doing key exchange with no problems. I set up the test gre tunnel with the following syntax:
/sbin/ifconfig gre0 create tunnel hostA hostB
/sbin/ifconfig gre0 192.168.250.34 192.168.250.33 netmask 255.255.255.252
/sbin/route add 192.168.250.33/30 -interface gre0
/sbin/ifconfig gre0 up
Cool, the tunnel is up and seems to work ok. Now I implement the following IPsec policy, which is just an extension of what I was using before for the gif tunnels:
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
# these 2 rules are so i can connect to my ethernet dsl modem
# without the traffic getting encrypted, which is bad
spdadd 10.0.0.0/24 10.0.0.0/24 gre -P out none ;
spdadd 10.0.0.0/24 10.0.0.0/24 gre -P in none ;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
Hmm, now the tunnel doesn't work. Key exchange seems to be ok as the gif tunnel is still working. Does anyone have any idea why the tunnel should stop working?
The man page for setkey has a mysterious reference under the upperspec description:
    We have many protocols in /etc/protocols, but protocols except of TCP, UDP and ICMP may not
    be suitable to use with IPsec. You have to consider and be careful to use them.
    icmp tcp udp all protocols
Could gre be one of these protocols, and if so, why?
root on gateway# ifconfig gre0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
tunnel inet hostB --> hostA
inet 192.168.250.34 --> 192.168.250.33 netmask 0xfffffffc
root on gateway# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet hostB --> hostA
inet 192.168.250.1 --> 192.168.250.2 netmask 0xfffffffc
root on gateway# ping 192.168.250.33
PING 192.168.250.33 (192.168.250.33): 56 data bytes
^C
--- 192.168.250.33 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
root on gateway# ping 192.168.250.1
PING 192.168.250.1 (192.168.250.1): 56 data bytes
^C
--- 192.168.250.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root on gateway# ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2): 56 data bytes
64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.682 ms
64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.543 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.981 ms
64 bytes from 192.168.250.2: icmp_seq=3 ttl=64 time=37.159 ms
^C
--- 192.168.250.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 37.159/37.591/37.981/0.296 ms
root on gateway# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] ip4
in ipsec
esp/transport//require
spid=1004 seq=5 pid=75744
refcnt=1
10.0.0.0/24[any] 10.0.0.0/24[any] gre
in none
spid=1006 seq=4 pid=75744
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
in ipsec
esp/transport//require
spid=1008 seq=3 pid=75744
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] ip4
out ipsec
esp/transport//require
spid=1003 seq=2 pid=75744
refcnt=1
10.0.0.0/24[any] 10.0.0.0/24[any] gre
out none
spid=1005 seq=1 pid=75744
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
out ipsec
esp/transport//require
spid=1007 seq=0 pid=75744
refcnt=1
root on gateway# setkey -D
hostB hostA
esp mode=transport spi=226290556(0x0d7ceb7c) reqid=0(0x00000000)
E: 3des-cbc 9ef25cfa f136ecac e6548771 b6675ea5 2427613a d8079969
A: hmac-sha1 fe01a845 3c3288ae 329bdd2e bff2bdb8 19224348
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
diff: 1(s) hard: 30(s) soft: 24(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=75781 refcnt=1
hostB hostA
esp mode=transport spi=257583206(0x0f5a6866) reqid=0(0x00000000)
E: 3des-cbc 1786ff2d 76e3b6bb 69b21e0e e0bdd83e a993c063 7fb17d15
A: hmac-sha1 53985951 232ffa3b 915f8aea 921c775a 00b20759
seq=0x00000009 replay=4 flags=0x00000000 state=dying
created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
diff: 26(s) hard: 30(s) soft: 24(s)
last: Mar 5 12:13:52 2003 hard: 0(s) soft: 0(s)
current: 1264(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 9 hard: 0 soft: 0
sadb_seq=2 pid=75781 refcnt=3
hostA hostB
esp mode=transport spi=68215519(0x0410e2df) reqid=0(0x00000000)
E: 3des-cbc ed219090 5d6f888a e8802825 721304be 93e378a2 0b0386c1
A: hmac-sha1 d5cbeafd bc53fd2b 1fc793e3 a7ba645f acd15afb
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 5 12:14:01 2003 current: Mar 5 12:14:02 2003
diff: 1(s) hard: 30(s) soft: 24(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=75781 refcnt=1
hostA hostB
esp mode=transport spi=29715957(0x01c56df5) reqid=0(0x00000000)
E: 3des-cbc ba32a2af 132d3b56 59b26bcf bb094266 2092da1c c598213b
A: hmac-sha1 9132f5a9 c5eebd8f cb1bb01d 681a4ff6 1bd042f3
seq=0x0000000a replay=4 flags=0x00000000 state=dying
created: Mar 5 12:13:36 2003 current: Mar 5 12:14:02 2003
diff: 26(s) hard: 30(s) soft: 24(s)
last: Mar 5 12:14:00 2003 hard: 0(s) soft: 0(s)
current: 1716(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=0 pid=75781 refcnt=1
root on gateway#
root on gateway# setkey -FP; setkey -F ; ping 192.168.250.33
PING 192.168.250.33 (192.168.250.33): 56 data bytes
64 bytes from 192.168.250.33: icmp_seq=0 ttl=64 time=35.470 ms
64 bytes from 192.168.250.33: icmp_seq=1 ttl=64 time=33.644 ms
64 bytes from 192.168.250.33: icmp_seq=2 ttl=64 time=33.889 ms
64 bytes from 192.168.250.33: icmp_seq=3 ttl=64 time=33.670 ms
64 bytes from 192.168.250.33: icmp_seq=4 ttl=64 time=34.687 ms
64 bytes from 192.168.250.33: icmp_seq=5 ttl=64 time=33.907 ms
^C
--- 192.168.250.33 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 33.644/34.211/35.470/0.661 ms
root on gateway# ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2): 56 data bytes
64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=35.012 ms
64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=34.409 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=34.092 ms
^C
--- 192.168.250.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 34.092/34.504/35.012/0.382 ms
root on gateway# setkey -f /etc/ipsec.conf
root on gateway# ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2): 56 data bytes
64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.455 ms
64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.240 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.909 ms
^C
--- 192.168.250.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 37.240/37.535/37.909/0.279 ms
root on gateway# ping 192.168.250.33
PING 192.168.250.33 (192.168.250.33): 56 data bytes
^C
--- 192.168.250.33 ping statistics ---
23 packets transmitted, 0 packets received, 100% packet loss
regards
Chris Scott
MK NOC
01908223901
IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only. Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence. Please delete if obtained in error and email confirmation to the
sender.
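Added example, not part of Chris's post or of FreeBSD's setkey: a small Python parser for the shape of `setkey -DP` output shown above, so that the SPD entries consulted for a given upperspec and direction, and any `none` entries that exempt traffic from IPsec, can be listed mechanically instead of read by eye. The sample dump below is constructed from three of the entries in the post, indented as setkey actually prints them; nothing else is assumed.

```python
import re

# Constructed sample: three SPD entries from the post, indented as `setkey -DP` prints them.
SPD_DUMP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] ip4
\tin ipsec
\tesp/transport//require
\tspid=1004 seq=5 pid=75744
\trefcnt=1
10.0.0.0/24[any] 10.0.0.0/24[any] gre
\tin none
\tspid=1006 seq=4 pid=75744
\trefcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
\tin ipsec
\tesp/transport//require
\tspid=1008 seq=3 pid=75744
\trefcnt=1
"""
SEL_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # "src[port] dst[port] upperspec"

def parse_spd(text):
    """Turn a `setkey -DP` dump into one dict per SPD entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEL_RE.match(line)
        if m:                                   # a selector line opens a new entry
            cur = {"src": m.group(1), "dst": m.group(3), "proto": m.group(5),
                   "dir": None, "policy": None, "rules": [], "spid": None}
            entries.append(cur)
        elif not line or cur is None:           # blank line or text before the first entry
            continue
        elif line.split()[0] in ("in", "out"):  # "in ipsec" / "out none" ...
            cur["dir"], cur["policy"] = line.split(maxsplit=1)
        elif line.startswith("spid="):
            cur["spid"] = int(line.split()[0].split("=", 1)[1])
        elif "/" in line:                       # rule lines such as esp/transport//require
            cur["rules"].append(line)
    return entries

def consulted(entries, proto, direction):
    """Entries whose upperspec and direction match the given traffic."""
    return [e for e in entries if e["proto"] == proto and e["dir"] == direction]

def bypass_entries(entries):
    """Entries that exempt traffic from IPsec (policy 'none'); worth auditing on a gateway."""
    return [e for e in entries if e["policy"] == "none"]
```

Feed it the real output with `parse_spd(subprocess.check_output(["setkey", "-DP"], text=True))` to compare what the kernel holds against what /etc/ipsec.conf was meant to load.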