Date: Tue, 16 Dec 2003 23:56:16 +0100
From: Eric Masson <e-masson@kisoft-services.com>
To: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject: gre tunnel & ipsec transport mode
Message-ID: <86brq8s773.fsf@t39bsdems.interne.kisoft-services.com>
Hello,

I'm experimenting with dynamic routing protocols in a VPN setup. IPsec tunnel mode is not applicable here as selectors do not appear in the system routing table. So I've tried to use GRE tunnels between LANs and then protect them by IPsec transport mode between gateways.

It seems that gre pseudo interfaces & the IPsec stack don't interact very well in this setup (4.8-RELEASE-p14 boxes).

I've set up the following test case:

    192.168.197.* --- Router A --- gre tunnel --- Router B --- 10.168.18.*
                         \                            /
                          +----------Internet---------+

GRE tunnel setup:
Each router has a gre tunnel to its peer and the associated network route. Traffic from 192.168.197/24 hosts to 10.168.18/24 hosts flows fine, tcpdump reports GRE packets between the two routers.

IPsec transport mode setup:
Each router has an outgoing & incoming transport IPsec policy (ah+esp) to its peer for any protocol. Isakmpd (racoon) is active. Direct connection from one router to the other (ssh, telnet...) sees the IPsec SP applied and works fine.

Mixing the two setups:
IPsec-transformed GRE packets leave the originating box for the other tunnel endpoint (tcpdump reports ah+esp packets flowing outside). On the destination box, tcpdump shows the incoming IPsec-transformed GRE packets, but these packets don't make their way to the internal interface, and are silently dropped (no log anywhere).

I've tried to look at /sys/net/ip_input.c, /sys/net/in_gif.c & /sys/net/ip_gre.c to understand the case, as gif tunnels get encapsulated correctly, but no immediate fix came to my mind, but I must say I'm no C guru nor kernel hacker :/

Has anyone any idea or fix on this case?

TIA
Regards

Eric Masson
-- 
I don't think it's you.... you're far too vicious to act that way. Your kind is more likely to contact the bank directly, hoping I won't get my referral gifts!!!!!
-+- JD in <http://www.le-gnu.net> : Petit neuneu Noël -+-
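As an added example that is not part of the post, this is a setkey(8) SPD file reproducing the transport-mode ah+esp policy the post describes, as seen from Router A; the gateway and gre0 point-to-point addresses are constructed placeholders, and the ifconfig/route lines in the comments are an assumed GRE setup, not the author's.

```conf
# setkey(8) SPD for Router A, loaded with:  setkey -f /etc/ipsec.conf
# Constructed placeholder addresses (not from the post):
#   Router A public address: 192.0.2.1
#   Router B public address: 198.51.100.1
# Assumed GRE setup done beforehand (gre(4) on FreeBSD 4.x), e.g.:
#   ifconfig gre0 create
#   ifconfig gre0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gre0 inet 10.255.0.1 10.255.0.2 netmask 255.255.255.252 up
#   route add -net 10.168.18.0/24 10.255.0.2
# SAs are negotiated by racoon, so only policies (SPD) are defined here.

flush;
spdflush;

# Transport mode: the selectors are the gateway addresses themselves, so
# the LAN prefixes appear neither here nor in the routing table (the
# reason tunnel mode was rejected).  "any" covers IP protocol 47 (GRE)
# as well as direct gateway-to-gateway traffic such as ssh.  The
# protocols are listed inner to outer, so AH wraps ESP on the wire.
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec
    esp/transport//require
    ah/transport//require;

spdadd 198.51.100.1 192.0.2.1 any -P in ipsec
    esp/transport//require
    ah/transport//require;
```

Router B uses the same file with the two addresses swapped. To locate the drop described above, compare tcpdump on the external interface (ah+esp arriving) with tcpdump on gre0 (nothing decapsulated) and check `setkey -D` to confirm the SAs racoon negotiated are the ones the inbound policy requires.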