From owner-freebsd-net@FreeBSD.ORG Tue Dec 16 14:56:28 2003
To: Mailing List FreeBSD Network
From: Eric Masson
X-Operating-System: FreeBSD 4.9-STABLE i386
Date: Tue, 16 Dec 2003 23:56:16 +0100
Message-ID: <86brq8s773.fsf@t39bsdems.interne.kisoft-services.com>
Subject: gre tunnel & ipsec transport mode

Hello,

I'm experimenting with dynamic routing protocols in a VPN setup. IPsec tunnel mode is not applicable here, as selectors do not appear in the system routing table. So I've tried to use GRE tunnels between LANs and then protect them with IPsec transport mode between the gateways. It seems that GRE pseudo-interfaces and the IPsec stack don't interact very well in this setup (4.8-RELEASE-p14 boxes).
I've set up the following test case:

    192.168.197.* --- Router A --- gre tunnel --- Router B --- 10.168.18.*
                          \                          /
                           +--------Internet--------+

GRE tunnels setup:
Each router has a GRE tunnel to its peer and the associated network route. Traffic from 192.168.197/24 hosts to 10.168.18/24 hosts flows fine; tcpdump reports GRE packets between the two routers.

IPsec transport mode setup:
Each router has outgoing and incoming transport-mode IPsec policies (AH+ESP) to its peer for any protocol. Isakmpd (racoon) is active. Direct connections from one router to the other (ssh, telnet...) see the IPsec SP applied and work fine.

Mixing the two setups:
IPsec-transformed GRE packets leave the originating box for the other tunnel endpoint (tcpdump reports AH+ESP packets flowing outside). On the destination box, tcpdump shows the incoming IPsec-transformed GRE packets, but these packets don't make their way to the internal interface and are silently dropped (no log anywhere).

I've tried to look at /sys/net/ip_input.c, /sys/net/in_gif.c and /sys/net/ip_gre.c to understand the case, as gif tunnels get encapsulated correctly, but no immediate fix came to my mind; I must say I'm no C guru nor kernel hacker :/

Has anyone any idea or fix for this case?

TIA

Regards

Eric Masson

--
I don't think it was you.... you are far too devious to act that way. Your style is more to contact the bank directly, hoping that I won't get my referral gifts!!!!!
-+- JD in: Petit neuneu Noël -+-
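The setup described in the post, written out for Router A as a shell fragment. This is an added illustration, not Eric Masson's own configuration: the public and inner tunnel addresses are constructed placeholders, the SAs are assumed to be negotiated by racoon, and it assumes gre is compiled into the 4.x kernel as a pseudo-device (so no "ifconfig create" step).

```sh
#!/bin/sh
# Router A side of the poster's topology (FreeBSD 4.x).  All addresses
# below are constructed placeholders, not the poster's real ones.
A_PUB=203.0.113.1          # Router A Internet-facing address (assumed)
B_PUB=198.51.100.1         # Router B Internet-facing address (assumed)
A_GRE=10.255.0.1           # gre0 inner endpoint on Router A (assumed)
B_GRE=10.255.0.2           # gre0 inner endpoint on Router B (assumed)
REMOTE_LAN=10.168.18.0/24  # LAN behind Router B (from the post)

# GRE tunnel: outer addresses are the public ones, inner /32 link,
# plus the network route a routing daemon would otherwise learn.
gre_setup() {
    ifconfig gre0 tunnel "$A_PUB" "$B_PUB"
    ifconfig gre0 inet "$A_GRE" "$B_GRE" netmask 255.255.255.255 up
    route add -net "$REMOTE_LAN" "$B_GRE"
}

# Transport-mode SPD between the two gateways, AH+ESP, any protocol,
# as the post describes.  Printed rather than applied so it can be
# reviewed first; feed it to "setkey -c" to load it.
ipsec_policy() {
    cat <<EOF
spdadd $A_PUB $B_PUB any -P out ipsec esp/transport//require ah/transport//require;
spdadd $B_PUB $A_PUB any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# The two observations the post reports: ESP (50) / AH (51) visible on
# the outside interface, GRE (47) or inner-LAN traffic absent inside.
check_outside() { tcpdump -ni "$1" 'ip proto 50 or ip proto 51'; }
check_inside()  { tcpdump -ni "$1" "ip proto 47 or net $REMOTE_LAN"; }

# Only touch the system when explicitly asked: ./gre-ipsec.sh apply
if [ "${1:-}" = apply ]; then
    gre_setup
    ipsec_policy | setkey -c
fi
```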