Date: Mon, 27 Sep 2004 12:22:55 +0100
From: Brian Somers <brian@Awfulhak.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-net@freebsd.org
Subject: Re: ICMP_UNREACH_NEEDFRAG broken in -current
Message-ID: <20040927122255.71d60282@dev.lan.Awfulhak.org>
In-Reply-To: <Pine.BSF.4.53.0409271058030.11069@e0-0.zab2.int.zabbadoz.net>
References: <20040927113624.4a342952@dev.lan.Awfulhak.org> <Pine.BSF.4.53.0409271058030.11069@e0-0.zab2.int.zabbadoz.net>
On Mon, 27 Sep 2004 10:59:54 +0000 (UTC), "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
> On Mon, 27 Sep 2004, Brian Somers wrote:
>
> > The outside network segment is an IPSEC configuration with gif interfaces
> ...
> > Comments/suggestions/flames?
>
> most likely unrelated but I need input on this so ...
> why do you need gif(4) ?

With an ipsec-only solution, talking from a gateway box to an internal host on the ``other'' network doesn't work nicely.... especially if the internal host on the other network doesn't have a route for it.

In my scenario, some 172.16.10.0/24 machines don't have a default route and therefore can't reach 80.177.173.150. Using gif results in traffic from the gateway box using the gateway box's internal IP number as the source rather than its external IP number. This allows a simple security policy:

172.16.10.212 $ cat /etc/ipsec.conf
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;

172.16.0.1 $ ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        ether 00:40:f4:b1:1c:85
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 80.177.173.150 --> 194.242.157.46
        inet 172.16.0.1 --> 172.16.10.212 netmask 0xffffffff
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 80.177.173.150 --> 217.47.133.74 netmask 0xffffffff
        Opened by PID 876

172.16.10.212 $ ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 194.242.157.46 netmask 0xfffffff8 broadcast 194.242.157.47
        ether 00:03:ba:2d:d9:f0
        media: Ethernet autoselect (1000baseSX <full-duplex>)
        status: active
bge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 172.16.10.212 netmask 0xffffff00 broadcast 172.16.10.255
        ether 00:03:ba:2d:d9:f1
        media: Ethernet autoselect (1000baseSX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 194.242.157.46 --> 80.177.173.150
        inet 172.16.10.212 --> 172.16.0.1 netmask 0xffffffff

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
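The following is an added illustration of the gif(4)-over-transport-mode-IPsec arrangement described in the message above; it is not code from the original post or from FreeBSD. It models two things the mail argues: that an internal host with no default route can still answer the gateway when the gateway sources packets from its gif address, and that every gif-encapsulated packet matches the single /32-to-/32 pair of spdadd policies from the quoted /etc/ipsec.conf. The addresses and the ipsec.conf lines are the ones quoted in the mail; the routing table of 172.16.10.212 and the `audit_spd` check are constructed for the example.

```python
"""Model of gif(4) over transport-mode IPsec (added example, not from the original post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


RouteTable = List[Tuple[str, str]]


def lookup_route(table: RouteTable, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the interface or None when no route covers dst."""
    best_len, best_via = -1, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_via = net.prefixlen, via
    return best_via


# Constructed: routes on 172.16.10.212 -- its own LAN and the gif peer, no default route,
# which is the situation the mail describes for some 172.16.10.0/24 machines.
INTERNAL_HOST_ROUTES: RouteTable = [
    ("172.16.10.0/24", "bge2"),
    ("172.16.0.1/32", "gif0"),
]

# Tunnel endpoints and gif addresses as quoted in the mail.
GW_EXT, GW_GIF = ipaddress.ip_address("80.177.173.150"), ipaddress.ip_address("172.16.0.1")
HOST_EXT, HOST_GIF = ipaddress.ip_address("194.242.157.46"), ipaddress.ip_address("172.16.10.212")

# The /etc/ipsec.conf shown in the mail for 172.16.10.212.
IPSEC_CONF = """\
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/<mode>/<endpoints>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\w+)/(\w+)/[^/]*/(\w+)\s*;"
)


def parse_spd(text: str) -> List[Dict]:
    """Parse setkey(8)-style spdadd lines into policy dicts; other lines are ignored."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if m:
            src, dst, direction, proto, mode, level = m.groups()
            policies.append({"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                             "dir": direction, "proto": proto, "mode": mode, "level": level})
    return policies


def spd_lookup(policies: List[Dict], pkt: Packet, direction: str) -> Optional[Dict]:
    """First policy whose selector covers pkt in that direction; None means no IPsec applied."""
    for p in policies:
        if p["dir"] == direction and pkt.src in p["src"] and pkt.dst in p["dst"]:
            return p
    return None


def audit_spd(policies: List[Dict]) -> List[str]:
    """Constructed check: flag policies that would let tunnel traffic pass without ESP."""
    findings = []
    for p in policies:
        if p["proto"] != "esp" or p["level"] != "require":
            findings.append(f"{p['dir']} {p['src']}->{p['dst']}: "
                            f"{p['proto']}/{p['level']} does not force ESP")
    if {p["dir"] for p in policies} != {"in", "out"}:
        findings.append("SPD does not cover both directions")
    return findings


def gif_encapsulate(inner: Packet, local_tunnel, remote_tunnel) -> Packet:
    """gif(4) wraps the inner packet in an outer IP header between the tunnel endpoints."""
    return Packet(local_tunnel, remote_tunnel)


def demo() -> Dict:
    policies = parse_spd(IPSEC_CONF)
    # Gateway -> internal host, sourced from the gateway's gif address, as seen at 172.16.10.212.
    outer_in = gif_encapsulate(Packet(GW_GIF, HOST_GIF), GW_EXT, HOST_EXT)
    in_pol = spd_lookup(policies, outer_in, "in")
    # The host replies to the gif peer; gif wraps that reply between the same endpoints.
    outer_out = gif_encapsulate(Packet(HOST_GIF, GW_GIF), HOST_EXT, GW_EXT)
    out_pol = spd_lookup(policies, outer_out, "out")
    return {
        "inbound_requires_esp": in_pol is not None and in_pol["level"] == "require",
        "outbound_requires_esp": out_pol is not None and out_pol["level"] == "require",
        "reply_to_gif_peer_via": lookup_route(INTERNAL_HOST_ROUTES, GW_GIF),
        "reply_to_gateway_ext_via": lookup_route(INTERNAL_HOST_ROUTES, GW_EXT),
        "spd_findings": audit_spd(policies),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the reply to the gif peer (172.16.0.1) resolving via gif0 while a reply aimed at the gateway's external address (80.177.173.150) has no route on a host without a default route, and both encapsulated directions landing on a `require`-level ESP policy. `audit_spd` is the kind of check worth keeping around: a `use` level or a missing direction in the SPD would let traffic between the endpoints leave in the clear.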