Date:      Fri, 15 Nov 2002 08:53:42 -0600
From:      David Kelly <dkelly@hiwaay.net>
To:        Greg Panula <greg.panula@dolaninformation.com>
Cc:        FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID:  <20021115145342.GA4032@grumpy.dyndns.org>
In-Reply-To: <3DD4F4D1.83C77B0@dolaninformation.com>
References:  <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com>

On Fri, Nov 15, 2002 at 07:21:21AM -0600, Greg Panula wrote:
> David Kelly wrote:
> > 
> > Ran cvsup this morning (11/14/2002), built world, installed world, built
> > and installed new kernel, forgot mergemaster, rebooted, and my VPN to
> > another FreeBSD box was not working. Did not update the other box.
[...]
> > No doubt I'm lost as to how IPsec packets traverse thru these layers.
> > When setting the system up was surprised to find nothing came thru
> > gif0. At least nothing ipfw sees.
> 
> gif tunnels aren't really needed for passing IPSec traffic between
> locations.  I have stopped using them.

Game for any solution. For all I know the gif tunnel isn't doing
anything as I never see any packets over that device. Actually I'd
*like* to see the packets via gif0 simply because they are not really
fxp0 or fxp1 packets until inserted on the internal network.

> You might try adding an allow rule for esp traffic just before your rule
> 600.

My ESP rule is after 600, after divert, and is working. The problem is
the tunneled packets re-routed thru IPFW after being un-tunneled are
appearing on the external NIC when previously they were on the internal
NIC. It is only the incoming packets from the remote internal private
network which are appearing on the wrong NIC.

> Something like:
> ipfw add 550 allow esp from <local> to <remote> out via fxp1
> ipfw add 555 allow esp from <remote> to <local> in via fxp1

Have those already, pretty far down the page and appear to be fairly
active:
05800   678   127611 allow udp from me 500 to <remote> 500 via fxp1
05900   327   100572 allow udp from <remote> 500 to me 500 via fxp1

> If you are using gif tunnels for passing your ipsec traffic thru you
> might want to try not using them.  I ran into some similar funkyness a
> while back.  Packets traverse the gif tunnel, get decrypted and then get
> rejected by the firewall rules for the external interface.
> 
> If you would like a quickie example of ipsec tunnel setup between two
> freebsd boxes, let me know.

Have a suspicion I'm not really using gif altho I've configured the
interfaces. Earlier yesterday found I had not updated an IP address in
the gif0 device which changed a month or two prior. Yet things were still
working.

So yes, please, I'd like to see your notes on how to IPsec tunnel
without gif.

> Sorry, I couldn't really answer why your setup doesn't work after
> upgrading to 4.7.

That others have had similar problems and might have a way to deal with
it is all I expected. That I've raised a flag and later someone else has
the same thing happen or the developers "get a curious" and look closer
inside would be icing on the cake.

Have an inside "test box" which I build -stable and play around a bit
before doing the same to the important production machines. Tested
before updating. Problem is I don't test the tunnel. Henceforth that
will change.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
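The behaviour both David and Greg describe (the decrypted inner packet re-entering ipfw tagged with the external interface, where rules written for the internal interface never see it, so it falls through to the deny rule) is easy to reproduce in a small first-match model of ipfw rule evaluation. The Python below is an added illustration, not code from this thread or from FreeBSD. The gateway addresses, private prefixes, rule numbers other than 550/555/5800/5900, the default-to-deny assumption for rule 65535, and the `require_ipsec` flag (a stand-in for the `ipsec` match option that later ipfw versions offer) are all assumptions made for the example.

```python
"""Constructed model of ipfw first-match rule evaluation (not FreeBSD's
own code).  It reproduces the situation in the thread: an IPsec-decrypted
packet is re-injected into the firewall tagged with the external NIC
(fxp1) instead of the internal one (fxp0), so a rule written for fxp0
never matches and the packet falls through to a deny rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EXT, INT = "fxp1", "fxp0"                                 # external / internal NIC, as in the thread
LOCAL_GW, REMOTE_GW = "198.51.100.10", "203.0.113.20"     # constructed gateway addresses
LOCAL_NET, REMOTE_NET = "10.1.0.0/24", "10.2.0.0/24"      # constructed private networks


@dataclass
class Packet:
    proto: str                    # "esp", "udp", "ip", ...
    src: str
    dst: str
    direction: str                # "in" or "out"
    iface: str                    # interface the kernel tagged the packet with
    sport: Optional[int] = None
    dport: Optional[int] = None
    ipsec_history: bool = False   # True once the packet has been IPsec-decapsulated


@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    proto: str                        # "ip" matches every protocol, like ipfw
    src: str                          # CIDR, single address, or "any"
    dst: str
    direction: Optional[str] = None   # None: either direction (plain "via")
    iface: Optional[str] = None       # None: any interface
    sport: Optional[int] = None
    dport: Optional[int] = None
    require_ipsec: bool = False       # assumption: models the later ipfw "ipsec" option

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.require_ipsec and not p.ipsec_history:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """First matching rule wins; an unmatched packet hits the implicit
    default rule 65535, assumed here to be deny (default-to-deny kernel)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# Ruleset as the original poster expected it to work: ESP and IKE are allowed
# on fxp1, and decrypted tunnel traffic is expected to show up on the internal NIC.
BASE_RULES = [
    Rule(550, "allow", "esp", LOCAL_GW, REMOTE_GW, "out", EXT),
    Rule(555, "allow", "esp", REMOTE_GW, LOCAL_GW, "in", EXT),
    Rule(5800, "allow", "udp", LOCAL_GW, REMOTE_GW, iface=EXT, sport=500, dport=500),
    Rule(5900, "allow", "udp", REMOTE_GW, LOCAL_GW, iface=EXT, sport=500, dport=500),
    Rule(6000, "allow", "ip", REMOTE_NET, LOCAL_NET, "in", INT),
    Rule(6100, "deny", "ip", "any", "any"),
]

# Constructed packets: the ESP envelope, the inner packet the kernel re-injects
# after decapsulation, and a cleartext packet arriving on fxp1 with a forged
# private source address.
ESP_IN = Packet("esp", REMOTE_GW, LOCAL_GW, "in", EXT)
DECRYPTED = Packet("ip", "10.2.0.5", "10.1.0.7", "in", EXT, ipsec_history=True)
SPOOFED = Packet("ip", "10.2.0.5", "10.1.0.7", "in", EXT)


def naive_fix() -> Rule:
    """Accept the remote private network on the external NIC by address alone."""
    return Rule(560, "allow", "ip", REMOTE_NET, LOCAL_NET, "in", EXT)


def ipsec_aware_fix() -> Rule:
    """Same, but only for packets that actually came out of an IPsec SA."""
    return Rule(560, "allow", "ip", REMOTE_NET, LOCAL_NET, "in", EXT, require_ipsec=True)


if __name__ == "__main__":
    for label, rules in (("base", BASE_RULES),
                         ("naive fix", BASE_RULES + [naive_fix()]),
                         ("ipsec-aware fix", BASE_RULES + [ipsec_aware_fix()])):
        for name, pkt in (("esp", ESP_IN), ("decrypted", DECRYPTED), ("spoofed", SPOOFED)):
            print(f"{label:16} {name:10} -> rule {evaluate(rules, pkt)}")
```

The model makes the caveat visible as well: an allow rule keyed only on the remote private prefix and `in via fxp1` lets the decrypted packet through, but it equally accepts a cleartext packet from the Internet that carries a forged private source address, since ipfw of that era sees the same addresses on the same interface in both cases. Restricting the rule to packets with IPsec history (the `ipsec` match option in later ipfw versions), or keeping an interface such as gif0 where the decapsulated traffic can be filtered separately, closes that gap.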
