On 8/18/06, Yu-Shun Wang <[EMAIL PROTECTED]> wrote:
Andrew Pantyukhin wrote:
> On 8/18/06, Yu-Shun Wang <[EMAIL PROTECTED]> wrote:
>> Remko Lodder wrote:
>> > I was looking around for using IPsec services instead of
>> > OpenVPN services, but I found out that with our current
>> > implementation of IPsec, we cannot actually route packets
>> > through the various IPsec hops [1].  OpenBSD adds IPsec
>> > flows in their routing table, making it possible to route
>> > traffic between IPsec tunnels.
>> >
>> > Can someone either confirm my above statement that FreeBSD
>> > is indeed not capable of doing this?

>> It's not an implementation issue, but a design problem with
>> IPsec tunnel mode. See RFC3884:
>>
>> <http://www.ietf.org/rfc/rfc3884.txt>
>>
>> The proposed solution is to use IP-IP tunnel (gif iface in
>> FreeBSD, which you can route) then apply IPsec transport mode
>> on the outer header. Refer to the rfc for more detail.
>>
>> The policy will be different, but we've verified long ago
>> with FreeBSD that it works. The packets on the wire are
>> compatible with regular tunnel mode IPsec.
>
> Eh? gif(4) says:
>
> BUGS
>     There are many tunnelling protocol specifications, all defined differently
>     from each other.  The gif device may not interoperate with peers
>     which are based on different specifications, and are picky about outer
>     header fields.  For example, you cannot usually use gif to talk with
>     IPsec devices that use IPsec tunnel mode.

You won't have any problem if you are using IP-IP with IPsec
transport mode on both ends. It's been a while, but we did
try one end with IP-IP+IPsec transport and the other with
IPsec tunnel mode. (Of course, you will need to make sure
everything matches, SPI, inner/outer addresses, keys, etc.)
The rfc is dated Sep. 2004, we probably tried it long before
that, so it had to be some older FreeBSD versions. We even
tested with Linux (FreeSWAN back then) as the other end.

I haven't been tracking the gif code, it SHOULD work, but
if something did change the packets on the wire, then
all bets are off.

Hope this clarified a bit.

Yep, thanks.

I'm actually trying to marry FreeBSD to PIX. The latter only
supports IPSec (tunnel/transport). I'm still struggling with
firewalls on both sides, but tunnel-tunnel works right now.
I'm a bit puzzled because the howto I see
(http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
with tunnel-mode IPSec. Either something is wrong with
the way things work or the author doesn't understand what
he's doing (or both). The bitter thing is that we have a
similar setup in our handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net

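The point Yu-Shun Wang makes above (an IP-IP tunnel protected by ESP in transport mode is byte-for-byte what ESP tunnel mode puts on the wire, which is the RFC 3884 observation) is easy to check by constructing both encapsulations. The block below is an added example written for this page; it is not code from the thread, from FreeBSD or from RFC 3884. The addresses (RFC 5737 documentation ranges), SPI, authentication key and inner payload are all made up, and ESP is built with NULL encryption plus HMAC-SHA1-96 so that the layout stays readable; no real cipher is applied. Both paths are then decapsulated with one routine to show a receiver cannot tell them apart.

```python
"""Constructed example: gif(4)-style IP-in-IP + ESP transport mode versus
ESP tunnel mode.  Everything here (addresses, key, payload) is made up."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4    # IP-in-IP, the protocol gif(4) puts in the outer header
IPPROTO_ESP = 50
IPPROTO_UDP = 17

# Constructed demo values (RFC 5737 documentation addresses, dummy key).
OUTER_SRC, OUTER_DST = "192.0.2.1", "198.51.100.1"
INNER_SRC, INNER_DST = "10.0.0.5", "10.1.0.7"
SPI, SEQ = 0x1000, 1
AUTH_KEY = b"constructed-demo-key"  # not a real key
INNER_PAYLOAD = b"hello from behind the gateway"


def _checksum(data):
    """Standard IPv4 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options, no fragmentation)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi, seq, payload, next_header, key):
    """ESP with NULL encryption: SPI|seq|payload|pad|padlen|NH|ICV (RFC 4303)."""
    pad_len = (-(len(payload) + 2)) % 4          # align payload+trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad bytes 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96
    return body + icv


def tunnel_mode(inner_pkt, key):
    """ESP tunnel mode: whole inner packet becomes the ESP payload, NH = 4."""
    esp = esp_encapsulate(SPI, SEQ, inner_pkt, IPPROTO_IPIP, key)
    return ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_ESP, len(esp)) + esp


def gif_plus_transport(inner_pkt, key):
    """gif(4) IP-in-IP first, then transport-mode ESP on the outer header."""
    # Step 1: gif wraps the inner packet; outer protocol field is 4 (IP-IP).
    outer = ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt
    # Step 2: transport ESP protects the upper layer of the *outer* packet,
    # so ESP's Next Header is whatever the outer header said: 4.
    next_header = outer[9]
    upper = outer[20:]
    esp = esp_encapsulate(SPI, SEQ, upper, next_header, key)
    # The outer header is rewritten to carry ESP and the new length.
    return ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(pkt, key):
    """Receiver view: verify ICV, strip ESP, return (next_header, payload)."""
    if pkt[9] != IPPROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    body, icv = pkt[20:-12], pkt[-12:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:-2 - pad_len]


def inner_packet():
    """Constructed inner UDP packet that the tunnel carries."""
    return ipv4_header(INNER_SRC, INNER_DST, IPPROTO_UDP, len(INNER_PAYLOAD)) + INNER_PAYLOAD


def build_both():
    """Return (tunnel-mode bytes, gif+transport bytes) for the same inner packet."""
    inner = inner_packet()
    return tunnel_mode(inner, AUTH_KEY), gif_plus_transport(inner, AUTH_KEY)


def same_on_the_wire():
    t, g = build_both()
    return t == g


if __name__ == "__main__":
    t, g = build_both()
    print("identical on the wire:", t == g)
    print("decapsulated next header:", esp_decapsulate(g, AUTH_KEY)[0])
```

The two functions converge because transport-mode ESP simply takes the outer header's protocol number (4) as its Next Header, which is exactly what tunnel mode writes there. What the gif(4) BUGS note is warning about is not this layout but the outer header fields a real gif sets on its own (TTL, DF and ECN handling, identification), which a tunnel-mode peer may check; the example uses the same values on both paths, so it does not reproduce that difference. On the FreeBSD side the policy for this arrangement selects IP-in-IP traffic between the gif endpoints rather than the inner networks, i.e. something like `spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;` with the constructed addresses above; check the upper-layer protocol keyword against your setkey(8) before relying on it.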