From: "Cambria, Mike" <mcambria@avaya.com>
To: freebsd-net@freebsd.org
Subject: IPsec & Multiple WAN links
Date: Tue, 1 Oct 2002 13:51:03 -0400
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EE06@rerun.avayactc.com>

Hi,

I've been running FreeBSD on 2 boxes, each with their own WAN links, for over 18 months or so. Each box has its own WAN link (one uses a T1 leased line to a remote site, the other uses DSL to an ISP). The ISP link runs IPsec and racoon. The other end of the IPsec tunnel is a VPN appliance. The ISP (and IPsec tunnels) is used to back up the T1.

I now want to move both WAN links to one FreeBSD box (in time on Soekris HW). I am having trouble duplicating the desired IPsec policies when both WAN links are in one box, and only one needs (should) have IPsec enabled on it. How can I define a SPD for just the interface that I need? Using setkey, spdadd doesn't let me specify which interface IPsec is to be defined for.

Before: With the working config (i.e. two boxes), since there is only one WAN link per box, the SPD (and IPsec) only exist on the box connected to the Internet.
When a packet destined to a subnet routes via the T1 "leased line" box (the normal case), things work. When this T1 is up, routing makes this the shortest path. When a packet destined to this same subnet follows the default route to the IPsec box (e.g. T1 link is down), the SPD on the FreeBSD box applies the defined IPsec policy (e.g. tunnel & 3DES) and sends the packet to the VPN appliance at the other end of the tunnel.

After: When both WAN links are in one box, the packet is always encrypted and sent to the tunnel endpoint, but via the T1 link. Since the tunnel endpoint is the public side of the VPN appliance, the packet is dropped as it reaches that device via the private Ethernet port. (This is today, after I had the firewall at the remote end of the T1 stop dropping IPsec packets.)

I'm running 4.6-Stable (cvsup'ed both source & ports after 4.6.2).

Thanks,
MikeC
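For readers unfamiliar with the KAME setkey policy syntax the post refers to, the following is an added illustration of the kind of SPD the poster describes, not configuration from the original message or from the poster's boxes. The addresses are placeholders: 192.168.1.0/24 stands for the local LAN, 192.168.2.0/24 for the remote subnet reached over the tunnel, 203.0.113.10 for the FreeBSD box's ISP-facing address and 198.51.100.20 for the public side of the VPN appliance. The selectors in spdadd are source address, destination address and protocol only; there is no interface field, which is the limitation the post runs into.

```conf
# Hypothetical /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf
# Addresses are placeholders chosen for this illustration.
flush;
spdflush;

# Outbound: anything from the local LAN to the remote subnet must go
# through an ESP tunnel between the two public endpoints.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.10-198.51.100.20/require;

# Inbound: the mirror-image policy for traffic arriving from the tunnel.
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.20-203.0.113.10/require;
```

The cipher (3DES in the post) and the keys are not part of the SPD entry; with racoon they are negotiated by IKE when the policy first matches a packet. Because the match is on addresses alone, a packet for 192.168.2.0/24 is selected for encapsulation regardless of whether routing would send the resulting ESP packet out the DSL link or the T1, which is consistent with the behaviour the post reports once both links share one box.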