Date:      Tue, 18 Mar 2003 09:59:30 -0700
From:      "Brent Wiese" <brently@bjwcs.com>
To:        "'chris scott'" <chris.scott@uk.tiscali.com>, <freebsd-questions@freebsd.org>
Subject:   RE: ipsec and gre tunnels
Message-ID:  <005801c2ed6f$be607360$0a0114ac@home.bjwcs.com>
In-Reply-To: <001901c2ecfb$83e82210$c4102c0a@viper>

It's a common mistake to do both gif and ipsec.

I realize many of the handbooks you find say to do it. They're wrong.
They've been contacted and most won't change them, which just misleads
more people.

Use ipsec in tunnel mode instead of transport and ditch gif.

> 
> Hi,
> 
> I currently have a vpn setup between a few lans using
> freebsd, ipsec and gif tunnels. It all works perfectly.
> However, I noticed that there is a new pseudo device for gre tunnels.
> As the overhead is supposed to be less for this type of
> tunnel, I decided to test things out. I ran cvs and made world and
> kernel on the two test machines. No problems here. I tested the
> original tunnels, all working ok, and racoon was doing key
> exchange, no problems. I set up the test gre tunnel with the
> following syntax:
> 
> 
> 
>    /sbin/ifconfig gre0 create tunnel hostA hostB
>    /sbin/ifconfig gre0 192.168.250.34 192.168.250.33 netmask 255.255.255.252
>    /sbin/route add 192.168.250.33/30 -interface gre0
>    /sbin/ifconfig gre0 up
> 
> 
> Cool, the tunnel is up and seems to work ok. Now I implement
> the following ipsec policy, which is just an extension of what
> I was using before for the gif tunnels:
> 
> 
> spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
> spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
> 
> # these 2 rules are so i can connect to my ethernet dsl modem
> # without the traffic getting encrypted, which is bad
> 
> spdadd 10.0.0.0/24 10.0.0.0/24 gre -P out none ;
> spdadd 10.0.0.0/24 10.0.0.0/24 gre -P in none ;
> 
> spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
> spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> 
> 
> Hmm, now the tunnel doesn't work. Key exchange seems to be ok,
> as the gif tunnel is still working. Does anyone have any idea
> why the tunnel should stop working? The man page for setkey
> has a mysterious reference under the upperspec description:
> 
>         We have many protocols in /etc/protocols, but protocols except of
>         TCP, UDP and ICMP may not be suitable to use with IPsec.  You have
>         to consider and be careful to use them.  icmp tcp udp all protocols
> 
> Could gre be one of these protocols and if so why?
> 
> 
> root on gateway# ifconfig gre0
> gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
>         tunnel inet hostB --> hostA
>         inet 192.168.250.34 --> 192.168.250.33 netmask 0xfffffffc
> root on gateway# ifconfig gif0
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         tunnel inet hostB --> hostA
>         inet 192.168.250.1 --> 192.168.250.2 netmask 0xfffffffc
> root on gateway# ping  192.168.250.33
> PING 192.168.250.33 (192.168.250.33): 56 data bytes
> ^C
> --- 192.168.250.33 ping statistics ---
> 6 packets transmitted, 0 packets received, 100% packet loss
> root on gateway# ping  192.168.250.1
> PING 192.168.250.1 (192.168.250.1): 56 data bytes
> ^C
> --- 192.168.250.1 ping statistics ---
> 5 packets transmitted, 0 packets received, 100% packet loss
> root on gateway# ping  192.168.250.2
> PING 192.168.250.2 (192.168.250.2): 56 data bytes
> 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.682 ms
> 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.543 ms
> 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.981 ms
> 64 bytes from 192.168.250.2: icmp_seq=3 ttl=64 time=37.159 ms
> ^C
> --- 192.168.250.2 ping statistics ---
> 4 packets transmitted, 4 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 37.159/37.591/37.981/0.296 ms
> root on gateway# setkey -DP
> 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
>         in ipsec
>         esp/transport//require
>         spid=1004 seq=5 pid=75744
>         refcnt=1
> 10.0.0.0/24[any] 10.0.0.0/24[any] gre
>         in none
>         spid=1006 seq=4 pid=75744
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] gre
>         in ipsec
>         esp/transport//require
>         spid=1008 seq=3 pid=75744
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] ip4
>         out ipsec
>         esp/transport//require
>         spid=1003 seq=2 pid=75744
>         refcnt=1
> 10.0.0.0/24[any] 10.0.0.0/24[any] gre
>         out none
>         spid=1005 seq=1 pid=75744
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] gre
>         out ipsec
>         esp/transport//require
>         spid=1007 seq=0 pid=75744
>         refcnt=1
> root on gateway# setkey -D
> hostB hostA
>         esp mode=transport spi=226290556(0x0d7ceb7c) reqid=0(0x00000000)
>         E: 3des-cbc  9ef25cfa f136ecac e6548771 b6675ea5 2427613a d8079969
>         A: hmac-sha1  fe01a845 3c3288ae 329bdd2e bff2bdb8 19224348
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Mar  5 12:14:01 2003   current: Mar  5 12:14:02 2003
>         diff: 1(s)      hard: 30(s)     soft: 24(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=3 pid=75781 refcnt=1
> hostB hostA
>         esp mode=transport spi=257583206(0x0f5a6866) reqid=0(0x00000000)
>         E: 3des-cbc  1786ff2d 76e3b6bb 69b21e0e e0bdd83e a993c063 7fb17d15
>         A: hmac-sha1  53985951 232ffa3b 915f8aea 921c775a 00b20759
>         seq=0x00000009 replay=4 flags=0x00000000 state=dying
>         created: Mar  5 12:13:36 2003   current: Mar  5 12:14:02 2003
>         diff: 26(s)     hard: 30(s)     soft: 24(s)
>         last: Mar  5 12:13:52 2003      hard: 0(s)      soft: 0(s)
>         current: 1264(bytes)    hard: 0(bytes)  soft: 0(bytes)
>         allocated: 9    hard: 0 soft: 0
>         sadb_seq=2 pid=75781 refcnt=3
> hostA hostB
>         esp mode=transport spi=68215519(0x0410e2df) reqid=0(0x00000000)
>         E: 3des-cbc  ed219090 5d6f888a e8802825 721304be 93e378a2 0b0386c1
>         A: hmac-sha1  d5cbeafd bc53fd2b 1fc793e3 a7ba645f acd15afb
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Mar  5 12:14:01 2003   current: Mar  5 12:14:02 2003
>         diff: 1(s)      hard: 30(s)     soft: 24(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=1 pid=75781 refcnt=1
> hostA hostB
>         esp mode=transport spi=29715957(0x01c56df5) reqid=0(0x00000000)
>         E: 3des-cbc  ba32a2af 132d3b56 59b26bcf bb094266 2092da1c c598213b
>         A: hmac-sha1  9132f5a9 c5eebd8f cb1bb01d 681a4ff6 1bd042f3
>         seq=0x0000000a replay=4 flags=0x00000000 state=dying
>         created: Mar  5 12:13:36 2003   current: Mar  5 12:14:02 2003
>         diff: 26(s)     hard: 30(s)     soft: 24(s)
>         last: Mar  5 12:14:00 2003      hard: 0(s)      soft: 0(s)
>         current: 1716(bytes)    hard: 0(bytes)  soft: 0(bytes)
>         allocated: 10   hard: 0 soft: 0
>         sadb_seq=0 pid=75781 refcnt=1
> root on gateway#
> 
> 
> 
> 
> 
> 
> root on gateway# setkey -FP; setkey -F ; ping 192.168.250.33
> PING 192.168.250.33 (192.168.250.33): 56 data bytes
> 64 bytes from 192.168.250.33: icmp_seq=0 ttl=64 time=35.470 ms
> 64 bytes from 192.168.250.33: icmp_seq=1 ttl=64 time=33.644 ms
> 64 bytes from 192.168.250.33: icmp_seq=2 ttl=64 time=33.889 ms
> 64 bytes from 192.168.250.33: icmp_seq=3 ttl=64 time=33.670 ms
> 64 bytes from 192.168.250.33: icmp_seq=4 ttl=64 time=34.687 ms
> 64 bytes from 192.168.250.33: icmp_seq=5 ttl=64 time=33.907 ms
> ^C
> --- 192.168.250.33 ping statistics ---
> 6 packets transmitted, 6 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 33.644/34.211/35.470/0.661 ms
> 
> root on gateway# ping 192.168.250.2
> PING 192.168.250.2 (192.168.250.2): 56 data bytes
> 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=35.012 ms 
> 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=34.409 ms 
> 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=34.092 ms ^C
> --- 192.168.250.2 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss 
> round-trip min/avg/max/stddev = 34.092/34.504/35.012/0.382 ms
> 
> root on gateway# setkey -f /etc/ipsec.conf
> 
> root on gateway# ping 192.168.250.2
> PING 192.168.250.2 (192.168.250.2): 56 data bytes
> 64 bytes from 192.168.250.2: icmp_seq=0 ttl=64 time=37.455 ms 
> 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=37.240 ms 
> 64 bytes from 192.168.250.2: icmp_seq=2 ttl=64 time=37.909 ms ^C
> --- 192.168.250.2 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss 
> round-trip min/avg/max/stddev = 37.240/37.535/37.909/0.279 ms 
> root on gateway# ping 192.168.250.33
> PING 192.168.250.33 (192.168.250.33): 56 data bytes
> ^C
> --- 192.168.250.33 ping statistics ---
> 23 packets transmitted, 0 packets received, 100% packet loss
> 
> regards
> 
> 
> Chris Scott
> MK NOC
> 
> 01908223901
> 
> 
> IMPORTANT NOTICE:
> This email may be confidential, may be legally privileged, 
> and is for the intended recipient only.  Access, disclosure, 
> copying, distribution, or reliance on any of it by anyone 
> else is prohibited and may be a criminal offence.  Please 
> delete if obtained in error and email confirmation to the sender.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
> 
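The SPD dump in the quoted message, as an added example that is not part of this thread: a small Python checker that parses `setkey -DP` output in the format posted above and lists every policy entry whose selectors cover a given packet, so that overlapping entries (here the `10.0.0.0/24 gre none` bypass and the catch-all `0.0.0.0/0 gre ... require`) are visible before a tunnel is relied on. The gateway addresses 192.0.2.1 and 198.51.100.1 are constructed stand-ins for hostA and hostB, the dump is re-typed from the thread's outbound entries, and the checker reports all matches rather than reproducing the kernel's own choice among overlapping entries.

```python
import ipaddress
import re
# IP protocol numbers behind the upperspec names in the thread: gre is 47, ip4 (the gif encapsulation) is 4.
PROTO = {"any": None, "icmp": 1, "ip4": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
HEADER = re.compile(r"^(\S+?)\[(\S+)\]\s+(\S+?)\[(\S+)\]\s+(\S+)$")

# Constructed dump in `setkey -DP` format, mirroring the thread's three outbound policies.
SPD_DUMP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] ip4
        out ipsec
        esp/transport//require
        spid=1003 seq=2 pid=75744
        refcnt=1
10.0.0.0/24[any] 10.0.0.0/24[any] gre
        out none
        spid=1005 seq=1 pid=75744
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] gre
        out ipsec
        esp/transport//require
        spid=1007 seq=0 pid=75744
        refcnt=1
"""
def parse_spd(text):
    """Return one dict per policy, in the order setkey printed them."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line) if line and not raw[0].isspace() else None
        if m:  # unindented selector line: src[port] dst[port] upperspec
            proto = m.group(5)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(3), strict=False),
                   "proto": PROTO[proto] if proto in PROTO else int(proto),
                   "dir": None, "action": None, "spid": None, "proposals": []}
            policies.append(cur)
        elif line.split()[:1] in (["in"], ["out"], ["fwd"]):
            cur["dir"], cur["action"] = line.split()[:2]   # e.g. "out ipsec", "in none"
        elif line.startswith("spid="):
            cur["spid"] = int(line.split()[0][5:])
        elif "/" in line:  # proposal line, e.g. esp/transport//require
            cur["proposals"].append(line)
    return policies

def matching_policies(policies, src, dst, proto, direction):
    """(spid, action) of every entry covering the packet; two or more hits mean overlap."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [(p["spid"], p["action"]) for p in policies if p["dir"] == direction
            and s in p["src"] and d in p["dst"] and p["proto"] in (None, proto)]
```

Run against a real dump by passing the output of `setkey -DP` to `parse_spd` and querying the outer source and destination of the gre (protocol 47) or gif (protocol 4) packets.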