Date:      Tue, 27 May 2008 21:17:53 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Tom Judge <tom@tomjudge.com>
Cc:        net@FreeBSD.org
Subject:   Re: ICMP Error transmission/response over IPSec tunnels
Message-ID:  <20080527211250.M65662@maildrop.int.zabbadoz.net>
In-Reply-To: <483C7858.5000302@tomjudge.com>
References:  <483C51EE.7040700@tomjudge.com> <20080527201331.L65662@maildrop.int.zabbadoz.net> <483C70A9.2060500@tomjudge.com> <20080527204111.F65662@maildrop.int.zabbadoz.net> <483C7858.5000302@tomjudge.com>

On Tue, 27 May 2008, Tom Judge wrote:

> Bjoern A. Zeeb wrote:
>> On Tue, 27 May 2008, Tom Judge wrote:
>> 
>> Hi,
>> 
>>> Yes, we do indeed see a reply from node b.  It is good to hear that this is 
>>> a known issue.
>>> 
>>> The IPSec configuration is a gif ipip tunnel that is then encrypted with 
>>> IPSec using esp in tunnel mode as per the ipsec vpn section in the 
>>> handbook.
>> 
>> 1) if you do not need the ipip tunnel because you need an interface
>> and "link state changes" only go with the IPsec tunnel mode.
>> 
>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>> mode.
>> 
>> (ignore the handbook, try to understand it;)
>
> I have 13 nodes in a partial mesh running ospf for routing.  It would not be 
> trivial for me to switch from tunnel to transport mode.  Also I have not 
> tested quagga when the ipsec is in transport mode, and I guess I do need 
> interfaces to use with quagga.  I may test fixing this additional overhead, 
> but as they say, if it's not broken, don't fix it.

Ok. So basically you would have 12 gif tunnels on each node if it were
a full mesh. So it's less.

So a) you have two endpoints for the gif tunnel which are your Router
A, Router B endpoint. So the only thing you would need to secure is
your IPIP (gif) tunnel between two nodes (Router A, B). This is what
transport mode is for.

Running a traceroute, the IP stack would need to send the icmp ttl
exceeded packet back via the gif tunnel which then would have to be
encrypted.

To my memory the problem is that this does not work.

You could try to find out at which layer by running tcpdump on the
(external) interface and the gif interfaces and if you have enc0 to
see if/where the icmp possibly shows up.

/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
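The two practical points in this thread are (a) protect only the gif (IPIP) traffic between the two tunnel endpoints with IPsec transport mode, and (b) find the layer at which the ICMP time-exceeded reply goes missing by capturing on the gif interface, enc0 and the outer interface. The script below is an added example and is not code from the thread or from FreeBSD; it assumes a FreeBSD router with sh(1), tcpdump(8) and setkey(8), interface names gif0, enc0 and em0, and documentation-range addresses. It emits a transport-mode SPD for one tunnel pair and counts, in parallel, where the reply is last seen. Run it as root while a traceroute from the far side is in progress.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Interface names and
# addresses are assumptions; adjust for your own routers.

# (a) Transport-mode policy for the gif tunnel between outer addresses A and B.
# Only the IPIP packets (ipencap, protocol 4) between the two tunnel endpoints
# are protected; OSPF and the rest keep running on top of the gif interface.
transport_spd() {
    a=$1; b=$2
    cat <<EOF
spdadd $a $b ipencap -P out ipsec esp/transport//require;
spdadd $b $a ipencap -P in  ipsec esp/transport//require;
EOF
}

# pcap filters used for the diagnosis.
# traceroute elicits ICMP time exceeded (type 11).  In tunnel mode the reply
# reaches IPsec already IPIP-encapsulated, so on enc0 match ipencap as well.
ICMP_TTL='icmp[icmptype] == icmp-timxceed'
ENC_MATCH='ip proto 4 or icmp[icmptype] == icmp-timxceed'

# (b) Count packets matching a pcap filter on one interface for N seconds.
# tcpdump writes a temporary pcap file so the count is exact; needs root.
count_on_if() {
    ifname=$1; filter=$2; secs=${3:-20}
    tmp=$(mktemp /tmp/icmpdiag.XXXXXX) || return 1
    tcpdump -i "$ifname" -nn -w "$tmp" "$filter" 2>/dev/null &
    pid=$!
    sleep "$secs"
    kill -INT "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    n=$(tcpdump -nn -r "$tmp" 2>/dev/null | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "${n:-0}"
}

# Interpret the per-layer counts.  gif: plaintext reply was generated and
# routed into the tunnel; enc: it reached IPsec processing; ext: ESP left on
# the outer interface.  The ESP count includes all tunnel traffic, so it only
# says whether anything encrypted went out at all, not that the reply did.
classify() {
    gif=$1; enc=$2; ext=$3
    if [ "$gif" -eq 0 ]; then
        echo "not-generated-or-not-routed-via-gif"
    elif [ "$enc" -eq 0 ]; then
        echo "lost-between-gif-and-ipsec"
    elif [ "$ext" -eq 0 ]; then
        echo "reached-ipsec-but-no-esp-on-outer-if"
    else
        echo "reached-ipsec-and-esp-left-host"
    fi
}

# Capture on all three layers at the same time, then classify.
diag_all() {
    gif_if=${1:-gif0}; enc_if=${2:-enc0}; ext_if=${3:-em0}; secs=${4:-20}
    d=$(mktemp -d /tmp/icmpdiag.XXXXXX) || return 1
    count_on_if "$gif_if" "$ICMP_TTL"  "$secs" > "$d/gif" &
    count_on_if "$enc_if" "$ENC_MATCH" "$secs" > "$d/enc" &
    count_on_if "$ext_if" "esp"        "$secs" > "$d/ext" &
    wait
    classify "$(cat "$d/gif")" "$(cat "$d/enc")" "$(cat "$d/ext")"
    rm -rf "$d"
}

# Usage (not run here):
#   transport_spd 192.0.2.1 198.51.100.1 | setkey -c   # load the SPD
#   diag_all gif0 enc0 em0 20                           # while tracerouting
```

The outcome "lost-between-gif-and-ipsec" is the one to expect if the reply is generated and routed into the tunnel but never reaches IPsec processing; "not-generated-or-not-routed-via-gif" means the host either never built the ICMP reply or routed it out of some other interface, which a capture on the other interfaces would then show.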



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080527211250.M65662>