Routing IPSEC packets?
Andrew Pantyukhin
infofarmer at FreeBSD.org
Fri Aug 18 19:58:12 UTC 2006
On 8/18/06, Yu-Shun Wang <yushunwa at isi.edu> wrote:
> Andrew Pantyukhin wrote:
> > On 8/18/06, Yu-Shun Wang <yushunwa at isi.edu> wrote:
> >> Remko Lodder wrote:
> >> > I was looking around for using IPsec services instead of
> >> > OpenVPN services, but I found out that with our current
> >> > implementation of IPsec, we cannot actually route packets
> >> > through the various IPsec hops [1]. OpenBSD adds IPsec
> >> > flows in their routing table, making it possible to route
> >> > traffic between IPsec tunnels.
> >> >
> >> > Can someone either confirm my above statement that FreeBSD
> >> > is indeed not capable of doing this?
>
> >> It's not an implementation issue, but a design problem with
> >> IPsec tunnel mode. See RFC3884:
> >>
> >> <http://www.ietf.org/rfc/rfc3884.txt>
> >>
> >> The proposed solution is to use IP-IP tunnel (gif iface in
> >> FreeBSD, which you can route) then apply IPsec transport mode
> >> on the outer header. Refer to the rfc for more detail.
> >>
> >> The policy will be different, but we've verified long ago
> >> with FreeBSD that it works. The packets on the wire are
> >> compatible with regular tunnel mode IPsec.
> >
> > Eh? gif(4) says:
> >
> > BUGS
> > There are many tunnelling protocol specifications, all defined
> > differently from each other. The gif device may not interoperate with
> > peers which are based on different specifications, and are picky about
> > outer header fields. For example, you cannot usually use gif to talk
> > with IPsec devices that use IPsec tunnel mode.
>
> You won't have any problem if you are using IP-IP with IPsec
> transport mode on both ends. It's been a while, but we did
> try one end with IP-IP+IPsec transport and the other with
> IPsec tunnel mode. (Of course, you will need to make sure
> everything matches, SPI, inner/outer addresses, keys, etc.)
> The rfc is dated Sep. 2004, we probably tried it long before
> that, so it had to be some older FreeBSD versions. We even
> tested with Linux (FreeSWAN back then) as the other end.
>
> I haven't been tracking the gif code, it SHOULD work, but
> if something did change the packets on the wire, then
> all bets are off.
>
> Hope this clarified a bit.
Yep, thanks.
I'm actually trying to marry FreeBSD to PIX. The latter only
supports IPSec (tunnel/transport). I'm still struggling with
firewalls on both sides, but tunnel-tunnel works right now.
I'm a bit puzzled because the howto I see
(http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
with tunnel-mode IPSec. Either something is wrong with
the way things work or the author doesn't understand what
he's doing (or both). The bitter thing is that we have a
similar setup in our handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
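An added example, not code from this thread, the bshell howto or the FreeBSD handbook: a FreeBSD-side sketch of the RFC 3884 layout Yu-Shun describes, a gif(4) IP-in-IP tunnel that the routing table can steer traffic through, with IPsec applied in transport mode to the outer header via setkey(8), and the conventional tunnel-mode policy emitted alongside for comparison. All addresses, prefixes and the interface name are constructed placeholders; by default the script only prints the ifconfig/route/setkey commands it would run. The SA side (SPI, keys, whether from IKE or manual `add` lines) is not covered here and, as noted above, still has to match on both ends.

```sh
#!/bin/sh
# Added example, not code from the thread or the FreeBSD handbook.
# FreeBSD-side layout for the RFC 3884 approach: gif(4) does the IP-in-IP
# encapsulation (so the tunnel is an interface the routing table can use),
# and IPsec is applied in transport mode to the outer header.
# All addresses, prefixes and the interface name are constructed placeholders.
# By default only the commands/policies are printed; set APPLY=1 to run them
# (root on FreeBSD, and the peer must be configured to match).

GIF=gif0
LOCAL_OUTER=203.0.113.1      # our public address (outer tunnel source)
REMOTE_OUTER=198.51.100.1    # peer public address (outer tunnel destination)
LOCAL_INNER=10.0.0.1         # our end of the gif point-to-point link
REMOTE_INNER=10.0.0.2        # peer end of the gif point-to-point link
LOCAL_NET=192.168.1.0/24     # prefix behind us
REMOTE_NET=192.168.2.0/24    # prefix behind the peer, routed over the gif link

# gif(4) tunnel plus an ordinary route: which traffic enters the tunnel is a
# routing decision, so traffic can also be routed from one gif to another.
gif_commands() {
    cat <<EOF
ifconfig $GIF create
ifconfig $GIF tunnel $LOCAL_OUTER $REMOTE_OUTER
ifconfig $GIF inet $LOCAL_INNER $REMOTE_INNER
route add -net $REMOTE_NET $REMOTE_INNER
EOF
}

# setkey(8) SPD for the gif layout: protect only IP-in-IP (protocol 4)
# between the two outer addresses, with ESP in transport mode.  Transport
# mode takes no endpoint pair, hence the empty field in esp/transport//require.
spd_transport_over_gif() {
    cat <<EOF
spdadd $LOCAL_OUTER $REMOTE_OUTER 4 -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER $LOCAL_OUTER 4 -P in ipsec esp/transport//require;
EOF
}

# For comparison: conventional tunnel-mode SPD for the same prefixes.  Here
# the SPD selectors, not the routing table, decide what is tunnelled, which
# is the limitation the thread is about.
spd_tunnel_mode() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_OUTER-$REMOTE_OUTER/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_OUTER-$LOCAL_OUTER/require;
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    gif_commands | sh -e
    spd_transport_over_gif | setkey -c
else
    echo "# gif(4) tunnel and route:"
    gif_commands
    echo "# setkey policy, ESP transport mode on the outer header:"
    spd_transport_over_gif
    echo "# equivalent tunnel-mode policy, for comparison:"
    spd_tunnel_mode
fi
```

In both layouts the outer packet is ESP (protocol 50) carrying an IPv4 packet (ESP next header 4); the difference is that with gif plus transport mode the outer header is the one gif built, and the routing table rather than the SPD selectors chooses what goes into which tunnel. The gif(4) BUGS caveat quoted above about peers that only speak tunnel mode and are picky about outer header fields still applies when the other end is not configured the same way.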