ICMP Error transmission/response over IPSec tunnels
Julian Elischer
julian at elischer.org
Wed May 28 00:21:43 UTC 2008
Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
>> Bjoern A. Zeeb wrote:
>>> On Tue, 27 May 2008, Tom Judge wrote:
>>>
>>> Hi,
>>>
>>>> Yes we do indeed see a reply from node b. It is good to hear that
>>>> this is a known issue.
>>>>
>>>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>>>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>>>> the handbook.
>>>
>>> 1) if you do not need the ipip tunnel because you need an interface
>>> and "link state changes" only go with the IPsec tunnel mode.
>>>
>>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>>> mode.
>>>
>>> (ignore the handbook, try to understand it;)
>>
>> I have 13 nodes in a partial mesh running ospf for routing. It would
>> not be trivial for me to switch from tunnel to transport mode. Also I
>> have not tested quagga when the ipsec is in transport mode, and I
>> guess I do need interfaces to use with quagga. I may test fixing this
>> additional overhead, but as they say if it's not broken don't fix it.
>
> Ok. So basically you have 12 gif tunnels on each node, if it would be
> a full mesh. So it's less.
>
> So a) you have two endpoints for the gif tunnel which are your Router
> A, Router B endpoint. So the only thing you would need to secure is
> your IPIP (gif) tunnel between two nodes (Router A, B). This is what
> transport mode is for.
>
> Running a traceroute, the IP stack would need to send the icmp ttl
> exceeded packet back via the gif tunnel which then would have to be
> encrypted.
>
> To my memory the problem is that this does not work.
>
> You could try to find out at which layer by running tcpdump on the
> (external) interface and the gif interfaces and if you have enc0 to
> see if/where the icmp possibly shows up.
I did this by running ng_iface into ng_ksocket(UDP) and
using transport mode for all the UDP packets
I had scripts to do it all, but unfortunately it was at
a previous company.
I allocated a number to each site from 1 to 8 and the endpoints
inside the tunnels were 10.42.ME.YOU 10.42.YOU.ME.
The scripts were identical on each machine, and to add a new machine
I just added it to the list in the script, distributed the new
script, and ran it again on each machine.
>
> /bz
>
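The setup Julian describes (an ng_iface per peer feeding ng_ksocket UDP, the UDP packets protected by ESP in transport mode, inner addresses 10.42.ME.YOU / 10.42.YOU.ME, one script driven by a site list) written out as an added example; this is not Julian's original script. The external addresses, the UDP port scheme (4000 + site number) and the assumption of a fresh netgraph state are mine.

```shell
#!/bin/sh
# Emits (does not execute) the ngctl/ifconfig/setkey commands that build one
# node's side of the mesh: ng_iface -> ng_ksocket(UDP) per peer, with the UDP
# packets covered by an ESP transport-mode policy, so ICMP generated inside
# the tunnel leaves as ordinary (encrypted) UDP. Addresses and ports below are
# constructed for this example.

UDP_BASE=4000

# ext_addr SITE: external address of a site (constructed sample table)
ext_addr() {
    case "$1" in
        1) echo 198.51.100.1 ;;
        2) echo 198.51.100.2 ;;
        3) echo 198.51.100.3 ;;
        *) echo "unknown site $1" >&2; return 1 ;;
    esac
}

# tunnel_cmds ME YOU IDX: commands for interface ng<IDX> from site ME to YOU.
# Local port is UDP_BASE+YOU and remote port UDP_BASE+ME, so both ends agree.
tunnel_cmds() {
    t_me=$1 t_you=$2 t_idx=$3
    my_ext=$(ext_addr "$t_me") || return 1
    your_ext=$(ext_addr "$t_you") || return 1
    lport=$((UDP_BASE + t_you)) rport=$((UDP_BASE + t_me))
    cat <<EOF
ngctl mkpeer iface dummy inet
ngctl mkpeer ng$t_idx: ksocket inet inet/dgram/udp
ngctl msg ng$t_idx:inet bind inet/$my_ext:$lport
ngctl msg ng$t_idx:inet connect inet/$your_ext:$rport
ifconfig ng$t_idx 10.42.$t_me.$t_you 10.42.$t_you.$t_me
setkey -c <<SPD
spdadd $my_ext $your_ext udp -P out ipsec esp/transport//require;
spdadd $your_ext $my_ext udp -P in ipsec esp/transport//require;
SPD
EOF
}

# site_cmds ME PEER...: the whole script for site ME (self is skipped).
# Assumes a fresh netgraph state, so the N-th "mkpeer iface" yields ng<N-1>.
site_cmds() {
    s_me=$1; shift
    s_idx=0
    for s_you in "$@"; do
        [ "$s_you" = "$s_me" ] && continue
        tunnel_cmds "$s_me" "$s_you" "$s_idx" || return 1
        s_idx=$((s_idx + 1))
    done
}

# Usage: SITE=1 PEERS="2 3" sh mesh.sh | sh    (review the output first)
if [ -n "$SITE" ]; then site_cmds "$SITE" $PEERS; fi
```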