Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
>
>> Bjoern A. Zeeb wrote:
>>> On Tue, 27 May 2008, Tom Judge wrote:
>>>
>>> Hi,
>>>
>>>> Yes we do indeed see a reply from node b. It is good to hear that
>>>> this is a known issue.
>>>>
>>>> The IPSec configuration is a gif ipip tunnel that is then encrypted
>>>> with IPSec using esp in tunnel mode as per the ipsec vpn section in
>>>> the handbook.
>>>
>>> 1) if you do not need the ipip tunnel because you need an interface
>>> and "link state changes" only go with the IPsec tunnel mode.
>>>
>>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>>> mode.
>>>
>>> (ignore the handbook, try to understand it;)
>>
>> I have 13 nodes in a partial mesh running ospf for routing. It would
>> not be trivial for me to switch from tunnel to transport mode. Also I
>> have not tested quagga when the ipsec is in transport mode, and I
>> guess I do need interfaces to use with quagga. I may test fixing this
>> additional overhead, but as they say if it's not broken don't fix it.
>
> Ok. So basically you have 12 gif tunnels on each node, if it would be
> a full mesh. So it's less.
>
> So a) you have two endpoints for the gif tunnel which are your Router
> A, Router B endpoint. So the only thing you would need to secure is
> your IPIP (gif) tunnel between two nodes (Router A, B). This is what
> transport mode is for.
>
> Running a traceroute, the IP stack would need to send the icmp ttl
> exceeded packet back via the gif tunnel which then would have to be
> encrypted.
>
> To my memory the problem is that this does not work.
>
> You could try to find out at which layer by running tcpdump on the
> (external) interface and the gif interfaces and if you have enc0 to
> see if/where the icmp possibly shows up.
I did this by running ng_iface into ng_ksocket(UDP) and using transport
mode for all the UDP packets. I had scripts to do it all, but
unfortunately it was at a previous company.

I allocated a number to each site from 1 to 8 and the endpoints inside
the tunnels were 10.42.ME.YOU 10.42.YOU.ME. The scripts were identical
on each machine, and to add a new machine I just added it to the list
in the script, distributed the new script, and ran it again on each
machine.
>
> /bz
>
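As an added example, not code from the thread or from the poster's original scripts, here is a sketch of the per-node generator the last message describes: every node runs the same script with its own site number, derives the 10.42.ME.YOU / 10.42.YOU.ME endpoints for each peer, and emits the gif tunnel setup plus a transport-mode SPD that covers only the IP-in-IP traffic between the two public endpoints, which is what bz suggests above. The mesh edge list and the 192.0.2.x public addresses are constructed placeholders, the script prints commands instead of applying them, and it assumes the ESP SAs are negotiated separately (racoon or manual setkey entries).

```shell
#!/bin/sh
# Added example (not from the thread): per-node gif + IPsec transport-mode generator
# for a partial mesh. Every node runs the same script with ME set to its site number.
# Nothing is applied; it prints ifconfig(8) commands and setkey(8) input for review.
ME=${ME:-1}

# Partial-mesh adjacency as "a-b" edges (constructed sample; edit to match the real mesh).
MESH="1-2 1-3 1-5 2-3 2-4 3-6 4-5 4-7 5-8 6-7 6-8 7-8"

# Site number -> public tunnel endpoint (constructed placeholder mapping in TEST-NET-1).
pub_addr() { echo "192.0.2.$1"; }

# Inner point-to-point addresses for the pair me/you: "10.42.ME.YOU 10.42.YOU.ME".
tunnel_addrs() { echo "10.42.$1.$2 10.42.$2.$1"; }

# Peers of site $1, derived from MESH, one per line.
peers_of() {
    for e in $MESH; do
        a=${e%-*}; b=${e#*-}
        [ "$a" = "$1" ] && echo "$b"
        [ "$b" = "$1" ] && echo "$a"
    done
    return 0
}

# gif(4) setup: on every node, interface gifN is the tunnel to site N.
gif_commands() {
    me=$1
    for you in $(peers_of "$me"); do
        set -- $(tunnel_addrs "$me" "$you")
        echo "ifconfig gif$you create"
        echo "ifconfig gif$you tunnel $(pub_addr "$me") $(pub_addr "$you")"
        echo "ifconfig gif$you inet $1 $2 netmask 255.255.255.255"
    done
}

# setkey(8) SPD: transport mode over only the IP-in-IP (ipencap, protocol 4) packets the
# gif tunnel sends between the two public endpoints. ESP SAs are expected from a
# key-management daemon or manual 'add' entries, which this script does not produce.
spd_policy() {
    me=$1
    for you in $(peers_of "$me"); do
        echo "spdadd $(pub_addr "$me") $(pub_addr "$you") ipencap -P out ipsec esp/transport//require;"
        echo "spdadd $(pub_addr "$you") $(pub_addr "$me") ipencap -P in ipsec esp/transport//require;"
    done
}

gif_commands "$ME"
printf 'setkey -c <<EOF\n%s\nEOF\n' "$(spd_policy "$ME")"
```

Because gifN is always the link to site N, the same script and the same interface names work unchanged on every node; adding a site means adding its edges to MESH and re-running everywhere, as the poster describes.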
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"