Re: Gif IPTunnel networkA-to-networkB not work

From: Lars Eggert (larse_at_ISI.EDU)
Date: 08/27/03

  • Next message: Mike Silbersack: "Re: mbuf usage for an idle machine"
    Date: Wed, 27 Aug 2003 08:45:23 -0700
    To: "Oldach, Helge" <Helge.Oldach@atosorigin.com>

    Oldach, Helge wrote:
    >
    > You must have the networks connected (on the public side), but when
    > using IPSec your gif tunnel won't really be used. It is just sort of
    > a "placeholder" to get the routing correct.

    It is not a good idea to use gifs in parallel with IPsec tunnel mode
    to do this routing trick. Please see the "options FAST_IPSEC & tunnels"
    thread on net@ from circa 4/1/2003.

    Basically, that approach creates two parallel virtual topologies, one
    out of IPIP tunnels, and one out of IPsec tunnel mode SAs. People often
    do this, because they want to route traffic into an IPsec tunnel, and
    the SA itself doesn't have a route entry, since they aren't devices.
    When using IPIP tunnels with tunnel mode, they abuse the route created
    by the gif device for routing, but packets will be hijacked by the
    tunnel mode SA, so they never actually enter gif processing (IPsec does
    the IPIP encapsulation internally.)

    Using IPIP tunnels with transport mode is valid, since packets will
    actually flow through the gif device, and get IPsec'ed after they are
    IPIP encapsulated. (In multihop topologies, they'll then need to be IPIP
    encapsulated again - the virtual network needs both virtual link and
    network layers.)

    It doesn't give you the full expressiveness of IPsec selectors, but it's
    good enough for many VPN schemes (and routing works!)

    See
    ftp://ftp.rfc-editor.org/internet-drafts/draft-touch-ipsec-vpn-05.txt.
    It is currently in the IESG timeout before going to Informational.

    Lars

    -- 
    Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
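An added illustration, not part of Lars's message: a small Python model of the two packet paths he describes on gateway A. The addresses, the SPD entries (written as `setkey` would install them) and the routing are constructed; the model shows that a tunnel-mode policy takes the packet before the gif interface ever runs, while a transport-mode policy on the gif endpoints lets gif do the IPIP encapsulation and only then applies ESP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addresses: public tunnel endpoints and the private networks behind them.
A_PUB, B_PUB = "192.0.2.1", "198.51.100.1"
NET_A, NET_B = ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")


@dataclass(frozen=True)
class Policy:
    src: IPv4Network  # SPD selector, as in "spdadd src dst any -P out ipsec ..."
    dst: IPv4Network
    mode: str         # "tunnel" or "transport"


# Style 1 (the one the message argues against): tunnel-mode SA selected on inner hosts.
TUNNEL_SPD = [Policy(NET_A, NET_B, "tunnel")]
# Style 2 (draft-touch-ipsec-vpn): transport-mode SA selected on the gif endpoints.
TRANSPORT_SPD = [Policy(ip_network(A_PUB), ip_network(B_PUB), "transport")]


def spd_lookup(spd, src, dst):
    """First policy whose selectors cover the packet, or None (constructed SPD walk)."""
    return next((p for p in spd if ip_address(src) in p.src and ip_address(dst) in p.dst), None)


def send(spd, src, dst):
    """Return (headers outermost-first, gif_used) for a packet from NET_A toward NET_B."""
    headers, gif_used = [f"ip {src}->{dst}"], False
    # Route lookup picks gif0 for NET_B, but the SPD is consulted on the way out first,
    # against the packet as it currently is (inner addresses).
    pol = spd_lookup(spd, src, dst)
    if pol and pol.mode == "tunnel":
        # IPsec does the IPIP encapsulation itself and re-routes the outer packet;
        # the gif interface never processes it, so its route is only a placeholder.
        return [f"ip {A_PUB}->{B_PUB}", "esp", *headers], gif_used
    # Otherwise gif0 encapsulates, and the outer packet is matched against the SPD again
    # with the endpoint addresses, which is where a transport-mode policy applies.
    gif_used = True
    headers = [f"ip {A_PUB}->{B_PUB}", *headers]
    pol = spd_lookup(spd, A_PUB, B_PUB)
    if pol and pol.mode == "transport":
        headers.insert(1, "esp")  # ESP between the gif outer header and the IPIP payload
    return headers, gif_used


if __name__ == "__main__":
    for name, spd in (("tunnel", TUNNEL_SPD), ("transport", TRANSPORT_SPD), ("plain gif", [])):
        print(name, *send(spd, "10.1.0.5", "10.2.0.7"))
```

Note that both styles put the same headers on the wire (outer IP, ESP, inner IP); the difference is whether the packet actually traversed the gif device, which is what makes the gif route real rather than a placeholder.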