gre tunnel & ipsec transport mode

From: Eric Masson (e-masson_at_kisoft-services.com)
Date: 12/16/03

    To: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
    Date: Tue, 16 Dec 2003 23:56:16 +0100
    
    

    Hello,

    I'm experimenting with dynamic routing protocols in a VPN setup. IPsec
    tunnel mode is not applicable here, as selectors do not appear in the
    system routing table.

    So I've tried to use GRE tunnels between the LANs and then protect them
    with IPsec transport mode between the gateways.

    It seems that gre pseudo-interfaces & the IPsec stack don't interact
    very well in this setup (4.8-RELEASE-p14 boxes).

    I've set up the following test case:

    192.168.197.* --- Router A --- gre tunnel--- Router B --- 10.168.18.*
                          \ /
                           +--------Internet-------+

    GRE tunnel setup:

    Each router has a GRE tunnel to its peer and the associated network
    route.

    Traffic from 192.168.197/24 hosts to 10.168.18/24 hosts flows fine;
    tcpdump reports GRE packets between the two routers.

    IPsec transport mode setup:

    Each router has outgoing & incoming transport-mode IPsec policies
    (ah+esp) to its peer for any protocol.

    Isakmpd (racoon) is active.

    A direct connection from one router to the other (ssh, telnet...) sees
    the IPsec SP applied and works fine.

    Mixing the two setups:

    IPsec-transformed GRE packets leave the originating box for the other
    tunnel endpoint (tcpdump reports ah+esp packets flowing outside).

    On the destination box, tcpdump shows the incoming IPsec-transformed
    GRE packets, but these packets don't make their way to the internal
    interface and are silently dropped (no log anywhere).

    I've tried to look at /sys/net/ip_input.c, /sys/net/in_gif.c &
    /sys/net/ip_gre.c to understand the case, as gif tunnels get
    encapsulated correctly, but no immediate fix came to my mind; I must
    say I'm no C guru nor kernel hacker :/

    Has anyone any idea or fix for this case?

    TIA

    Regards

    Eric Masson

    -- 
     I don't think it's you.... you're far too devious to act that way.
     Your style is more to contact the bank directly, hoping I won't get
     my referral gifts!!!!!
     -+- JD in <http://www.le-gnu.net> : Little dimwit Christmas -+-
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
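As an added example (not part of the post above, nor FreeBSD's own code), the following script prints the Router A / Router B configuration for the test case Eric describes: a gre(4) tunnel between the two gateways, the route for the remote LAN through it, and setkey(8) transport-mode ESP+AH policies in both directions for any protocol, plus the commands used to check the result. The public addresses (203.0.113.1, 198.51.100.1), the point-to-point addresses on gre0 (172.16.0.1/2) and the external interface name fxp0 are assumptions; the functions only emit text and touch no interface.

```shell
#!/bin/sh
# Added example: emit the FreeBSD 4.x configuration for a GRE tunnel
# protected by IPsec transport mode between two gateways.  Addresses and
# interface names below are assumed, not taken from the post.

# gre_setup LOCAL_PUB REMOTE_PUB LOCAL_TUN REMOTE_TUN REMOTE_LAN
# Creates gre0, binds its outer endpoints to the gateways' public
# addresses, gives it point-to-point addresses and routes the remote LAN
# over it.  The route is what the post needs: it lives in the system
# routing table, so a dynamic routing daemon can see and replace it.
gre_setup() {
    cat <<EOF
ifconfig gre0 create
ifconfig gre0 tunnel $1 $2
ifconfig gre0 inet $3 $4 netmask 255.255.255.255 up
route add -net $5 $4
EOF
}

# ipsec_spd LOCAL_PUB REMOTE_PUB
# setkey(8) policies: ESP then AH, transport mode, both directions, any
# upper-layer protocol between the two gateways.  The GRE packets (IP
# protocol 47) match these selectors because their outer header is
# gateway-to-gateway; so does a direct ssh between the gateways.
ipsec_spd() {
    cat <<EOF
spdflush;
spdadd $1 $2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# verify_cmds EXT_IF
# What to run on each box: show the SPD and the SAs racoon negotiated,
# watch the wire for ESP/AH and raw GRE, and watch gre0 to see whether the
# decapsulated traffic ever reaches the tunnel interface.
verify_cmds() {
    cat <<EOF
setkey -DP
setkey -D
tcpdump -ni $1 'esp or ah or proto 47'
tcpdump -ni gre0
netstat -sp ipsec
EOF
}

# Constructed addresses for the topology in the post (assumed values).
A_PUB=203.0.113.1;  B_PUB=198.51.100.1
A_TUN=172.16.0.1;   B_TUN=172.16.0.2
A_LAN=192.168.197.0/24; B_LAN=10.168.18.0/24

echo "# --- Router A ---"
gre_setup "$A_PUB" "$B_PUB" "$A_TUN" "$B_TUN" "$B_LAN"
ipsec_spd "$A_PUB" "$B_PUB"
echo "# --- Router B ---"
gre_setup "$B_PUB" "$A_PUB" "$B_TUN" "$A_TUN" "$A_LAN"
ipsec_spd "$B_PUB" "$A_PUB"
echo "# --- checks (either box) ---"
verify_cmds fxp0
```

Feed the spdadd lines to `setkey -c` (or put them in setkey.conf) on each router, run the gre_setup commands, and start racoon. Because the selector is `any`, the working ssh test and the failing GRE test in the post match the same policy; setkey also accepts protocol names from /etc/protocols, so replacing `any` with `gre` gives a policy that covers only the tunnel traffic, which makes it easier to watch the GRE case in isolation with `setkey -DP` and the tcpdump lines above.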
    
