Re: ICMP_UNREACH_NEEDFRAG broken in -current

From: Brian Somers (brian_at_Awfulhak.org)
Date: 09/27/04

  • Next message: Bjoern A. Zeeb: "Re: gif(4) & ipsec [was: ICMP_UNREACH_NEEDFRAG broken in -current]"
    Date: Mon, 27 Sep 2004 12:22:55 +0100
    To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
    
    

    On Mon, 27 Sep 2004 10:59:54 +0000 (UTC), "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
    > On Mon, 27 Sep 2004, Brian Somers wrote:
    >
    > > The outside network segment is an IPSEC configuration with gif interfaces
    > ...
    > > Comments/suggestions/flames?
    >
    > most likely unrelated but I need input on this so ...
    > why do you need gif(4) ?

    With an ipsec-only solution, talking from a gateway box to an internal
    host on the ``other'' network doesn't work nicely.... especially if the
    internal host on the other network doesn't have a route for it. In
    my scenario, some 172.16.10.0/24 machines don't have a default route
    and therefore can't reach 80.177.173.150.

    Using gif results in traffic from the gateway box using the gateway box's
    internal IP number as the source rather than its external IP number.
    This allows a simple security policy:

    172.16.10.212 $ cat /etc/ipsec.conf
    spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
    spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;

    172.16.0.1 $ ifconfig -a
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
            inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
            ether 00:40:f4:b1:1c:85
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 80.177.173.150 --> 194.242.157.46
            inet 172.16.0.1 --> 172.16.10.212 netmask 0xffffffff
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
            inet 80.177.173.150 --> 217.47.133.74 netmask 0xffffffff
            Opened by PID 876

    172.16.10.212 $ ifconfig -a
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
            inet 194.242.157.46 netmask 0xfffffff8 broadcast 194.242.157.47
            ether 00:03:ba:2d:d9:f0
            media: Ethernet autoselect (1000baseSX <full-duplex>)
            status: active
    bge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
            inet 172.16.10.212 netmask 0xffffff00 broadcast 172.16.10.255
            ether 00:03:ba:2d:d9:f1
            media: Ethernet autoselect (1000baseSX <full-duplex>)
            status: active
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 194.242.157.46 --> 80.177.173.150
            inet 172.16.10.212 --> 172.16.0.1 netmask 0xffffffff

    -- 
    Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
          <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
    Don't _EVER_ lose your sense of humour !
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
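As an added example (not part of Brian's mail, and not a FreeBSD tool), the script below checks the property the configuration above relies on: gif(4) by itself is unencrypted IP-in-IP, so each tunnel's outer endpoints must be covered by SPD entries that require ESP in both directions, with `require` rather than `use`, since `use` lets cleartext through when no SA exists. It parses setkey(8)-style `spdadd` lines and ifconfig(8) output. The sample inputs are constructed from the addresses shown above; the `WEAK_SPD` variant with level `use` is invented to show what a finding looks like.

```python
"""Verify that every gif(4) tunnel is covered by IPsec SPD entries that
require ESP in both directions (added example, not from the original mail).
Inputs: setkey(8) 'spdadd' lines and ifconfig(8) output."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str          # upper-layer selector: ip4 (IP-in-IP), any, tcp, ...
    direction: str      # "in" or "out"
    rules: tuple        # e.g. ('esp/transport//require',) or ('discard',)


def parse_spd(text):
    """Parse 'spdadd SRC DST UPPER -P DIR ipsec RULE...;' lines."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue                     # skip comments, flush, add, ...
        toks = line.rstrip(";").split()
        if len(toks) < 7 or toks[4] != "-P":
            raise ValueError(f"unsupported spdadd syntax: {line}")
        # policy is either 'ipsec RULE...' or a bare 'discard' / 'none'
        rules = tuple(toks[7:]) if toks[6] == "ipsec" else tuple(toks[6:])
        policies.append(Policy(ipaddress.ip_network(toks[1], strict=False),
                               ipaddress.ip_network(toks[2], strict=False),
                               toks[3], toks[5], rules))
    return policies


IFACE_RE = re.compile(r"^(\S+): flags=")
TUNNEL_RE = re.compile(r"^tunnel inet (\S+) --> (\S+)")


def parse_tunnels(ifconfig_text):
    """Return {ifname: (local_outer, remote_outer)} for each tunnel interface."""
    tunnels, iface = {}, None
    for raw in ifconfig_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = TUNNEL_RE.match(line)
        if m and iface:
            tunnels[iface] = (ipaddress.ip_address(m.group(1)),
                              ipaddress.ip_address(m.group(2)))
    return tunnels


def _requires_esp(rules):
    # rule syntax: protocol/mode/[src-dst]/level; only level 'require'
    # refuses cleartext ('use' falls back to the clear when no SA exists)
    return any(r.split("/")[0] == "esp" and r.split("/")[-1] == "require"
               for r in rules)


def _covered(policies, direction, src, dst):
    return any(p.direction == direction and p.upper in ("ip4", "any")
               and src in p.src and dst in p.dst and _requires_esp(p.rules)
               for p in policies)


def check_tunnels(policies, tunnels):
    """Return findings for unprotected tunnel directions; [] means all good."""
    findings = []
    for name, (local, remote) in sorted(tunnels.items()):
        if not _covered(policies, "out", local, remote):
            findings.append(f"{name}: no 'out' esp/require policy for {local} -> {remote}")
        if not _covered(policies, "in", remote, local):
            findings.append(f"{name}: no 'in' esp/require policy for {remote} -> {local}")
    return findings


# Constructed sample: the 172.16.10.212 end as shown in the mail.
HOST_SPD = """\
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;
"""
HOST_IFCONFIG = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 194.242.157.46 netmask 0xfffffff8 broadcast 194.242.157.47
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 194.242.157.46 --> 80.177.173.150
        inet 172.16.10.212 --> 172.16.0.1 netmask 0xffffffff
"""
# Constructed weak variant: inbound level 'use' still accepts cleartext.
WEAK_SPD = """\
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//use;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;
"""

if __name__ == "__main__":
    for label, spd in (("as configured", HOST_SPD), ("weak variant", WEAK_SPD)):
        print(label, check_tunnels(parse_spd(spd), parse_tunnels(HOST_IFCONFIG)) or "OK")
```

Run it on each end with that host's /etc/ipsec.conf and `ifconfig gif0`; the check must pass on both hosts, since a policy on one side only protects one direction. Note that the `ip4` selector matches only IP-in-IP, so traffic exchanged directly between the outer addresses (anything not going through gif) is not covered by these entries.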
    
