Re: ICMP Error transmission/response over IPSec tunnels



On Tue, 27 May 2008, Tom Judge wrote:

> Bjoern A. Zeeb wrote:
>> On Tue, 27 May 2008, Tom Judge wrote:
>>
>>> Hi,
>>>
>>> Yes we do indeed see a reply from node b. It is good to hear that this is a known issue.
>>>
>>> The IPSec configuration is a gif ipip tunnel that is then encrypted with IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook.
>>
>> 1) if you do not need the ipip tunnel because you need an interface
>> and "link state changes" only go with the IPsec tunnel mode.
>>
>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>> mode.
>>
>> (ignore the handbook, try to understand it;)
>
> I have 13 nodes in a partial mesh running ospf for routing. It would not be trivial for me to switch from tunnel to transport mode. Also I have not tested quagga when the ipsec is in transport mode, and I guess I do need interfaces to use with quagga. I may test fixing this additional overhead, but as they say if it's not broken don't fix it.

Ok. So basically you would have 12 gif tunnels on each node if it were
a full mesh. So it's less.

So a) you have two endpoints for the gif tunnel which are your Router
A, Router B endpoint. So the only thing you would need to secure is
your IPIP (gif) tunnel between two nodes (Router A, B). This is what
transport mode is for.

Running a traceroute, the IP stack would need to send the icmp ttl
exceeded packet back via the gif tunnel which then would have to be
encrypted.

To my memory the problem is that this does not work.

You could try to find out at which layer by running tcpdump on the
(external) interface and the gif interfaces and if you have enc0 to
see if/where the icmp possibly shows up.

/bz

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
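To make the "which layer" question above concrete, here is an added example (not code from this thread or from FreeBSD) that builds the ICMP time-exceeded reply a traceroute probe should trigger, first as it must appear on the gif interface (plain IP/ICMP) and then as it must appear after gif(4) IPIP encapsulation, i.e. the form tcpdump on enc0 would show before ESP makes it opaque; a capture on each interface can then be compared against the expected addresses, protocol numbers and checksums. All addresses in the demo are constructed (RFC 1918 inner, RFC 5737 outer), and the ESP layer itself is deliberately not reproduced since it depends on the SA keys.

```python
import struct
from ipaddress import IPv4Address
def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def icmp_time_exceeded(expired):
    """RFC 792 type 11 / code 0: 4 unused bytes, then the expired IP header + 8 bytes."""
    msg = struct.pack("!BBHI", 11, 0, 0, 0) + expired[:28]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def build_ttl_exceeded_reply(expired, router_inner, outer_src, outer_dst):
    """Reply as seen on gifN (plain IP/ICMP) and on the outer path after gif IPIP (proto 4), pre-ESP."""
    icmp = icmp_time_exceeded(expired)
    probe_src = str(IPv4Address(expired[12:16]))
    on_gif = ipv4_header(router_inner, probe_src, 1, len(icmp)) + icmp
    return {"gif": on_gif,
            "outer_before_esp": ipv4_header(outer_src, outer_dst, 4, len(on_gif)) + on_gif}

def describe(pkt):
    """Peel IPIP layers and the ICMP header so a capture can be checked layer by layer."""
    layers = []
    while True:
        proto = pkt[9]
        layers.append((str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), proto))
        pkt = pkt[(pkt[0] & 0x0F) * 4:]
        if proto != 4:
            break
    if proto != 1:  # e.g. 50 = ESP: opaque without the SA keys
        return {"layers": layers, "icmp_type": None}
    return {"layers": layers, "icmp_type": pkt[0], "icmp_code": pkt[1],
            "icmp_csum_ok": checksum(pkt) == 0, "quoted_dst": str(IPv4Address(pkt[24:28]))}

if __name__ == "__main__":
    # Constructed UDP traceroute probe 10.1.1.10 -> 10.2.2.20 whose TTL expires at router B
    probe = (ipv4_header("10.1.1.10", "10.2.2.20", 17, 40, ttl=1)
             + struct.pack("!HHHH", 40000, 33434, 40, 0) + bytes(32))
    for name, pkt in build_ttl_exceeded_reply(probe, "10.0.0.2", "198.51.100.1", "192.0.2.1").items():
        print(name, describe(pkt))
```

If the reply is present on gifN but never shows up on enc0 or the external interface, the packet is being dropped between the gif output path and IPsec processing, which is the layer the thread suspects.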


