Bjoern A. Zeeb wrote:
On Tue, 27 May 2008, Tom Judge wrote:

Bjoern A. Zeeb wrote:
On Tue, 27 May 2008, Tom Judge wrote:

Hi,

Yes, we do indeed see a reply from node b. It is good to hear that this is a known issue.

The IPSec configuration is a gif ipip tunnel that is then encrypted with IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook.

1) If you do not need the ipip tunnel because you need an interface
and "link state changes" only go with the IPsec tunnel mode.

2) If you need the gif tunnel on top and routing, use IPsec transport
mode.

(ignore the handbook, try to understand it;)

I have 13 nodes in a partial mesh running ospf for routing. It would not be trivial for me to switch from tunnel to transport mode. Also, I have not tested quagga when the ipsec is in transport mode, and I guess I do need interfaces to use with quagga. I may test fixing this additional overhead, but as they say, if it's not broken, don't fix it.

Ok. So basically you have 12 gif tunnels on each node, if it would be
a full mesh. So it's less.

So a) you have two endpoints for the gif tunnel which are your Router
A, Router B endpoint. So the only thing you would need to secure is
your IPIP (gif) tunnel between two nodes (Router A, B). This is what
transport mode is for.

Running a traceroute, the IP stack would need to send the icmp ttl
exceeded packet back via the gif tunnel which then would have to be
encrypted.

To my memory the problem is that this does not work.

You could try to find out at which layer by running tcpdump on the
(external) interface and the gif interfaces and if you have enc0 to
see if/where the icmp possibly shows up.

I did this by running ng_iface into ng_ksocket(UDP) and
using transport mode for all the UDP packets

I had scripts to do it all, but unfortunately it was at
a previous company.

I allocated a number to each site from 1 to 8 and the endpoints
inside the tunnels were 10.42.ME.YOU  10.42.YOU.ME.

The scripts were identical on each machine, and to add a new machine
I just added it to the list in the script, distributed the new
script, and ran it again on each machine.

/bz
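Putting Bjoern's transport-mode suggestion (secure only the IPIP traffic between the two gif endpoints of each link) together with the 10.42.ME.YOU / 10.42.YOU.ME numbering from the last reply, the following is an added example script, not the scripts from the thread (those were lost) and not FreeBSD project code. It generates, for one node, the gif and setkey SPD commands for every peer in a partial mesh. The site list, the external addresses (TEST-NET-1) and the link list are constructed for the example; the script prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: per-node gif + IPsec transport-mode config generator for a
# partial mesh. Nothing here is executed; the commands are printed for review.

# Constructed site table: "site_number external_address", one per line.
SITES="1 192.0.2.1
2 192.0.2.2
3 192.0.2.3
5 192.0.2.5"

# Constructed partial mesh: which site pairs get a tunnel.
# A full mesh would list every pair.
LINKS="1:2 1:3 2:3 3:5"

# inner_addr ME YOU -> inner tunnel address 10.42.ME.YOU
inner_addr() {
    printf '10.42.%s.%s\n' "$1" "$2"
}

# ext_addr N -> external (outer) address of site N from SITES
ext_addr() {
    printf '%s\n' "$SITES" | awk -v n="$1" '$1 == n { print $2 }'
}

# gif_cmds ME YOU N -> ifconfig commands creating tunnel gifN from ME to YOU:
# outer endpoints are the external addresses, inner endpoints 10.42.ME.YOU
# (local) and 10.42.YOU.ME (remote), as in the thread's scheme.
gif_cmds() {
    me=$1; you=$2; n=$3
    printf 'ifconfig gif%s create\n' "$n"
    printf 'ifconfig gif%s tunnel %s %s\n' "$n" "$(ext_addr "$me")" "$(ext_addr "$you")"
    printf 'ifconfig gif%s inet %s %s netmask 255.255.255.255\n' \
        "$n" "$(inner_addr "$me" "$you")" "$(inner_addr "$you" "$me")"
}

# spd_cmds ME YOU -> setkey SPD entries requiring ESP in transport mode for
# the IP-in-IP traffic (upperspec ip4) between the two outer endpoints, in
# both directions. This is the "secure only the IPIP between A and B" case;
# SAs themselves would come from racoon/IKE and are not generated here.
spd_cmds() {
    a=$(ext_addr "$1"); b=$(ext_addr "$2")
    printf 'spdadd %s %s ip4 -P out ipsec esp/transport//require;\n' "$a" "$b"
    printf 'spdadd %s %s ip4 -P in ipsec esp/transport//require;\n' "$b" "$a"
}

# peers_of ME -> site numbers ME is linked to, from either side of each pair
peers_of() {
    for l in $LINKS; do
        x=${l%%:*}; y=${l#*:}
        if [ "$x" = "$1" ]; then
            echo "$y"
        elif [ "$y" = "$1" ]; then
            echo "$x"
        fi
    done
}

# node_config ME -> complete command list for node ME, one gif per peer
node_config() {
    idx=0
    for peer in $(peers_of "$1"); do
        gif_cmds "$1" "$peer" "$idx"
        spd_cmds "$1" "$peer"
        idx=$((idx + 1))
    done
}

# Usage: sh mesh.sh <site_number>   (prints the config for that site)
if [ $# -eq 1 ]; then
    node_config "$1"
fi
```

Because the script is the same on every node and only the site table and link list change, adding a node means editing those two lists and re-running it everywhere, which is the workflow the last reply describes. Whether the ICMP TTL-exceeded replies from traceroute then make it back through a link can be checked the way Bjoern suggests: tcpdump on the gif interface, on enc0 and on the external interface, and see at which layer the ICMP stops appearing.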

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net