On 6/22/2010 3:55 PM, r...@dzie-ciuch.pl wrote:

I managed to do an IP in IP tunnel with IPsec encryption between a
FreeBSD and a cisco router running 12.1(mumble) several years ago.

It is a desirable option if you want to use routing (e.g. ospf). You
can't route an IPSec tunnel (actually, is this now possible with enc0
interfaces?) but you can route to the gif interfaces.


Can you tell me how to use route command to use it like above?

I have to admit that I no longer have access to that client's machines. However, I can describe in broad strokes.

In our case the need was to provide a backup route for a dedicated T1. Occasionally the T1 would fail, so we wanted an alternate route through the internet. The internet path had to be encrypted, but it was much slower, so we wanted the T1 to have priority. The router terminating the T1 was separate from the router providing general internet access.

This was between a hospital and a service provider. A lot of this could be simplified except that the vendor HAD to provide the server, the circuit, and the router (those of you who support banks or hospitals know what I'm talking about.)

There is already a static route in place for the provider via the T1 router. We first built a simple IPencap tunnel between our FreeBSD box and their Cisco. The FreeBSD side used a gif and the Cisco side used a tunnel interface. We confirmed that we could ping the end-points.

Then we added OSPF to the mix in order to detect when the T1 dropped. We weighted the OSPF so that the T1 was prioritized.

Once that was working we added the IPSec as transport between the endpoints of the IP-in-IP tunnel rather than as encapsulation.

That was the only time I've built an IPSec tunnel with that method. Folks with a better understanding than I can perhaps explain the pros and cons. In our case, it was a simple expedient to support OSPF. I have noticed since then that OS X's GUI only supports this method of IPSec tunneling; so I'm going to have to do it again to support some other customers.

Some parts on the Cisco side might appear thusly (I'm doing this from memory so ymmv):

interface FastEthernet0/0.2
  description VLAN 500 to Comcast router
  encapsulation dot1Q 500
  ip address x.x.x.x 255.255.255.252
! named FastEthernet0/0.2 to match the passive-interface lines in the OSPF part;
! the tunnel source x.x.x.25 and the route via x.x.x.26 below imply this is the
! x.x.x.24/30 with this router at .25 and the Comcast router at .26


The encryption part:

crypto isakmp policy 10
  encr 3des
  hash sha1
  authentication pre-share
  group 2
! 3DES, SHA-1 and DH group 2 (1024-bit) were the usual choice in 2010; prefer AES
! and a larger DH group when both ends support them
crypto isakmp key foobar-key address 0.0.0.0 0.0.0.0
! the 0.0.0.0 0.0.0.0 wildcard accepts this PSK from any peer address; pinning it
! to the FreeBSD end is tighter:  crypto isakmp key foobar-key address y.y.y.y
crypto ipsec transform-set PROVIDER-SET esp-3des esp-sha-hmac
! a transform set defaults to tunnel mode; a FreeBSD gif peer with a transport-mode
! setkey policy needs "mode transport" under this transform set
!
crypto ipsec profile PROVIDER-PROF
  set transform-set PROVIDER-SET


The tunnel part:

interface Tunnel0
  description IPnIP tunnel thru comcast to PROVIDER
! 192.168.254.3 is the broadcast address of 192.168.254.0/30 and IOS rejects it as
! an interface address; .1 here and .2 on the FreeBSD gif keeps the
! "network 192.168.254.0 0.0.0.3 area 0" statement below valid
  ip address 192.168.254.1 255.255.255.252
  ip ospf mtu-ignore
  tunnel source x.x.x.25
  tunnel destination y.y.y.y
! "tunnel mode ipsec ipv4" is a VTI: ESP carries the inner packet directly, with no
! IP-in-IP header. For a FreeBSD gif peer (IP protocol 4) protected by transport-mode
! IPsec, the matching mode is "tunnel mode ipip" with "mode transport" on the transform set.
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile PROVIDER-PROF

The OSPF part:

router ospf 10101
  log-adjacency-changes
  redistribute connected subnets
  redistribute static subnets
  passive-interface FastEthernet0/0
  passive-interface FastEthernet0/0.1
  passive-interface FastEthernet0/0.2
  network 128.1.0.0 0.0.255.255 area 0
  network 192.168.8.0 0.0.3.255 area 0
  network 192.168.254.0 0.0.0.3 area 0
! the T1 preference mentioned above is interface cost ("ip ospf cost"), set higher
! on Tunnel0 than on the T1 interface; it is not part of this fragment


The static route part:

ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.8.0 255.255.252.0 10.21.1.2
ip route 192.168.20.0 255.255.255.0 10.21.1.2
ip route y.y.y.y 255.255.255.255 x.x.x.26
! the last route is just to make sure the tunnel uses Comcast


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
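The FreeBSD side of the procedure described in the message above (gif tunnel, host route for the peer, transport-mode IPsec policy restricted to the IP-in-IP packets, OSPF cost on the tunnel), as an added example that is not part of the original message or thread. The addresses, the internet gateway, the OSPF cost value and the ospfd (quagga) syntax are assumptions; REMOTE_PUB stands for the Cisco "tunnel source" (x.x.x.25) and LOCAL_PUB for the FreeBSD public address (y.y.y.y). By default the script only prints what it would do, so the change can be reviewed before applying it as root on FreeBSD with DRY_RUN set empty.

```sh
#!/bin/sh
# FreeBSD side of the gif + transport-mode IPsec + OSPF setup described above.
# Added example, not code from the original message. Addresses, gateway, OSPF
# cost and ospfd syntax are assumptions; REMOTE_PUB stands for the Cisco
# "tunnel source" (x.x.x.25), LOCAL_PUB for the FreeBSD address (y.y.y.y).
# Default: print every command. Apply for real (root, FreeBSD) with:
#   DRY_RUN= sh gif-ipsec.sh
set -eu
DRY_RUN=${DRY_RUN-1}
REMOTE_PUB=${REMOTE_PUB:-198.51.100.25}   # Cisco tunnel source (assumed)
LOCAL_PUB=${LOCAL_PUB:-203.0.113.10}      # FreeBSD public address (assumed)
INET_GW=${INET_GW:-203.0.113.1}           # internet next hop, not the T1 router (assumed)
TUN_REMOTE=192.168.254.1                  # Cisco Tunnel0 end of the /30 (assumed)
TUN_LOCAL=192.168.254.2                   # gif0 end of the /30 (assumed)

run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Plain IP-in-IP tunnel (IP protocol 4). The inner /30 is what OSPF speaks
#    over; the MTU is lowered to leave room for the IPIP + ESP overhead.
setup_gif() {
  run ifconfig gif0 create
  run ifconfig gif0 tunnel "$LOCAL_PUB" "$REMOTE_PUB"
  run ifconfig gif0 inet "$TUN_LOCAL" "$TUN_REMOTE" netmask 255.255.255.252
  run ifconfig gif0 mtu 1400 up
}

# 2. Host route for the peer's public address via the internet gateway, so the
#    outer packets never follow the T1 default route (the FreeBSD counterpart
#    of "ip route y.y.y.y 255.255.255.255 x.x.x.26"). Routes to the provider's
#    networks are learned through gif0 by OSPF and are not added here.
setup_outer_route() {
  run route add -host "$REMOTE_PUB" "$INET_GW"
}

# 3. IPsec as transport protection for the IPIP packets only: the selector is
#    the two public addresses plus protocol ipencap (4). "require" drops the
#    tunnel traffic instead of sending it in clear when no SA exists. The SAs
#    come from IKE (racoon/ipsec-tools at the time); its PSK and peer address
#    must match the Cisco "crypto isakmp key".
ipsec_policy() {
  cat <<EOF
spdadd $LOCAL_PUB $REMOTE_PUB ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB ipencap -P in ipsec esp/transport//require;
EOF
}
setup_ipsec() {
  if [ -n "$DRY_RUN" ]; then
    printf 'setkey -c <<EOF\n%s\nEOF\n' "$(ipsec_policy)"
  else
    ipsec_policy | setkey -c
  fi
}

# 4. OSPF over gif0 (quagga ospfd syntax, assumed). A cost well above the T1
#    link's makes the T1 path win while its adjacency is up; when the T1 drops,
#    the route via gif0 is all that remains.
ospfd_fragment() {
  cat <<EOF
interface gif0
 ip ospf cost 1000
 ip ospf mtu-ignore
router ospf
 network 192.168.254.0/30 area 0.0.0.0
EOF
}

setup_gif
setup_outer_route
setup_ipsec
printf '# append to ospfd.conf:\n'
ospfd_fragment
```

The policy deliberately matches only protocol 4 between the two public addresses: ordinary traffic between the hosts is untouched, while every IP-in-IP packet carrying routed traffic is required to be encrypted, so a lapsed SA surfaces as a dead tunnel rather than as cleartext on the internet path.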
