On 6/22/2010 3:55 PM, r...@dzie-ciuch.pl wrote:
I managed to do an IP in IP tunnel with IPsec encryption between a
FreeBSD and a cisco router running 12.1(mumble) several years ago.
It is a desirable option if you want to use routing (e.g. ospf). You
can't route an IPSec tunnel (actually, is this now possible with enc0
interfaces?) but you can route to the gif interfaces.
Can you tell me how to use route command to use it like above?
I have to admit that I no longer have access to that client's machines.
However, I can describe in broad strokes.
In our case the need was to provide a backup route for a dedicated T1.
Occasionally the T1 would fail; so we wanted an alternate route thru the
internet. The internet path had to be encrypted; but it was much slower;
so we wanted the T1 to have priority. The router terminating the T1 was
separate from the router providing general internet access.
This was between a hospital and a service provider. A lot of this could
be simplified except that the vendor HAD to provide the server, the
circuit, and the router (those of you who support banks or hospitals
know what I'm talking about.)
There is already a static route in place for the provider via the T1
router. We first built a simple IPencap tunnel between our FreeBSD box
and their cisco. The FreeBSD side used a gif and the cisco side used a
tunnel interface. We confirmed that we could ping end-points.
Then we added the ospf to the mix in order to detect when the T1
dropped. We weighted the ospf so that the T1 was prioritized.
Once that was working we added the IPSec as transport between the
endpoints of the IpinIP tunnel rather than encapsulation.
That was the only time I've built an IPSec tunnel with that method.
Folks with better understanding than I can perhaps explain the pros and
cons. In our case, it was a simple expedient to support ospf. I have
noticed since then that OS X's GUI only supports this method of IPSec
tunneling; so I'm going to have to do it again to support some other
customers.
Some parts on the cisco side might appear thusly (I'm doing this from
memory so ymmv):
interface FastEthernet0.2
description VLAN 500 to Comcast router
encapsulation dot1Q 500
ip address x.x.x.x 255.255.255.252
The encryption part:
crypto isakmp policy 10
encr 3des
hash sha1
authentication pre-share
group 2
crypto isakmp key foobar-key address 0.0.0.0 0.0.0.0
crypto ipsec transform-set PROVIDER-SET esp-3des esp-sha-hmac
!
crypto ipsec profile PROVIDER-PROF
set transform-set PROVIDER-SET
The tunnel part:
interface tunnel0
description IPnIP tunnel thru comcast to PROVIDER
ip address 192.168.254.3 255.255.255.252
ip ospf mtu-ignore
tunnel source x.x.x.25
tunnel destination y.y.y.y
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROVIDER-PROF
The OSPF part:
router ospf 10101
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
passive interface FastEthernet0/0
passive interface FastEthernet0/0.1
passive interface FastEthernet0/0.2
network 128.1.0.0 0.0.255.255 area 0
network 192.168.8.0 0.0.3.255 area 0
network 192.168.254.0 0.0.0.3 area 0
The static route part:
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.8.0 255.255.252.0 10.21.1.2
ip route 192.168.20.0 255.255.255.0 10.21.1.2
ip route y.y.y.y 255.255.255.255 x.x.x.26
! the last route is just to make sure the tunnel uses Comcast
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
