gre tunnel & ipsec transport mode

Eric Masson e-masson at kisoft-services.com
Tue Dec 16 14:56:28 PST 2003


Hello,

I'm experimenting with dynamic routing protocols in a VPN setup. IPsec tunnel
mode is not applicable here as selectors do not appear in the system routing
table.

So I've tried to use GRE tunnels between LANs and then protect them with
IPsec transport mode between gateways.

It seems that GRE pseudo-interfaces & the IPsec stack don't interact very
well in this setup (4.8-RELEASE-p14 boxes).

I've set up the following test case:

192.168.197.* --- Router A  --- gre tunnel--- Router B --- 10.168.18.*
                      \                          /
                       +--------Internet-------+

GRE tunnel setup:

Each router has a GRE tunnel to its peer and the associated network
route.

Traffic from 192.168.197/24 hosts to 10.168.18/24 hosts flows fine;
tcpdump reports GRE packets between the two routers.

IPsec transport mode setup:

Each router has outgoing & incoming transport-mode IPsec policies (ah+esp)
to its peer for any protocol.

Isakmpd (racoon) is active.

A direct connection from one router to the other (ssh, telnet...) has the
IPsec SP applied and works fine.

Mixing the two setups:

IPsec-transformed GRE packets leave the originating box for the other tunnel
endpoint (tcpdump reports ah+esp packets flowing outside).

On the destination box, tcpdump shows the incoming IPsec-transformed GRE
packets, but these packets don't make their way to the internal interface,
and are silently dropped (no log anywhere).

I've tried to look at /sys/net/ip_input.c, /sys/net/in_gif.c &
/sys/net/ip_gre.c to understand the case, as gif tunnels get
encapsulated correctly, but no immediate fix came to mind, and I must
say I'm no C guru nor kernel hacker :/

Has anyone any idea or fix for this case?

TIA

Regards

Eric Masson

-- 
 I don't think it's you.... you're far too devious to act that
 way. You, your style is more to contact the bank directly, hoping
 I won't get my referral gifts!!!!!
 -+- JD in <http://www.le-gnu.net>: Little Christmas Dummy -+-
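The header chain that tcpdump is showing at each step of the post above can be reproduced offline. The following is an added example, not code from the original message or from FreeBSD: it builds the GRE-over-IP packet from the first setup and then the AH+ESP transport-mode layout from the second, and walks the cleartext headers outermost first, stopping at ESP because everything behind it is ciphertext on the wire (which is exactly why the GRE header is only visible again after the receiving kernel has decrypted the packet and re-injected it into ip_input). No real cryptography is performed: the ICV bytes are zero and the ESP payload is left in clear, since only the header layout is of interest here. The router addresses 203.0.113.1/2, the SPIs and the ICMP payload are constructed sample values, and the function names are this example's own.

```python
"""Walk the protocol chain of GRE-over-IPsec-transport packets (added example)."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 1, 47, 50, 51
ETHERTYPE_IP = 0x0800


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """First setup: inner IP packet behind a plain GRE header (no C/K/S flags)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IP)
    return ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + inner_packet)


def ah_esp_transport(packet: bytes, ah_spi: int, esp_spi: int, seq: int = 1) -> bytes:
    """Second setup: on-wire layout of AH+ESP transport mode, IP | AH | ESP | data.
    The original IP header is kept (protocol rewritten to AH) and the original
    protocol number moves into the ESP trailer. Simulation only: zero ICV and
    cleartext ESP payload instead of real HMAC/encryption."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst, original_proto = packet[12:16], packet[16:20], packet[9]
    esp = struct.pack("!II", esp_spi, seq) + packet[ihl:] + bytes([0, original_proto])
    icv = b"\x00" * 12                       # HMAC-96 placeholder
    ah_words = (12 + len(icv)) // 4          # AH payload length field is words - 2
    ah = struct.pack("!BBHII", IPPROTO_ESP, ah_words - 2, 0, ah_spi, seq) + icv
    return ipv4(socket.inet_ntoa(src), socket.inet_ntoa(dst), IPPROTO_AH, ah + esp)


def walk(packet: bytes) -> list:
    """Return the cleartext header chain, outermost first, e.g.
    [("IP", src, dst), ("AH", spi), ("ESP", spi)] for a protected packet."""
    layers, data = [], packet
    while True:
        if len(data) < 20 or data[0] >> 4 != 4:
            raise ValueError("expected an IPv4 header")
        ihl, proto = (data[0] & 0x0F) * 4, data[9]
        layers.append(("IP", socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20])))
        data = data[ihl:]
        while True:
            if proto == IPPROTO_AH:
                next_hdr, payload_len, _, spi = struct.unpack("!BBHI", data[:8])
                layers.append(("AH", spi))
                data, proto = data[(payload_len + 2) * 4:], next_hdr
            elif proto == IPPROTO_ESP:
                layers.append(("ESP", struct.unpack("!I", data[:4])[0]))
                return layers                # the rest is ciphertext on the wire
            elif proto == IPPROTO_GRE:
                flags, ptype = struct.unpack("!HH", data[:4])
                # optional fields: checksum (C, 0x8000), key (K, 0x2000), sequence (S, 0x1000)
                hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) \
                            + 4 * bool(flags & 0x1000)
                layers.append(("GRE", ptype))
                data = data[hdr_len:]
                if ptype != ETHERTYPE_IP:
                    return layers
                break                        # inner IPv4 packet follows
            else:
                layers.append(("L4", proto))
                return layers


if __name__ == "__main__":
    # Constructed sample: ICMP echo from the 192.168.197/24 LAN to the 10.168.18/24 LAN.
    inner = ipv4("192.168.197.10", "10.168.18.5", IPPROTO_ICMP, b"\x08\x00\x00\x00ping")
    clear = gre_encapsulate("203.0.113.1", "203.0.113.2", inner)
    print("GRE only :", walk(clear))
    print("ah+esp   :", walk(ah_esp_transport(clear, 0x1000, 0x2000)))
```

Running the block prints the chain IP, GRE, IP, L4 for the unprotected tunnel and IP, AH, ESP once the transport policy is applied; after IPsec input processing the receiving kernel has to hand the first chain to ip_input again so that ip_gre.c can deliver the inner packet to the gre interface.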

