ICMP Error transmission/response over IPSec tunnels

Julian Elischer julian at elischer.org
Wed May 28 00:21:43 UTC 2008


Bjoern A. Zeeb wrote:
> On Tue, 27 May 2008, Tom Judge wrote:
> 
>> Bjoern A. Zeeb wrote:
>>> On Tue, 27 May 2008, Tom Judge wrote:
>>>
>>> Hi,
>>>
>>>> Yes we do indeed see a reply from node b.  It is good to hear that 
>>>> this is a known issue.
>>>>
>>>> The IPSec configuration is a gif ipip tunnel that is then encrypted 
>>>> with IPSec using esp in tunnel mode as per the ipsec vpn section in 
>>>> the handbook.
>>>
>>> 1) if you do not need the ipip tunnel because you need an interface
>>> and "link state changes" only go with the IPsec tunnel mode.
>>>
>>> 2) If you need the gif tunnel on top and routing, use IPsec transport
>>> mode.
>>>
>>> (ignore the handbook, try to understand it;)
>>
>> I have 13 nodes in a partial mesh running ospf for routing.  It would 
>> not be trivial for me to switch from tunnel to transport mode.  Also I 
>> have not tested quagga when the ipsec is in transport mode, and I 
>> guess I do need interfaces to use with quagga.  I may test fixing this 
>> additional overhead, but as they say if it's not broken don't fix it.
> 
> Ok. So basically you would have 12 gif tunnels on each node if it were
> a full mesh. So it's less.
> 
> So a) you have two endpoints for the gif tunnel which are your Router
> A, Router B endpoint. So the only thing you would need to secure is
> your IPIP (gif) tunnel between two nodes (Router A, B). This is what
> transport mode is for.
> 
> Running a traceroute, the IP stack would need to send the icmp ttl
> exceeded packet back via the gif tunnel which then would have to be
> encrypted.
> 
> To my memory the problem is that this does not work.
> 
> You could try to find out at which layer by running tcpdump on the
> (external) interface and the gif interfaces and if you have enc0 to
> see if/where the icmp possibly shows up.

I did this by running ng_iface into ng_ksocket(UDP) and
using transport mode for all the UDP packets.

I had scripts to do it all, but unfortunately it was at
a previous company.

I allocated a number to each site from 1 to 8 and the endpoints
inside the tunnels were 10.42.ME.YOU  10.42.YOU.ME.

The scripts were identical on each machine, and to add a new machine
I just added it to the list in the script, distributed the new
script, and ran it again on each machine.

> /bz
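As an added example (not the original poster's scripts, which are not on this page), the following sh script shows one way to express the setup described above: a mesh of ng_iface -> ng_ksocket(UDP) tunnels, ESP in transport mode applied only to the encapsulating UDP packets, inner addresses of the form 10.42.ME.YOU / 10.42.YOU.ME, and one identical script per machine that takes only the local site number as its argument. It also emits the tcpdump invocations suggested earlier in the thread for finding at which layer an ICMP reply appears. The site table, the 192.0.2.0/24 external addresses, UDP base port 4000, the em0 external interface, and the assumption that ng_iface nodes are numbered ng0, ng1, ... in creation order are all illustrative assumptions, not facts from the post. The ngctl control-message syntax follows ng_ksocket(4) (`bind`/`connect` with `inet/addr:port`) and the SPD entries follow setkey(8). The script only prints the commands; nothing is executed.

```shell
#!/bin/sh
# Added example, not the original author's scripts: emit the commands that
# build a mesh of ng_iface -> ng_ksocket(UDP) tunnels protected by IPsec
# transport mode, using 10.42.ME.YOU inner addressing.
# Assumptions (not from the page): the site table below (192.0.2.0/24 is the
# documentation range), UDP base port 4000, em0 as external interface, and
# that ng_iface nodes come up as ng0, ng1, ... in creation order.
# Nothing is executed here; the output is meant to be reviewed, then run.

# Constructed site table: "<site-number> <external-ip>", one per line.
SITES='1 192.0.2.1
2 192.0.2.2
3 192.0.2.3'

BASE_PORT=4000   # each site listens on BASE_PORT + its own site number

# Inner tunnel address of site $1 on the tunnel towards site $2.
tunnel_addr() {
    echo "10.42.$1.$2"
}

# External IP of a site number, looked up in SITES.
site_ip() {
    echo "$SITES" | awk -v n="$1" '$1 == n { print $2 }'
}

# All site numbers in the table.
site_list() {
    echo "$SITES" | awk '{ print $1 }'
}

# ngctl/ifconfig commands for one tunnel from site $1 to site $2 on ng$3.
gen_tunnel() {
    t_me=$1; t_you=$2; t_idx=$3
    t_my_ip=$(site_ip "$t_me"); t_your_ip=$(site_ip "$t_you")
    printf 'ngctl mkpeer . iface dummy inet\n'
    printf 'ngctl mkpeer ng%s: ksocket inet inet/dgram/udp\n' "$t_idx"
    printf 'ngctl name ng%s:inet ks%s\n' "$t_idx" "$t_idx"
    printf 'ngctl msg ks%s: bind inet/%s:%s\n' "$t_idx" "$t_my_ip" "$((BASE_PORT + t_me))"
    printf 'ngctl msg ks%s: connect inet/%s:%s\n' "$t_idx" "$t_your_ip" "$((BASE_PORT + t_you))"
    printf 'ifconfig ng%s %s %s up\n' "$t_idx" \
        "$(tunnel_addr "$t_me" "$t_you")" "$(tunnel_addr "$t_you" "$t_me")"
}

# setkey SPD entries requiring ESP in transport mode for that UDP pair,
# so only the encapsulating UDP packets are protected (no IPIP tunnel).
gen_spd() {
    s_me=$1; s_you=$2
    s_my_ip=$(site_ip "$s_me"); s_your_ip=$(site_ip "$s_you")
    s_my_port=$((BASE_PORT + s_me)); s_your_port=$((BASE_PORT + s_you))
    printf 'spdadd %s[%s] %s[%s] udp -P out ipsec esp/transport//require;\n' \
        "$s_my_ip" "$s_my_port" "$s_your_ip" "$s_your_port"
    printf 'spdadd %s[%s] %s[%s] udp -P in ipsec esp/transport//require;\n' \
        "$s_your_ip" "$s_your_port" "$s_my_ip" "$s_my_port"
}

# tcpdump invocations to see at which layer an ICMP reply shows up:
# the external interface, the tunnel interface, and enc0 if present.
gen_diag() {
    d_ext=$1; d_idx=$2
    printf 'tcpdump -ni %s icmp or esp or udp\n' "$d_ext"
    printf 'tcpdump -ni ng%s icmp\n' "$d_idx"
    printf 'tcpdump -ni enc0 icmp\n'
}

# Everything one site needs. The same script runs unchanged on every box;
# only the site number passed in differs, and adding a site means adding
# a line to SITES and re-running everywhere.
gen_site() {
    g_me=$1; g_idx=0
    for g_you in $(site_list); do
        if [ "$g_you" = "$g_me" ]; then continue; fi
        gen_tunnel "$g_me" "$g_you" "$g_idx"
        gen_spd "$g_me" "$g_you"
        g_idx=$((g_idx + 1))
    done
    gen_diag "em0" 0
}

gen_site "${1:-1}"
```

Run as `sh mesh.sh 2` on the box that is site 2 and inspect the output before piping it into sh and setkey. Because the IPsec policy is bound to the UDP pair rather than to an IPIP tunnel, an ICMP TTL-exceeded reply generated on a node is just another datagram carried inside the UDP encapsulation, which is the property the thread is after.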