misc/77299: Syntax Errors in commands for IPSEC in Handbook

Loren M. Lang lorenl at alzatex.com
Wed Feb 9 02:20:15 PST 2005


>Number:         77299
>Category:       misc
>Synopsis:       Syntax Errors in commands for IPSEC in Handbook
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 09 10:20:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Loren M. Lang
>Release:        FreeBSD 5.3-p5
>Organization:
Alzatex, Inc.
>Environment:
FreeBSD bsd 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #1: Fri Jan 28 06:53:12 PST 2005     root at bsd:/usr/obj/usr/src/sys/IPSEC  i386
>Description:
In the VPN over IPSEC section of the FreeBSD Handbook, there are a couple of errors in the configuration.  First, the route command he uses is "route add 192.168.2.0 192.168.2.1 netmask 0xffffff00".  The word netmask does not belong in there; it should be "route add 192.168.2.0 192.168.2.1 0xffffff00".  The error is repeated in the summary of the first part with the line 'route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"'.  Again, the word netmask should be removed.  Also, in configuring the IPSEC rules he uses the following lines:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

This is incorrect: as he is already tunneling the data through gif0, this creates a tunnel inside of a tunnel.  This can be confirmed by changing the protocol from esp to ah and sniffing the network as traffic is crossing.  You will see two identical tunnels inside one another.  The correct fix is to either not use the gif interface or change the lines above to:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require;

Also, in setting up the gif tunnel, he mentions that FreeBSD 5.x has the command gifconfig merged into ifconfig, but does not offer an example.  I think it would be helpful to show the correct command which would be:

ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff tunnel W.X.Y.Z A.B.C.D

And, of course, swapped for the second router.  Lastly, he didn't talk about how to use ah in combination with esp.  An example like:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;

which will wrap the tunnel inside esp inside ah inside the outer IP protocol, would probably be a good example to put in.  I am also interested in using ipcomp as well, but I have yet to figure out how to set it up correctly; maybe a quick demo of that would be nice.
>How-To-Repeat:
      
>Fix:
Remove the word netmask on all lines pertaining to the route command.

Don't use a gif tunnel for ipsec or change the ipsec.conf file to read:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require;

Offer ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff tunnel W.X.Y.Z A.B.C.D as an example for FreeBSD 5.x

Offer the following configuration for people trying to use esp inside of ah: 

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;

Add a short example on setting up ipcomp.

>Release-Note:
>Audit-Trail:
>Unformatted:
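As an added example, not code from the PR or from the Handbook, the shell script below emits the corrected gif-over-IPsec configuration the report proposes (transport-mode SPD entries, the ifconfig form of the gif setup, and the route_vpn line without "netmask") for both routers from one set of parameters, and lints an existing ipsec.conf for the tunnel-inside-a-tunnel mistake. It assumes W.X.Y.Z with gif address 192.168.1.1 is router 1 and A.B.C.D with 192.168.2.1 is router 2; the lint regex and function names are this example's own.

```shell
#!/bin/sh
# Added example, not the PR's or the Handbook's own code.
# Assumed layout: router 1 = W.X.Y.Z / 192.168.1.1, router 2 = A.B.C.D / 192.168.2.1.

# spd_entries LOCAL_PUB REMOTE_PUB [ah]
# Two setkey(8) spdadd lines for one router. Transport mode, because gif(4)
# already encapsulates the inner packets; "ah" appends an AH bundle after ESP.
spd_entries() {
    extra=""
    [ "${3:-}" = "ah" ] && extra=" ah/transport//require"
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require%s;\n' "$1" "$2" "$extra"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require%s;\n' "$2" "$1" "$extra"
}

# gif_cmd LOCAL_PUB REMOTE_PUB LOCAL_PRIV REMOTE_PRIV
# FreeBSD 5.x folds gifconfig into ifconfig: addresses and tunnel in one call.
gif_cmd() {
    printf 'ifconfig gif0 inet %s %s netmask 0xffffffff tunnel %s %s\n' "$3" "$4" "$1" "$2"
}

# route_vpn_line REMOTE_NET REMOTE_PRIV: the rc.conf entry without the stray "netmask".
route_vpn_line() {
    printf 'route_vpn="%s %s 0xffffff00"\n' "$1" "$2"
}

# router_config LOCAL_PUB REMOTE_PUB LOCAL_PRIV REMOTE_PRIV REMOTE_NET [ah]
# Everything one side needs; call it again with the ends swapped for the peer.
router_config() {
    gif_cmd "$1" "$2" "$3" "$4"
    route_vpn_line "$5" "$4"
    spd_entries "$1" "$2" "${6:-}"
}

# lint_spd < ipsec.conf
# Fails (exit 1) if an ipencap policy still uses */tunnel/*, i.e. the double
# encapsulation the PR describes seeing on the wire with AH and a sniffer.
lint_spd() {
    ! grep -E '^spdadd .*ipencap .*(esp|ah)/tunnel/' >/dev/null
}

router_config W.X.Y.Z A.B.C.D 192.168.1.1 192.168.2.1 192.168.2.0     # router 1, ESP only
router_config A.B.C.D W.X.Y.Z 192.168.2.1 192.168.1.1 192.168.1.0 ah  # router 2, ESP + AH
```

Feed the generated spdadd lines to setkey(8) via ipsec.conf as the Handbook does; the two router_config calls must use the same AH choice on both sides, which the trailing argument makes explicit.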