ICMP_UNREACH_NEEDFRAG broken in -current

Brian Somers brian at Awfulhak.org
Mon Sep 27 04:23:27 PDT 2004


On Mon, 27 Sep 2004 10:59:54 +0000 (UTC), "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
> On Mon, 27 Sep 2004, Brian Somers wrote:
> 
> > The outside network segment is an IPSEC configuration with gif interfaces
> ...
> > Comments/suggestions/flames?
> 
> most likely unrelated but I need input on this so ...
> why do you need gif(4) ?

With an ipsec-only solution, talking from a gateway box to an internal
host on the ``other'' network doesn't work nicely.... especially if the
internal host on the other network doesn't have a route for it.  In
my scenario, some 172.16.10.0/24 machines don't have a default route
and therefore can't reach 80.177.173.150.

Using gif results in traffic from the gateway box using the gateway box's
internal IP number as the source rather than its external IP number.
This allows a simple security policy:

172.16.10.212 $ cat /etc/ipsec.conf
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;

172.16.0.1 $ ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        ether 00:40:f4:b1:1c:85
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 80.177.173.150 --> 194.242.157.46
        inet 172.16.0.1 --> 172.16.10.212 netmask 0xffffffff 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 80.177.173.150 --> 217.47.133.74 netmask 0xffffffff 
        Opened by PID 876

172.16.10.212 $ ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 194.242.157.46 netmask 0xfffffff8 broadcast 194.242.157.47
        ether 00:03:ba:2d:d9:f0
        media: Ethernet autoselect (1000baseSX <full-duplex>)
        status: active
bge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 172.16.10.212 netmask 0xffffff00 broadcast 172.16.10.255
        ether 00:03:ba:2d:d9:f1
        media: Ethernet autoselect (1000baseSX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 194.242.157.46 --> 80.177.173.150
        inet 172.16.10.212 --> 172.16.0.1 netmask 0xffffffff 

-- 
Brian <brian at Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
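The point of the policy above is that ESP in transport mode between the two tunnel endpoints protects everything gif encapsulates, and `require` means the kernel refuses to pass those packets in the clear. As an added illustration (not part of the mail), this script parses `spdadd` lines and the `tunnel inet` line of a gif interface and reports any direction that is not covered by a `require` policy; the sample input is constructed from the configuration shown above.

```python
import re

# Constructed sample input: the SPD and the gif tunnel of 172.16.10.212 from the mail.
IPSEC_CONF = """\
spdadd 80.177.173.150/32 194.242.157.46/32 ip4 -P in ipsec esp/transport//require;
spdadd 194.242.157.46/32 80.177.173.150/32 ip4 -P out ipsec esp/transport//require;
"""
IFCONFIG = """\
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 194.242.157.46 --> 80.177.173.150
        inet 172.16.10.212 --> 172.16.0.1 netmask 0xffffffff
"""

# spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL;
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+?);")
TUN_RE = re.compile(r"tunnel inet (\S+) --> (\S+)")


def parse_spd(text):
    """Return (src, dst, upperspec, direction, policy) tuples for each spdadd line."""
    return [m.groups() for m in (SPD_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_tunnels(text):
    """Return (local, remote) outer-address pairs of every gif tunnel in ifconfig output."""
    return TUN_RE.findall(text)


def host(prefix):
    """Strip the /32 prefix length so policies can be compared with tunnel addresses."""
    return prefix.split("/")[0]


def check_tunnel_policy(conf, ifcfg):
    """For each gif tunnel, confirm both directions carry an IPsec 'require' policy."""
    spd = parse_spd(conf)
    findings = []
    for local, remote in parse_tunnels(ifcfg):
        # Inbound policy is remote -> local, outbound is local -> remote.
        wanted = [("in", remote, local), ("out", local, remote)]
        for direction, src, dst in wanted:
            match = [p for p in spd if (p[3], host(p[0]), host(p[1])) == (direction, src, dst)]
            if not match:
                findings.append(f"{direction}: no policy for {src} -> {dst}")
            elif not all(p[4].endswith("/require") for p in match):
                findings.append(f"{direction}: policy for {src} -> {dst} is not 'require'")
    return findings
```

An empty result means every gif-encapsulated packet in both directions must go through ESP; a policy level of `use` instead of `require` would be flagged because it lets cleartext through when no SA exists.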