vpn trouble
Eric W. Bates
ericx at ericx.net
Wed Jun 23 23:19:16 UTC 2010
On 6/22/2010 3:55 PM, ralf at dzie-ciuch.pl wrote:
>>
>> I managed to do an IP in IP tunnel with IPsec encryption between a
>> FreeBSD and a cisco router running 12.1(mumble) several years ago.
>>
>> It is a desirable option if you want to use routing (e.g. ospf). You
>> can't route an IPSec tunnel (actually, is this now possible with enc0
>> interfaces?) but you can route to the gif interfaces.
>>
>
> Can you tell me how to use route command to use it like above?
I have to admit that I no longer have access to that client's machines.
However, I can describe in broad strokes.
In our case the need was to provide a backup route for a dedicated T1.
Occasionally the T1 would fail, so we wanted an alternate route through the
internet. The internet path had to be encrypted, but it was much slower,
so we wanted the T1 to have priority. The router terminating the T1 was
separate from the router providing general internet access.
This was between a hospital and a service provider. A lot of this could
be simplified except that the vendor HAD to provide the server, the
circuit, and the router (those of you who support banks or hospitals
know what I'm talking about.)
There is already a static route in place for the provider via the T1
router. We first built a simple IPencap tunnel between our FreeBSD box
and their cisco. The FreeBSD side used a gif and the cisco side used a
tunnel interface. We confirmed that we could ping end-points.
Then we added the ospf to the mix in order to detect when the T1
dropped. We weighted the ospf so that the T1 was prioritized.
Once that was working we added the IPSec as transport between the
endpoints of the IpinIP tunnel rather than encapsulation.
That was the only time I've built an IPSec tunnel with that method.
Folks with better understanding than I can perhaps explain the pros and
cons. In our case, it was a simple expedient to support ospf. I have
noticed since then that OS X's GUI only supports this method of IPSec
tunneling; so I'm going to have to do it again to support some other
customers.
Some parts on the cisco side might appear thusly (I'm doing this from
memory so ymmv):
interface FastEthernet0/0.2
 description VLAN 500 to Comcast router
 encapsulation dot1Q 500
 ip address x.x.x.x 255.255.255.252
The encryption part:
crypto isakmp policy 10
 encr 3des
 hash sha1
 authentication pre-share
 group 2
crypto isakmp key foobar-key address 0.0.0.0 0.0.0.0
crypto ipsec transform-set PROVIDER-SET esp-3des esp-sha-hmac
!
crypto ipsec profile PROVIDER-PROF
 set transform-set PROVIDER-SET
The tunnel part:
interface tunnel0
 description IPnIP tunnel thru comcast to PROVIDER
 ip address 192.168.254.3 255.255.255.252
 ip ospf mtu-ignore
 tunnel source x.x.x.25
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROVIDER-PROF
The OSPF part:
router ospf 10101
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/0.2
 network 128.1.0.0 0.0.255.255 area 0
 network 192.168.8.0 0.0.3.255 area 0
 network 192.168.254.0 0.0.0.3 area 0
The static route part:
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.8.0 255.255.252.0 10.21.1.2
ip route 192.168.20.0 255.255.255.0 10.21.1.2
ip route y.y.y.y 255.255.255.255 x.x.x.26
! the last route is just to make sure the tunnel uses Comcast
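The post shows only the Cisco side. As an added example that is not part of the original message or of Eric's setup, the script below generates the matching FreeBSD side of the three steps he describes: a gif interface carrying IP-in-IP to the Cisco, a setkey(8) policy that applies transport-mode ESP only to that IP-in-IP traffic between the two public endpoints, and an OSPF interface cost that keeps the T1 preferred until it drops. All addresses and the interface name sr0 are constructed placeholders; racoon as the IKE daemon and Quagga's ospfd as the OSPF daemon are assumptions, since the post names neither.

```shell
#!/bin/sh
# Added example (not from the original post): FreeBSD side of the
# gif + transport-mode IPsec + OSPF setup. All values are constructed.

LOCAL_PUB="198.51.100.25"    # our public endpoint (x.x.x.25 in the post)
REMOTE_PUB="203.0.113.10"    # the Cisco's public endpoint (y.y.y.y)
TUN_LOCAL="192.168.254.4"    # our end of the /30 inside the tunnel
TUN_REMOTE="192.168.254.3"   # Cisco tunnel0 address from the post
TUN_NET="192.168.254.0/30"
T1_IF="sr0"                  # interface carrying the T1 (assumed name)
T1_COST=10                   # low cost: preferred while the T1 is up
GIF_COST=100                 # high cost: used only when the T1 is gone

# /etc/rc.conf fragment: gif0 encapsulates IP-in-IP between the public
# endpoints; IPsec policy is loaded at boot and racoon (assumed) runs IKE.
gen_rcconf() {
  cat <<EOF
gif_interfaces="gif0"
gifconfig_gif0="$LOCAL_PUB $REMOTE_PUB"
ifconfig_gif0="inet $TUN_LOCAL $TUN_REMOTE netmask 255.255.255.252"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"
EOF
}

# /etc/ipsec.conf for setkey(8): ESP in transport mode between the two
# endpoints, restricted to upper-layer protocol ip4 (IP-in-IP), so only
# the gif traffic is encrypted and IKE negotiates the SAs.
gen_ipsec_conf() {
  cat <<EOF
flush;
spdflush;
spdadd $LOCAL_PUB $REMOTE_PUB ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB ip4 -P in ipsec esp/transport//require;
EOF
}

# ospfd.conf (Quagga assumed): OSPF runs over gif0 with a higher cost than
# the T1, and mtu-ignore matches the Cisco tunnel0 setting in the post.
gen_ospfd_conf() {
  cat <<EOF
interface $T1_IF
 ip ospf cost $T1_COST
interface gif0
 ip ospf cost $GIF_COST
 ip ospf mtu-ignore
router ospf
 ospf router-id $TUN_LOCAL
 network $TUN_NET area 0
EOF
}

# Which path OSPF ends up using: the lowest-cost link that is up.
# $1 is the T1 state ("up" or "down"); gif0 is assumed to stay up.
preferred_path() {
  if [ "$1" = "up" ] && [ "$T1_COST" -lt "$GIF_COST" ]; then
    echo "$T1_IF"
  else
    echo "gif0"
  fi
}

# Usage: sh thisscript.sh show   (prints all three fragments)
if [ "${1:-}" = "show" ]; then
  gen_rcconf
  echo
  gen_ipsec_conf
  echo
  gen_ospfd_conf
fi
```

The policy is deliberately scoped to protocol ip4 rather than `any`, so management traffic to the public endpoint is not silently dropped when the SAs are not yet up, and the two spdadd lines must mirror the Cisco's transform set (esp-3des/esp-sha-hmac) in the IKE daemon's proposal or phase 2 will not complete.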