Subject: multi-cast OSPF over gif tunnel with IPSec
To: None <current-users@netbsd.org>
From: Andreas Wrede <andreas@planix.com>
List: current-users
Date: 05/14/2001 17:01:18
I have a gif tunnel configured between two NetBSD/i386 1.5.1_BETA
systems. Without IPSec transport mode configured for the underlying
real IP addresses, the gif tunnel will transport OSPF multicast
packets (i.e. Zebra OSPF hellos to 224.0.0.5) without problem.

If I configure IPSec between the real IP addresses of the tunnel, the
OSPF multicast packets never make it to the other side of the tunnel.
Normal packets (TCP, UDP, ICMP) work fine.

Some configuration details:

# system X
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet x.x.x.x netmask 0xffffff80 broadcast 63.204.6.127
        inet6 fe80::280:c8ff:feca:a909%tlp0 prefixlen 64 scopeid 0x1

gif7: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        tunnel inet x.x.x.x --> y.y.y.y
        inet 10.0.0.5 -> 10.0.0.6 netmask 0xfffffffc
        inet6 fe80::280:c8ff:feca:a909%gif7 -> :: prefixlen 64 scopeid 0x15

- ipsec.conf -
add x.x.x.x y.y.y.y esp 2001 -E des-cbc "9f341327";
add y.y.y.y x.x.x.x esp 1002 -E des-cbc "9f341327";
spdadd x.x.x.x y.y.y.y any -P out ipsec esp/transport//require;


# system Y
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet y.y.y.y netmask 0xfffffff0 broadcast y.y.y.n
        inet6 fe80::280:c8ff:fe90:c469%tlp0 prefixlen 64 scopeid 0x1

gif7: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        tunnel inet y.y.y.y --> x.x.x.x
        inet 10.0.0.6 -> 10.0.0.5 netmask 0xfffffffc
        inet6 fe80::280:c8ff:fe90:c469%gif7 -> :: prefixlen 64 scopeid 0x15

- ipsec.conf -
add y.y.y.y x.x.x.x esp 1002 -E des-cbc "9f341327";
add x.x.x.x y.y.y.y esp 2001 -E des-cbc "9f341327";
spdadd y.y.y.y x.x.x.x any -P out ipsec esp/transport//require;


Does anyone have an idea why IPSec would interfere with multicast OSPF
packets?

-- 
    - aew
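The setkey(8) entries quoted in the post, run through an added checker that is not part of the original message or of NetBSD. It parses only the two line shapes the post uses (`add ... esp SPI -E alg key;` and `spdadd ... -P dir ipsec proto/mode/src-dst/level;`) and reports what a reviewer would look at before chasing the multicast problem: single DES in use, ASCII key length against the cipher's key size (the table for des-cbc and 3des-cbc is my assumption, not read from the page), whether each outbound `require` policy has a mirrored inbound one (without it the receiving side still accepts unprotected packets from the peer), and whether the policy's upper-layer selector covers the IPv4-in-IPv4 carrier (IP protocol 4) that gif produces when it encapsulates the OSPF hello. The config text below is a constructed copy of system X's ipsec.conf from the post.

```python
"""Audit setkey-style ipsec.conf lines for the gaps a reviewer checks first.

Added example, not from the original post.  Only the SA/SPD syntax shapes
used in the post are recognised; anything else raises ValueError.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed copy of system X's ipsec.conf as quoted in the post.
SYSTEM_X_CONF = """
add x.x.x.x y.y.y.y esp 2001 -E des-cbc "9f341327";
add y.y.y.y x.x.x.x esp 1002 -E des-cbc "9f341327";
spdadd x.x.x.x y.y.y.y any -P out ipsec esp/transport//require;
"""

# Assumption: key sizes in bytes for the two ciphers checked here.
KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24}
WEAK_ALGS = {"des-cbc"}          # single DES: 56-bit effective key
GIF_CARRIER_PROTO = "4"          # IPv4-in-IPv4 (RFC 2003) used by gif(4)

SA_RE = re.compile(
    r'^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+-E\s+(\S+)\s+("[^"]*"|0x[0-9a-fA-F]+)\s*;$')
SPD_RE = re.compile(
    r'^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;$')


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    alg: str
    key: str


@dataclass
class Policy:
    src: str
    dst: str
    upper: str          # upper-layer selector: any, tcp, udp, or a number
    direction: str      # in / out
    proto: str          # esp / ah
    mode: str           # transport / tunnel
    level: str          # default / use / require


def key_bytes(token: str) -> int:
    """Length in bytes of a setkey key token: "ascii" or 0xhex."""
    if token.startswith('"'):
        return len(token.strip('"'))        # one byte per ASCII character
    return (len(token) - 2) // 2            # two hex digits per byte


def parse_conf(text: str) -> Tuple[List[SA], List[Policy]]:
    sas, policies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SA_RE.match(line)
        if m:
            src, dst, proto, spi, alg, key = m.groups()
            sas.append(SA(src, dst, proto, int(spi), alg, key))
            continue
        m = SPD_RE.match(line)
        if m:
            src, dst, upper, direction, spec = m.groups()
            parts = (spec.split("/") + ["", "", "", ""])[:4]   # proto/mode/src-dst/level
            policies.append(Policy(src, dst, upper, direction, parts[0], parts[1], parts[3]))
            continue
        raise ValueError(f"unrecognised ipsec.conf line: {line}")
    return sas, policies


def covers_gif_encap(p: Policy) -> bool:
    """Does the selector match the proto-4 carrier that gif emits?"""
    return p.upper in ("any", GIF_CARRIER_PROTO)


def audit(text: str) -> List[str]:
    sas, policies = parse_conf(text)
    findings = []
    for sa in sas:
        if sa.alg in WEAK_ALGS:
            findings.append(f"SA {sa.src}->{sa.dst} spi {sa.spi}: {sa.alg} is single DES")
        need, have = KEY_BYTES.get(sa.alg), key_bytes(sa.key)
        if need is not None and have != need:
            findings.append(f"SA {sa.src}->{sa.dst} spi {sa.spi}: key is {have} bytes, "
                            f"{sa.alg} needs {need}")
    for p in policies:
        if p.direction == "out" and p.level == "require":
            mirrored = any(q.direction == "in" and q.src == p.dst and q.dst == p.src
                           and q.upper == p.upper for q in policies)
            if not mirrored:
                findings.append(f"policy out {p.src}->{p.dst} {p.upper}: no matching inbound "
                                f"policy, unprotected packets from {p.dst} are still accepted")
        if not covers_gif_encap(p):
            findings.append(f"policy {p.direction} {p.src}->{p.dst} {p.upper}: does not "
                            f"cover the gif IPv4-in-IPv4 carrier (proto {GIF_CARRIER_PROTO})")
    return findings


if __name__ == "__main__":
    for f in audit(SYSTEM_X_CONF):
        print(f)
```

Run against system X's entries the checker reports single DES on both SAs and the absent inbound policy; the `any` selector does cover the proto-4 carrier, so the SPD entry is not what drops the encapsulated hellos. System Y's entries are the mirror image and produce the same three findings.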