Subject: Re: setkey and 0.0.0.0/0
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: Jochen Kunz <jkunz@unixag-kl.fh-kl.de>
List: current-users
Date: 12/22/2004 00:36:03
On Tue, 21 Dec 2004 20:28:30 +0200 (EET)
Martti Kuparinen <martti.kuparinen@iki.fi> wrote:

> Hi!
>
> I'm debating with someone about setkey's spdadd syntax. Here's an
> example:
>
> spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
>    esp/tunnel/10.0.0.10-10.0.0.1/require;
>
> Which one is true:
>
> 1) 0.0.0.0/0 is "any of my local addresses"
> 2) 0.0.0.0/0 is "any address, local or foreign"
>
> I'd say #2 so I read the above rule as "outgoing traffic from anyone
> in the 10.0.0.0/24 network to any destination must be tunneled and
> outer header's src=10.0.0.10 and dst=10.0.0.1".
>
> I also read it that 10.0.0.10 is my address and 10.0.0.1 is the
> security gateway's address.
>
> Am I right or wrong?
You are right. The above may not work as the tunnel endpoints are in the
same subnet as the source address range. This may confuse the IPsec
code. (Or the user of it. ;-) ) But I am no IPsec expert.

I use this:

spdadd 192.168.1.0/24 192.168.1.0/24 any -P in none;
spdadd 192.168.1.0/24 192.168.1.0/24 any -P out none;

spdadd 192.168.100.0/24  192.168.100.0/24 any -P out ipsec
        esp/transport//require;
spdadd 192.168.100.0/24  192.168.100.0/24 any -P in ipsec
        esp/transport//require;

spdadd 0.0.0.0/0 192.168.1.0/24 any -P in ipsec
        esp/tunnel/192.168.100.254-192.168.100.253/require;
spdadd 192.168.1.0/24 0.0.0.0/0 any -P out ipsec
        esp/tunnel/192.168.100.253-192.168.100.254/require;

192.168.1.0/24 is the LAN with all my machines. It is connected to a
router 192.168.1.254 with a second interface 192.168.100.253.
192.168.100.0/24 is a special subnet only for transporting non-local
traffic to the DSL router (192.168.100.254) by WLAN.

Note that you need the first two rules. 0.0.0.0/0 means everything,
including 192.168.1.0/24. Obviously. So if you omit the first two rules
the machine wants to tunnel every packet, even those from the local
Ethernet that don't have to be tunneled. Yes, I have learned this the hard
way. ;-)
-- 


bye,
       Jochen

Homepage: http://www.unixag-kl.fh-kl.de/~jkunz/
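As an added illustration of the two points made in this thread (the code is mine, not Jochen's, Martti's, or the kernel's SPD implementation): a small Python model of how a packet is matched against the spdadd rules above. It assumes the SPD is searched as a first-match list in file order (the simple reading of the KAME lookup; confirm on your own kernel before relying on it), ignores the upper-layer protocol and port selectors, and never talks to the kernel. The rulesets embedded below are copied from the post; the packets are constructed test inputs.

```python
"""Toy model of setkey(8) SPD lookup: which spdadd policy does a packet hit?

Added example, not code from the post and not the kernel's own SPD code.
Assumptions: first-match in file order, address selectors only (upper-layer
protocol and ports ignored), nothing is sent to the kernel.
"""
import ipaddress
import re
from dataclasses import dataclass

# Jochen's ruleset from the post (constructed input for the model).
SPD_TEXT = """
spdadd 192.168.1.0/24 192.168.1.0/24 any -P in none;
spdadd 192.168.1.0/24 192.168.1.0/24 any -P out none;
spdadd 192.168.100.0/24 192.168.100.0/24 any -P out ipsec esp/transport//require;
spdadd 192.168.100.0/24 192.168.100.0/24 any -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0 192.168.1.0/24 any -P in ipsec esp/tunnel/192.168.100.254-192.168.100.253/require;
spdadd 192.168.1.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.100.253-192.168.100.254/require;
"""

# Martti's rule from the question: tunnel endpoints lie inside 10.0.0.0/24.
MARTTI_RULE = """
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
   esp/tunnel/10.0.0.10-10.0.0.1/require;
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    action: str      # "none", "ipsec" or "discard"
    spec: str        # e.g. "esp/tunnel/A-B/require"; "" for none/discard

    def matches(self, src: str, dst: str, direction: str) -> bool:
        return (direction == self.direction
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


# spdadd <src> <dst> <upper> -P <dir> <action> [<spec>] ;  (spec may be on the next line)
_SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(none|ipsec|discard)\s*(\S*?)\s*;")


def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd lines in the syntax used in the post, in file order."""
    return [Policy(ipaddress.ip_network(s), ipaddress.ip_network(d), direction, action, spec)
            for s, d, direction, action, spec in _SPDADD.findall(text)]


def treatment(policies: list[Policy], src: str, dst: str, direction: str) -> str:
    """First matching policy wins; with no match the kernel's default policy applies."""
    for p in policies:
        if p.matches(src, dst, direction):
            return f"ipsec {p.spec}" if p.action == "ipsec" else p.action
    return "default"


_TUNNEL = re.compile(r"esp/tunnel/([\d.]+)-([\d.]+)/")


def outer_header_matches_selector(p: Policy) -> bool:
    """Jochen's warning: do the tunnel endpoints themselves fall inside the selector?

    If they do, the encapsulated packet (outer src -> outer dst) matches the very
    policy that produced it, which is the confusing case he describes.
    """
    m = _TUNNEL.match(p.spec)
    return bool(m) and p.matches(m.group(1), m.group(2), p.direction)


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    lan_to_lan = ("192.168.1.10", "192.168.1.20", "out")
    print("LAN->LAN, full SPD:          ", treatment(spd, *lan_to_lan))
    print("LAN->LAN, without none rules:", treatment(spd[2:], *lan_to_lan))
    print("LAN->Internet:               ", treatment(spd, "192.168.1.10", "203.0.113.5", "out"))
    print("Martti's endpoints inside selector:",
          outer_header_matches_selector(parse_spd(MARTTI_RULE)[0]))
```

Running it shows the pitfall from the post directly: with the two `none` rules in place, LAN-to-LAN traffic is left alone, and dropping them (`spd[2:]`) makes the same packet hit the `192.168.1.0/24 -> 0.0.0.0/0` tunnel rule with `require`, so it is either tunneled or, with no SA, not sent at all. The last check flags Martti's rule because its outer header (10.0.0.10 -> 10.0.0.1) itself falls inside the selector, while none of Jochen's rules have that property.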