tech-net: Re: IPSec question - regarding esp/tunnel mode.

Subject: Re: IPSec question - regarding esp/tunnel mode.
To: J. Buck Caldwell <buckaroo@liveround.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 07/13/2003 12:14:01
On Sun, 13 Jul 2003, J. Buck Caldwell wrote:

> That is EXACTLY what I was looking for. Thanks so much! See notes below...

Cool!

> Bill Studenmund wrote:
>
> >On Fri, 11 Jul 2003, J. Buck Caldwell wrote:
> >
> >
> >>Can I have a rule on the Corporate side that says:
> >>spdadd 192.168.0.0/16 192.168.1.0/24 any -P out ipsec
> >>esp/tunnel/20.20.20.1-30.30.30.1/require;
> >>spdadd 192.168.1.0/24 192.168.0.0/16 any -P in ipsec
> >>esp/tunnel/30.30.30.1-20.20.20.1/require;
> >>spdadd 192.168.0.0/16 192.168.2.0/24 any -P out ipsec
> >>esp/tunnel/20.20.20.1-40.40.40.1/require;
> >>spdadd 192.168.2.0/24 192.168.0.0/16 any -P in ipsec
> >>esp/tunnel/40.40.40.1-20.20.20.1/require;
> >>
> >>
> >
> >I think you'll have a saner and happier time if you don't use tunnel mode.
> >
> I'm beginning to understand that.
>
> >>Note the different netmasks - I want to be able to send traffic
> >>encrypted from 192.168.1.1 (router) to 192.168.0.1, who decrypts it,
> >>then forwards it on to 192.168.0.250 to be routed to, say, 192.168.3.1,
> >>still on the Frame Relay.
> >>Continuing:
> >>
> >>On the Branch #1:
> >>spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec
> >>esp/tunnel/30.30.30.1-20.20.20.1/require;
> >>spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec
> >>esp/tunnel/20.20.20.1-30.30.30.1/require;
> >>spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
> >>esp/tunnel/30.30.30.1-40.40.40.1/require;
> >>spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
> >>esp/tunnel/40.40.40.1-30.30.30.1/require;
> >>

[snip]

> >Since a VPN is a private internet, what I'll describe is a way to let you
> >have all of the features of internet failover within this small internet.
> >
> >
> >
> >Set up transport mode connections amongst all the branches, where you have
> >tunnel mode connections now. This way _any_ traffic between them is
> >private.
> >
> >As a concrete example (for the branch 1, I added branch #3 at 50.50.50.1):
> >
> >spdadd 30.30.30.1-20.20.20.1 any -P out ipsec esp/transport//require
> >spdadd 20.20.20.1-30.30.30.1 any -P in  ipsec esp/transport//require
> >spdadd 30.30.30.1-40.40.40.1 any -P out ipsec esp/transport//require
> >spdadd 40.40.40.1-30.30.30.1 any -P in  ipsec esp/transport//require
> >spdadd 30.30.30.1-50.50.50.1 any -P out ipsec esp/transport//require
> >spdadd 50.50.50.1-30.30.30.1 any -P in  ipsec eps/transport//require
> >
> >
> So this means that any traffic coming from 30.30.30.1 to 20.20.20.1
> (etc) will be encrypted, and it doesn't pay attention to the
> already-translated address, right?

Exactly!

So _any_ branch's traffic can come over that pipe. From what I gather,
that matches your trust model.

One interesting thing about the technique I'm suggesting is that you'll
get packets that look the same as ESP/tunnel packets. The big difference
is the policy difference above.

> >Now, to do the VN part, use the gif interface. I'm assuming the routers
> >are at .1 on the local nets. Here's what'd be in the ifconfig files:
> >
> >ifconfig.gif0
> >create				#automatically create the interface
> >inet tunnel 30.30.30.1 20.20.20.1
> >inet 192.168.1.1 192.168.0.1
> >
> >ifconfig.gif1
> >create
> >inet tunnel 30.30.30.1 40.40.40.1
> >inet 192.168.1.1 192.168.2.1
> >
> >ifconfig.gif2
> >create
> >inet tunnel 30.30.30.1 50.50.50.1
> >inet 192.168.1.1 192.168.3.1
> >
> >Your network, of course, would have more entries than that.
> >
> >
> >You now have interfaces: ex0 (local routed IP, 30.30.30.1), ex1 (local
> >192.168.1.0/24), gif0, gif1, and gif2. You want to run a routing daemon on
> >interfaces ex1, gif0, gif1, and gif2. I think we used routed, but I'm not
> >100% sure. You do NOT want the routing daemon to talk on interface ex0, as
> >that will either confuse it, and/or confuse your ISP.
> >
> >If you don't want to run a routing daemon, you can just set up routes
> >manually for now. "route add -net 192.168.0.0 192.168.0.1 -netmask
> >255.255.0.0" "route add -net 192.168.2.0 192.168.2.1 -netmask 255.255.255.0"
> >and so on.
> >
> >
> Yea, I'm already using GIF tunnels for the routing - IPSec tunnels don't
> seem very routeable.

Yes. But that's a property of what they are; all traffic from net X is
exchanged with a certain other router (other end of tunnel), so your
routing is fixed. :-)

> Last question - by default, does this include pre-compression on the
> IPSec packets, or do I need additional lines in the ipsec.conf to turn
> that on?

No, that'd be a separate step. I've never actually enabled compression..

> Thanks again so much!

No problem.

Take care,

Bill