Subject: Re: Questions about VPN with IPsec
To: Allen D. Ball <ball@iprotium.com>
From: Bill Studenmund <wrstuden@zembu.com>
List: current-users
Date: 07/31/2001 10:47:20
On Fri, 27 Jul 2001, Allen D. Ball wrote:

> Hello,
>
> I have previously posted these questions to netbsd-users but got no
> response. Even though I am running 1.5.1, I hope I might get some help here.
>
> I have set up a configuration similar to the one described at
> http://www.netbsd.org/Documentation/network/ipsec/#sample_vpn.  The link
> comes up and I can run TCP between the two machines.  However, I am still
> having trouble seeing the remote machines on the local network and vice
> versa.  I am running 1.5.1 and I am using gif(4) as the endpoints of my
> tunnel.  I am also running routed(8) on each of the machines.  I did not
> assign IPv6 addresses to the gif(4) interfaces nor the physical NICs.  The
> two address clouds are -net 10.1.0.0/16 and -net 10.254.0.0/16 and the
> endpoints of the tunnel are 10.0.0.1 and 10.0.0.254, respectively.

Why are the endpoints not public internet addresses?

> My questions are:
>
> Do I need to do any IPv6 configuration to make this work?

No.

> Is gif(4) the right hammer for this nail?
>
> The sited web page says to set up the routes in advance.  Does this mean in
> advance of setkey being executed in the /etc/rc.d/ipsec script?  Or in
> advance of ifconfig gif0?  Or in advance of using the link?  I have
> attempted to set up the routes in the /etc/ifconfig.gif0 script before and
> after running ifconfig, but the route command to provide the route from the
> remote NIC to the remote cloud fails.  (However, I can run it manually
> *after* booting and *after* the link has come up, and the route is
> installed, but I still can't get to the remote machines.)  Is there a proper
> incantation of the route command that will let me set it up in
> /etc/ifconfig.gif0?
>
> There is a third box doing NAT in front of one of the machines, but it is a
> straight redirect of one of our internet CIDR block address to its
> corresponding internal address (and I addressed this in setting up the
> SPDs).  Because I can bring the link up, I don't think this is coming into
> play but I mention it in the interest of full disclosure.

Ahhh, that's why you are using internal addresses.

Here's the setup I'm using (the numbers have been tweaked a little):

I have one firewall box running both IPSec and NAT. I have an internal
address space on the local wire, 172.18.0.16/28. The border box is
172.18.0.17. I also have a gif interface set up tunneling the external IP
to the external IP of the gateway at work. Its config is:
	tunnel inet <my external> --> <work's external>
	inet  172.18.0.17 --> 172.17.255.1 netmask 0xfffffff0

I have IPSec configured between my external IP and work's external IP, and
it's set for require ESP.

I'm using manual routes. There's a route for 172.18.0.16/28 to the
internal ethernet, and a route for 172.17.255.1 pointing to the gif, and a
route for 172.16/12 pointing at 172.17.255.1.

The machines inside have routes for 172.18.0.16/28 for the ethernet, and
routes for 172.16/12 pointing to 172.18.0.17.

Works fine.

Take care,

Bill
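As an added example (not from either poster), here is the command sequence behind the setup Bill describes, in NetBSD ifconfig/route/setkey syntax, with the ordering that makes the net route succeed. The public endpoint addresses are placeholders, and the setkey policy is my assumption of how "require ESP" between the two externals is expressed when gif carries ipencap (IP protocol 4).

```sh
#!/bin/sh
# Added example: Bill's gif + manual routes + ESP policy as commands.
# DRY_RUN=1 (default) only prints the commands; unset it to run them
# as root on the firewall box.
MY_EXT="${MY_EXT:-192.0.2.1}"        # placeholder: our public IP
WORK_EXT="${WORK_EXT:-198.51.100.1}" # placeholder: work gateway's public IP
LOCAL_GIF=172.18.0.17                # our end of the point-to-point gif
PEER_GIF=172.17.255.1                # work's end of the gif
FAR_NET=172.16.0.0/12                # everything reachable through work
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

bring_up_tunnel() {
    # 1. Bind the outer (public) endpoints. On 1.5.1 gif0 comes from the
    #    kernel's pseudo-device; later releases need "ifconfig gif0 create".
    run ifconfig gif0 tunnel "$MY_EXT" "$WORK_EXT"
    # 2. Inner addresses. Assigning the point-to-point pair installs the
    #    host route to $PEER_GIF over gif0 as a side effect (assumption
    #    about NetBSD behaviour), which is Bill's "route for 172.17.255.1".
    run ifconfig gif0 inet "$LOCAL_GIF" "$PEER_GIF" netmask 0xfffffff0
    # 3. Only after step 2 is the gateway reachable, so the net route
    #    via the peer must come last; issued earlier it fails.
    run route add -net "$FAR_NET" "$PEER_GIF"
}

esp_policy() {
    # "require ESP" between the externals for the encapsulated traffic
    # only (assumed policy; adjust upperspec if the tunnel carries more).
    run setkey -c <<EOF
spdadd $MY_EXT $WORK_EXT ipencap -P out ipsec esp/transport//require;
spdadd $WORK_EXT $MY_EXT ipencap -P in  ipsec esp/transport//require;
EOF
}
```

Inside machines need only the two routes Bill lists: the local /28 on the ethernet and 172.16/12 via 172.18.0.17.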