Subject: IPSec question - regarding esp/tunnel mode.
To: None <tech-net@netbsd.org>
From: J. Buck Caldwell <buckaroo@liveround.com>
List: tech-net
Date: 07/11/2003 11:46:58
I'm setting up a large IPSec VPN WAN using NetBSD-1.6.1. After playing 
around quite a bit, I think I've got it working well, but I'm wondering 
about a few things.

Consider this network: Corporate, with SDSL Internet providing a real 
IP4 address to interface ex0, NAT 192.168/16 behind ex1. Cisco router at 
192.168.0.250 routing Frame Relay out to 20 different branches, each 
with their own 192.168.x/24.

To replace this, we are giving several of the branches (but not all) a 
broadband (mostly Cable) connection, and a NetBSD box to do NAT, DHCP, 
DNS, and VPN. Each branch will retain their existing 192.168.x/24 
private network. Each branch will have an IPSec tunnel to each other 
branch that has a broadband connection; all traffic for those left on 
frame will go to 192.168.0.1 (Corporate's gateway).

First of all, I did a bad thing - I assumed that traffic would only be 
encrypted over the tunnel - and I ended up with encrypted traffic not 
being decrypted because its destination address was outside of the 
192.168.0/24. So, lots of additional spdadd's later, I've got it all 
working. Now I'm looking to make it efficient.

Given Branch #1 (192.168.1/24) having a public IP of 30.30.30.1, 
Corporate (192.168.0/24) having a public IP of 20.20.20.1, and Branch 
#2 (192.168.3/24) having public 40.40.40.1:

Can I have a rule on the Corporate side that says:
spdadd 192.168.0.0/16 192.168.1.0/24 any -P out ipsec esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.2.0/24 any -P out ipsec esp/tunnel/20.20.20.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/40.40.40.1-20.20.20.1/require;

Note the different netmasks - I want to be able to send traffic 
encrypted from 192.168.1.1 (router) to 192.168.0.1, who decrypts it, 
then forwards it on to 192.168.0.250 to be routed to, say, 192.168.3.1, 
still on the Frame Relay.
Continuing:

On the Branch #1:
spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/30.30.30.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/40.40.40.1-30.30.30.1/require;

Note the first pair of rules have a /16 - In other words, I want any 
traffic that doesn't have a direct tunnel built to go to 20.20.20.1 for 
processing, but still have those that have better-fitting netmasks to go 
direct.

So, how far off am I? Please CC: replies, as I am off-list.
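An added example (not part of the original post or of NetBSD): it parses the Branch #1 spdadd rules quoted above and shows that the answer to the "overlapping /16 vs. /24" question depends on whether the SPD picks the first matching entry in listed order or the most specific one. The post does not say which NetBSD 1.6.1 does, so the two semantics are modelled side by side and the real kernel's order should be confirmed with `setkey -DP` on the box.

```python
import ipaddress

# Constructed copy of the Branch #1 policies from the post above.
BRANCH1_SPD = """\
spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/30.30.30.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/40.40.40.1-30.30.30.1/require;
"""


def parse_spd(text):
    """Parse setkey 'spdadd src dst upper -P dir ipsec proto/mode/src-dst/level;' lines.

    Returns a list of (src_net, dst_net, direction, tunnel_endpoints) tuples in
    the order the lines appear, which is the order setkey loads them.
    """
    policies = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if not parts or parts[0] != "spdadd":
            continue
        src, dst, direction = parts[1], parts[2], parts[5]
        _proto, _mode, endpoints, _level = parts[7].split("/")
        policies.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                         direction, endpoints))
    return policies


def lookup(policies, src_ip, dst_ip, direction, longest_prefix):
    """Return the tunnel endpoints ('local-remote') a packet would be sent through.

    longest_prefix=False models first-match in listed order; True models
    most-specific-match (sum of src/dst prefix lengths). Both are assumptions
    about lookup semantics, not a statement of what the NetBSD kernel does.
    Returns None when no policy matches, i.e. the packet would bypass IPsec.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p[2] == direction and src in p[0] and dst in p[1]]
    if not matches:
        return None
    if longest_prefix:
        matches.sort(key=lambda p: p[0].prefixlen + p[1].prefixlen, reverse=True)
    return matches[0][3]


if __name__ == "__main__":
    spd = parse_spd(BRANCH1_SPD)
    for mode in (False, True):
        print("longest-prefix" if mode else "first-match",
              lookup(spd, "192.168.1.1", "192.168.2.1", "out", mode))
```

Under first-match the /16 rule to Corporate swallows Branch #1 to Branch #2 traffic and the direct 30.30.30.1-40.40.40.1 tunnel is never used; the fix in that case is simply to list the /24 rules before the /16 ones. Note also that a destination outside 192.168/16 matches nothing and leaves in the clear, so a trailing discard policy is worth considering.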