Subject: IPSec question - regarding esp/tunnel mode.
To: None <tech-net@netbsd.org>
From: J. Buck Caldwell <buckaroo@liveround.com>
List: tech-net
Date: 07/11/2003 11:46:58
I'm setting up a large IPSec VPN WAN using NetBSD-1.6.1. After playing
around quite a bit, I think I've got it working well, but I'm wondering
about a few things.
Consider this network: Corporate, with SDSL Internet providing a real
IP4 address to interface ex0, NAT 192.168/16 behind ex1. Cisco router at
192.168.0.250 routing Frame Relay out to 20 different branches, each
with their own 192.168.x/24.
To replace this, we are giving several of the branches (but not all) a
broadband (mostly Cable) connection, and a NetBSD box to do NAT, DHCP,
DNS, and VPN. Each branch will retain their existing 192.168.x/24
private network. Each branch will have an IPSec tunnel to each other
branch that has a broadband connection; all traffic for those left on
frame will go to 192.168.0.1 (Corporate's gateway).
First of all, I did a bad thing - I assumed that traffic would only be
encrypted over the tunnel - and I ended up with encrypted traffic not
being decrypted because its destination address was outside of the
192.168.0/24. So, lots of additional spdadd's later, I've got it all
working. Now I'm looking to make it efficient.
Given Branch #1 (192.168.1/24) having a public IP of 30.30.30.1, and
Corporate (192.168.0/24) having a public IP of 20.20.20.1, and Branch
#2 (192.168.3/24) having public 40.40.40.1:
Can I have a rule on the Corporate side that says:
spdadd 192.168.0.0/16 192.168.1.0/24 any -P out ipsec
esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.0.0/16 any -P in ipsec
esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.2.0/24 any -P out ipsec
esp/tunnel/20.20.20.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.0.0/16 any -P in ipsec
esp/tunnel/40.40.40.1-20.20.20.1/require;
Note the different netmasks - I want to be able to send traffic
encrypted from 192.168.1.1 (router) to 192.168.0.1, who decrypts it,
then forwards it on to 192.168.0.250 to be routed to, say, 192.168.3.1,
still on the Frame Relay.
Continuing:
On the Branch #1:
spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec
esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec
esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/30.30.30.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/40.40.40.1-30.30.30.1/require;
Note the first pair of rules have a /16 - In other words, I want any
traffic that doesn't have a direct tunnel built to go to 20.20.20.1 for
processing, but still have those that have better-fitting netmasks to go
direct.
So, how far off am I? Please CC: replies, as I am off-list.
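The question the post raises is what happens when the /16 "send everything else to Corporate" selector overlaps the more specific /24 "direct tunnel" selector in the same direction. The script below is an added example, not code from the post or from NetBSD: it parses the Branch #1 spdadd rules exactly as written above into a small in-memory SPD and evaluates them under two different lookup models, first-match in list order and most-specific-selector-wins. Which model a given kernel actually uses is not settled by the post (that is an assumption to verify against key_allocsp() in sys/netkey/key.c for the release in use, and against `setkey -DP` output), so the script also reports which entries would be shadowed if order matters, and which policies lack a mirrored entry in the other direction, which is the failure mode the post describes (ESP arriving that nothing decrypts).

```python
"""Model SPD selector matching for the setkey(8) spdadd rules in the post.

Added example, not from the original mail or the NetBSD source. The rule
text is copied from Branch #1's configuration; both lookup functions are
simplified models, not the kernel's own algorithm (assumption: verify the
real behaviour against key_allocsp() and `setkey -DP` on the running box).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the post: Branch #1's SPD, in the order it was written.
BRANCH1_SPD = """
spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec esp/tunnel/30.30.30.1-20.20.20.1/require;
spdadd 192.168.0.0/16 192.168.1.0/24 any -P in  ipsec esp/tunnel/20.20.20.1-30.30.30.1/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/30.30.30.1-40.40.40.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/40.40.40.1-30.30.30.1/require;
"""


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str        # "in" or "out"
    tunnel_src: str       # outer (public) ESP source address
    tunnel_dst: str       # outer (public) ESP destination address

    def matches(self, src_ip, dst_ip, direction):
        return direction == self.direction and src_ip in self.src and dst_ip in self.dst

    @property
    def specificity(self):
        # longer combined prefix length = more specific selector pair
        return self.src.prefixlen + self.dst.prefixlen


def parse_spdadd(text: str) -> list:
    """Parse 'spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/require;' statements."""
    entries = []
    for stmt in text.split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        # tok: spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/A-B/LEVEL
        _proto, mode, endpoints, _level = tok[7].split("/")
        if mode != "tunnel":
            raise ValueError("only tunnel-mode rules are modelled: " + stmt.strip())
        outer_src, outer_dst = endpoints.split("-")
        entries.append(SpdEntry(ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[2]),
                                tok[5], outer_src, outer_dst))
    return entries


def lookup_first_match(entries, src, dst, direction) -> Optional[SpdEntry]:
    """Model A: the first entry in list order whose selectors match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.matches(s, d, direction):
            return e
    return None


def lookup_longest_prefix(entries, src, dst, direction) -> Optional[SpdEntry]:
    """Model B: the most specific matching selector pair wins (ties: list order)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for e in entries:
        if e.matches(s, d, direction) and (best is None or e.specificity > best.specificity):
            best = e
    return best


def shadowed_entries(entries):
    """(broad, narrow) pairs where a broader same-direction rule precedes a
    narrower one: under first-match semantics the narrow rule never fires."""
    found = []
    for i, broad in enumerate(entries):
        for narrow in entries[i + 1:]:
            if (narrow.direction == broad.direction
                    and narrow.src.subnet_of(broad.src) and narrow.dst.subnet_of(broad.dst)
                    and narrow.specificity > broad.specificity):
                found.append((broad, narrow))
    return found


def missing_reverse_entries(entries):
    """Entries with no mirrored policy (src/dst swapped, direction flipped).
    A missing 'in' mirror means inbound ESP for that pair is not matched."""
    have = {(e.src, e.dst, e.direction) for e in entries}
    flip = {"in": "out", "out": "in"}
    return [e for e in entries if (e.dst, e.src, flip[e.direction]) not in have]


def most_specific_first(entries):
    """Reorder so narrower selectors precede broader ones; safe under both models."""
    return sorted(entries, key=lambda e: -e.specificity)


if __name__ == "__main__":
    spd = parse_spdadd(BRANCH1_SPD)
    for dst in ("192.168.2.5", "192.168.3.1"):
        a = lookup_first_match(spd, "192.168.1.1", dst, "out")
        b = lookup_longest_prefix(spd, "192.168.1.1", dst, "out")
        print(f"to {dst}: first-match -> {a.tunnel_dst}, longest-prefix -> {b.tunnel_dst}")
    for broad, narrow in shadowed_entries(spd):
        print(f"shadowed: {narrow.src}->{narrow.dst} {narrow.direction} hidden by {broad.src}->{broad.dst}")
    print("unmirrored:", missing_reverse_entries(spd))
```

Run as written it shows that traffic from 192.168.1.1 to 192.168.2.5 goes to Corporate (20.20.20.1) under first-match order but direct to 40.40.40.1 under most-specific matching, while traffic to 192.168.3.1 goes to Corporate either way. Listing the /24 rules before the /16 catch-all (or applying `most_specific_first` before writing the file) gives the intended result whichever model the kernel uses; the mirror check should come back empty for a complete configuration.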