The BSDs each have gif(4), a driver that provides a general purpose tunnel interface. You can add them whenever you want to encapsulate IP packets, and tunnel packets inside an outer IP packet. The man pages don't tell you what these are for, or why you would want to use them.
I find gif(4) tunnels helpful whenever I have a complex protocol that is difficult to define in firewall rules or in IPSec flow descriptions. It adds an extra IP header to my data packet, but that tradeoff is usually worth it to provide simple management solutions for what might otherwise be complex or unsolvable problems. One example is NFS Version 3. It uses Remote Procedure Call programs and dynamic UDP or TCP port numbers, and the port numbers can be unpredictable. What if I wished to encrypt the NFS traffic between client and server, and only the NFS traffic? Or set up a firewall so that only NFS traffic was passed, but not other traffic? Without knowing the dynamic port numbers that will be used, that can be difficult. Using gif(4), I don't need to know the port numbers. I don't even need to know if the traffic will use TCP or UDP. Instead, I just need to define tunneled, virtual IP addresses and direct all the NFS traffic to them. Then, I write my rules by gif(4) interface or virtual IP address.

For example, I have this gif(4) interface defined on this workstation I'm typing on:

/etc/hostname.gif0
Code:
    tunnel 10.0.1.130 10.0.1.253
    !ifconfig gif0 10.0.3.2 10.0.3.1 netmask 255.255.255.0

Code:
    gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
            priority: 0
            groups: gif
            tunnel: inet 10.0.1.130 -> 10.0.1.253
            inet 10.0.3.2 --> 10.0.3.1 netmask 0xffffff00

The server I am using has a gif(4) configured the same way, but with reversed addresses:

Code:
    gif0: flags=28051<UP,POINTOPOINT,RUNNING,MULTICAST,NOINET6> mtu 1280
            priority: 0
            groups: gif
            tunnel: inet 10.0.1.253 -> 10.0.1.130
            inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffff00

Code:
    /var /var/mail 10.0.3.2

Code:
    ikev2 esp \
    from 10.0.3.1 to 10.0.3.2 srcid fw2.jggimi.homeip.net dstid netbook.jggimi.homeip.net

Code:
    #
    # allow IPSec under a gif0 tunnel (used for NFS with netbook)
    #
    # 1. permit the gif0 traffic to be embedded on $internal_nic:
    pass log on $internal_nic proto ipencap
    # 2. permit IKE traffic on UDP port 500 (NAT-Traversal is not used):
    pass log on gif0 proto udp from any port 500 to any port 500
    # 3. permit IPSec on gif0:
    pass log on gif0 proto esp

Code:
    $ sudo mount fw2-gif:/var/mail /fw2
    $ xbiff -file /fw2/jggimi -geometry -4-4 &

Last edited by jggimi; 3rd November 2014 at 08:50 PM. Reason: clarity, typos, and a thinko
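The setup above depends on two things being exactly right: the two hostname.gif0 files must mirror each other (outer tunnel endpoints and inner virtual addresses swapped), and pf.conf must carry all three pass rules (ipencap on the physical NIC, IKE on gif0, ESP on gif0), or the tunnel silently fails. The following POSIX sh script is an added example, not part of the original post, that checks both conditions against constructed sample files. It assumes the file layouts shown in the post, and replaces the post's `$internal_nic` macro with a literal interface name (`em0`, chosen for the sample) so the rules can be matched with a plain regular expression.

```shell
#!/bin/sh
# Added example: consistency checks for a gif(4)+IPsec pair like the one
# described in the post. Sample files are constructed, not from any real host.

TMP=$(mktemp -d)

# Workstation side, as in the post.
cat > "$TMP/netbook.gif0" <<'EOF'
tunnel 10.0.1.130 10.0.1.253
!ifconfig gif0 10.0.3.2 10.0.3.1 netmask 255.255.255.0
EOF

# Server side: both address pairs reversed.
cat > "$TMP/fw2.gif0" <<'EOF'
tunnel 10.0.1.253 10.0.1.130
!ifconfig gif0 10.0.3.1 10.0.3.2 netmask 255.255.255.0
EOF

# A broken copy of the server file: outer endpoints reversed, inner ones not.
cat > "$TMP/bad.gif0" <<'EOF'
tunnel 10.0.1.253 10.0.1.130
!ifconfig gif0 10.0.3.2 10.0.3.1 netmask 255.255.255.0
EOF

# pf rules from the post, with $internal_nic written out as em0 (assumed name).
cat > "$TMP/pf.conf" <<'EOF'
pass log on em0 proto ipencap
pass log on gif0 proto udp from any port 500 to any port 500
pass log on gif0 proto esp
EOF

# Same, minus the ESP rule: IKE completes but no data ever flows.
cat > "$TMP/pf-missing-esp.conf" <<'EOF'
pass log on em0 proto ipencap
pass log on gif0 proto udp from any port 500 to any port 500
EOF

# gif_endpoints FILE -> prints "outer_src outer_dst inner_src inner_dst"
gif_endpoints() {
    awk '
        $1 == "tunnel"                     { osrc = $2; odst = $3 }
        $1 == "!ifconfig" && $2 == "gif0"  { isrc = $3; idst = $4 }
        END { print osrc, odst, isrc, idst }
    ' "$1"
}

# check_gif_pair FILE_A FILE_B -> exit 0 when B is the mirror image of A
check_gif_pair() {
    # Expand both files before "set --" replaces the positional parameters.
    set -- $(gif_endpoints "$1") $(gif_endpoints "$2")
    [ $# -eq 8 ] || return 1            # a line was missing in one file
    # $1..$4 belong to A, $5..$8 to B; every address must be swapped.
    [ "$1" = "$6" ] && [ "$2" = "$5" ] && [ "$3" = "$8" ] && [ "$4" = "$7" ]
}

# check_pf_rules PF_FILE NIC -> exit 0 when the three required pass rules exist
check_pf_rules() {
    grep -Eq "^pass .*on $2 .*proto ipencap" "$1" &&
    grep -Eq "^pass .*on gif0 .*proto udp .*port 500" "$1" &&
    grep -Eq "^pass .*on gif0 .*proto esp" "$1"
}

# Stand-alone run: report on the sample files.
if check_gif_pair "$TMP/netbook.gif0" "$TMP/fw2.gif0"; then
    echo "netbook/fw2 gif0: mirrored correctly"
fi
if ! check_gif_pair "$TMP/netbook.gif0" "$TMP/bad.gif0"; then
    echo "netbook/bad gif0: MISMATCH (inner addresses not swapped)"
fi
if ! check_pf_rules "$TMP/pf-missing-esp.conf" em0; then
    echo "pf-missing-esp.conf: a required pass rule is absent"
fi
```

On a real pair of hosts you would copy the peer's hostname.gif0 over with scp(1) and run `check_gif_pair` against both files; the pf check is deliberately loose about the `log` keyword and rule ordering, so it catches an omitted rule rather than cosmetic differences.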
Not really a question, but for completeness, perhaps someone uses the equivalent IPFW rules?
__________________
FreeBSD 13-STABLE
I have never used IPFW, and do not operate FreeBSD, so this example ruleset may not be correct. To craft these three lines, I spent two minutes with the ipfw(8) man page and one additional minute with Chapter 30.4 of the FreeBSD Handbook.
As with any help you get from random people on the Internet, please use with caution.

Code:
    ipfw add allow ipencap from any to any via <your internal NIC>
    ipfw add allow udp from any 500 to any 500 via gif0
    ipfw add allow esp from any to any via gif0

Last edited by jggimi; 10th December 2014 at 04:34 PM. Reason: clarity
jggimi, would it be possible to see what entries you've put in your resolver? I'm quite new with this so sorry if this question seems stupid, but is it normal, once everything is set up (except for the resolver) that you can't ping the virtual IP of the other machine? So basically, if you're on the 10.0.3.2 machine, is it normal that you can't ping 10.0.3.2 (100% packet loss)?
Name resolution has nothing to do with 100% packet loss. More likely, there's a block rule in PF preventing ICMP packets from passing. But even if it's something else, the tcpdump(8) program can help you determine a root cause.
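Since every rule in the post carries `log`, the quickest way to find the block rule the reply suspects is to read the pflog interface rather than guess. The POSIX sh script below is an added example, not from the thread: it summarises block entries whose destination falls inside the tunnel prefix, so a ping to 10.0.3.x that never gets an answer shows up with the rule number and interface that dropped it. The log lines are constructed and only approximate the layout of OpenBSD's `tcpdump -n -e -ttt -r /var/log/pflog` output; rule numbers and timestamps are invented.

```shell
#!/bin/sh
# Added example: find which pf rule is dropping traffic to the gif(4) virtual
# network. Input is text produced by tcpdump(8) reading pflog; the sample
# below is constructed and not captured from a real system.

TMP=$(mktemp -d)
PFLOG="$TMP/pflog.txt"

cat > "$PFLOG" <<'EOF'
000000 rule 2/(match) pass in on em0: 10.0.1.253 > 10.0.1.130: esp 10.0.1.253 > 10.0.1.130 spi 0x0a1b2c3d seq 1 len 116
000015 rule 7/(match) block in on gif0: 10.0.3.1 > 10.0.3.2: icmp: echo request
001002 rule 7/(match) block in on gif0: 10.0.3.1 > 10.0.3.2: icmp: echo request
000231 rule 9/(match) pass out on gif0: 10.0.3.2.2049 > 10.0.3.1.893: udp 128
000040 rule 7/(match) block in on em0: 192.168.1.9 > 10.0.1.130: icmp: echo request
EOF

# summarize_blocks LOG PREFIX
#   Prints one line per blocked packet whose destination starts with PREFIX:
#   "<rule> <dir> <iface> <src> <dst> <protocol text>"
#   Pass entries and blocks for other destinations are ignored.
summarize_blocks() {
    sed -n 's/^.*rule \([0-9]*\)\/([a-z]*) block \([a-z]*\) on \([a-z0-9]*\): \([0-9.]*\) > \([0-9.]*\): \(.*\)$/\1 \2 \3 \4 \5 \6/p' "$1" |
    awk -v p="$2" 'index($5, p) == 1'
}

# Stand-alone run: group the blocks to the 10.0.3.0/24 tunnel by rule.
echo "blocked packets into the tunnel network, by rule/direction/interface:"
summarize_blocks "$PFLOG" 10.0.3. | sort | uniq -c
```

The count column from `uniq -c` tells you whether the drops are steady (a rule ordering problem, typically a `block` that precedes the `pass ... on gif0` rules) or a one-off; the rule number maps back to `pfctl -vvsr`, which prints rules with their numbers.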