From: Ken Bantoft (ken_at_freeswan.ca)
Date: Sun Oct 06 2002 - 06:30:07 CEST
On Sat, 5 Oct 2002, Igmar Palsenberg wrote:
>
> Hi,
>
> Anyone any experience with Novell 5.x NDS over a IPSEC connection ??
>
> I see :
>
> 14:55:29.475235 10.0.10.97.svrloc > 224.0.1.22.svrloc: udp 44
> 14:55:30.505686 10.0.10.97.svrloc > 224.0.1.22.svrloc: udp 44
> 14:55:31.598444 10.0.10.97.svrloc > 224.0.1.22.svrloc: udp 44
> 14:55:33.801288 10.0.10.97.svrloc > 224.0.1.22.svrloc: udp 44
> 14:55:38.195652 10.0.10.97.svrloc > 224.0.1.22.svrloc: udp 44
>
> flying over the ipsec0 interface, but it doesn't show up on the local
> network. I do see TCP, UDP and ICMP going over both the ipsec and eth
> interface.
>
> So it looks like the kernel sends those multicast stuff to /dev/null :(
>
> Clues are welcome, I'm clueless :)
>
> Regards,
>
> Igmar
You are trying to send multicast packets over an interface that doesn't
support them. Been there, got the t-shirt, and now I run GRE Tunneling
over my ipsec0 interfaces to get around this =)
eth0      Link encap:Ethernet  HWaddr 00:04:AC:56:EF:D4
          inet addr:172.21.101.1  Bcast:172.21.101.255  Mask:255.255.255.0
          inet6 addr: 3ffe:b80:13c2:1::1/64 Scope:Global
          inet6 addr: fe80::204:acff:fe56:efd4/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ipsec0    Link encap:Ethernet  HWaddr 00:04:AC:56:EF:D4
          inet addr:172.21.101.1  Mask:255.255.255.0
          inet6 addr: fe80::204:acff:fe56:efd4/10 Scope:Link
          UP RUNNING NOARP  MTU:16260  Metric:1
Note the MULTICAST flag on eth0 - it's missing on ipsec0, because
multicast isn't supported over IPSec. Search the mailing list - there have
been a few discussions about this issue before, and some workarounds.
Running GRE over IPSec sounds like overkill, but there are some *very*
nice advantages of doing it - primarily, you can treat a Host to Host
tunnel as an open pipe, and just route add x.y.z.0/24 dev gretunname for
all your traffic.
I run zebra + bgpd over it myself - documentation on this config
forthcoming.
--
Ken Bantoft               The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca        http://www.freeswan.ca
PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We
can also factor the number 15 with a dog trained to bark
three times." -- Robert Harley, 5/12/01, Sci.crypt
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Mon Oct 07 2002 - 05:20:19 CEST
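An added shell example, not part of Ken's mail or the FreeS/WAN project: it shows the check behind his point (does the interface advertise MULTICAST in ifconfig output?) and the GRE-over-IPsec workaround he describes, written with iproute2 `ip` commands instead of the older `route add`. The gateway, tunnel and remote-network addresses are constructed placeholders, and routing the whole 224.0.0.0/4 range through the tunnel goes one step beyond the single /24 route in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). Addresses are placeholders.

# Return 0 if the ifconfig-style text on stdin shows MULTICAST for interface $1.
iface_has_multicast() {
    awk -v want="$1" '
        /^[^ ]/ { cur = $1 }                  # a non-indented line starts a new interface block
        cur == want && /MULTICAST/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Return 0 if a dotted-quad IPv4 address lies in the multicast range 224.0.0.0/4.
is_multicast_addr() {
    first=${1%%.*}
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# Echo instead of execute when DRY_RUN=1 (the default), so the plan can be reviewed.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# gre_over_ipsec NAME LOCAL_GW REMOTE_GW TUNNEL_ADDR/PREFIX REMOTE_NET
# LOCAL_GW and REMOTE_GW are the endpoints already covered by the host-to-host
# IPsec SA, so GRE (IP protocol 47) between them rides inside ESP. The GRE
# device carries the MULTICAST flag that ipsec0 lacks, so SLP/NDS multicast
# can be routed through it.
gre_over_ipsec() {
    name=$1; local_gw=$2; remote_gw=$3; addr=$4; remote_net=$5
    run ip tunnel add "$name" mode gre local "$local_gw" remote "$remote_gw" ttl 64
    run ip addr add "$addr" dev "$name"
    run ip link set "$name" up multicast on
    # Far side's LAN (the mail's "route add x.y.z.0/24 dev gretunname") ...
    run ip route add "$remote_net" dev "$name"
    # ... plus the multicast range, so 224.0.1.22 (svrloc) leaves via the tunnel.
    run ip route add 224.0.0.0/4 dev "$name"
}

# Constructed sample modelled on the ifconfig output quoted in the mail.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:04:AC:56:EF:D4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ipsec0    Link encap:Ethernet  HWaddr 00:04:AC:56:EF:D4
          UP RUNNING NOARP  MTU:16260  Metric:1'
```

Run with `DRY_RUN=0` as root on the IPsec gateway to apply the tunnel; the default only prints the commands.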