From: Paul Krumviede (pwk_at_acm.org)
Date: Tue Oct 08 2002 - 20:36:43 CEST
--On Tuesday, 08 October, 2002 11:22 -0400 Joe Patterson
<jpatterson_at_asgardgroup.com> wrote:
> Yes and no. Running a routing protocol over an ipsec connection is
> problematic in several ways.
>
> First, with the notable exception of bgp, most routing protocols use
> broadcast or multicast to communicate with their neighbors. Ipsec
> interfaces are unicast only.
>
> Second, ipsec configurations specify a security policy, which can
> translate to a routing policy. Unless your routing protocol is capable of
> transmitting policy information (and none of them are), then you will end
> up with a route going through an interface that will reject the packets
> because of their source, even though their destination is theoretically
> reachable.
there is one exception to this: using something like IPsec to secure
BGP itself. using the MD5 TCP option has the flaw of not authenticating
things like TCP resets (or anything else with no payload), so something
like IPsec can be useful, and one can avoid the use of pre-shared keys.
but this is not a case where one is using the routing protocol to announce
the IPsec tunnels. and the fact that FreeS/WAN doesn't currently support
traffic selection at the port level might make use of it undesirable, as all
traffic between the endpoints would be run over the IPsec tunnel.
> The solution to this is to run ipsec in transport mode (although this is
> not necessary, tunnel mode will also work) and run some other
> encapsulation protocol (my favorite is GRE) over top of it. Then run
> your routing protocol over the encapsulated protocol. The virtual
> interface created by the encapsulation protocol will be point-to-point,
> but multicast-capable. It will also have no implicit routing policy.
agreed. one thing to be careful of here is which interfaces the
routing protocol should ignore...
depending on the routing protocol(s) in question, one might want
to try running zebra rather than gated, as the freely available versions
of gated are sort of old.
-paul
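The two points argued in this thread (an IPsec security policy silently acting as a routing policy, and GRE-over-transport-mode avoiding that; plus what a selector without port granularity covers) are easy to see in a small simulation. The following is an added example written for this archive page, not code from either poster or from FreeS/WAN. It models a KLIPS-style ipsecN interface that only carries packets matching one of its selectors (eroutes) and a routing table the routing protocol populates; all addresses, interface names and selectors are constructed for the example.

```python
"""
Toy model of the policy-vs-routing mismatch: a KLIPS-style ipsecN interface
only carries packets that match one of its SPD selectors, while a routing
protocol happily installs routes pointing at that interface. With GRE over
IPsec transport mode the SA only has to cover GRE (protocol 47) between the
two endpoints, so every inner packet is covered. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # 6 = TCP, 47 = GRE, 89 = OSPF
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    """One SPD entry. proto/dport of None mean 'any'; a port-less SPD
    (as described for FreeS/WAN in the thread) can only express dport=None."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str


# Hypothetical GRE tunnel: interface name -> (local outer address, remote outer address)
GRE_TUNNELS: Dict[str, Tuple[str, str]] = {"gre0": ("198.51.100.1", "203.0.113.1")}


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a plain list of routes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def forward(routes: List[Route], spd: Dict[str, List[Selector]], pkt: Packet):
    """Route pkt; return (verdict, path) where path lists the interfaces used."""
    route = lookup(routes, pkt.dst)
    if route is None:
        return "no-route", []
    if route.iface in GRE_TUNNELS:
        # Encapsulate: the IPsec policy now only ever sees GRE between the endpoints.
        local, remote = GRE_TUNNELS[route.iface]
        verdict, path = forward(routes, spd, Packet(local, remote, 47))
        return verdict, [route.iface] + path
    if route.iface.startswith("ipsec"):
        # KLIPS-style behaviour: no matching eroute on the ipsecN interface -> drop,
        # even though the routing table said the destination was reachable there.
        if not any(sel.matches(pkt) for sel in spd.get(route.iface, [])):
            return "dropped", [route.iface]
    return "delivered", [route.iface]


# Scenario 1: tunnel-mode IPsec with a routing protocol on top (the problematic setup).
SPD_TUNNEL = {"ipsec0": [Selector("10.1.0.0/24", "10.2.0.0/24")]}
ROUTES_TUNNEL = [
    Route("10.1.0.0/24", "eth1"),
    Route("10.2.0.0/24", "ipsec0"),
    Route("10.3.0.0/24", "ipsec0"),      # learned from the peer via the routing protocol
    Route("0.0.0.0/0", "eth0"),
]

# Scenario 2: GRE over IPsec transport mode; the SA covers only GRE between the endpoints.
SPD_GRE = {"ipsec0": [Selector("198.51.100.1/32", "203.0.113.1/32", proto=47)]}
ROUTES_GRE = [
    Route("10.1.0.0/24", "eth1"),
    Route("10.2.0.0/24", "gre0"),
    Route("10.3.0.0/24", "gre0"),
    Route("203.0.113.1/32", "ipsec0"),   # the GRE peer is reached through the transport SA
    Route("0.0.0.0/0", "eth0"),
]

# Scenario 3: protecting a BGP session between the same two hosts. Without port
# selectors the only expressible policy is host-to-host, which sweeps in everything.
BGP_ONLY = Selector("198.51.100.1/32", "203.0.113.1/32", proto=6, dport=179)
HOST_TO_HOST = Selector("198.51.100.1/32", "203.0.113.1/32")


if __name__ == "__main__":
    for pkt in (Packet("10.1.0.5", "10.2.0.9", 6, 80),
                Packet("10.1.0.5", "10.3.0.9", 6, 80),
                Packet("192.168.7.7", "10.2.0.9", 6, 80)):
        print("tunnel:", pkt.src, "->", pkt.dst, forward(ROUTES_TUNNEL, SPD_TUNNEL, pkt))
        print("gre   :", pkt.src, "->", pkt.dst, forward(ROUTES_GRE, SPD_GRE, pkt))
    ssh = Packet("198.51.100.1", "203.0.113.1", 6, 22)
    print("ssh covered by BGP-only selector:", BGP_ONLY.matches(ssh))
    print("ssh covered by host-to-host selector:", HOST_TO_HOST.matches(ssh))
```

In scenario 1 the route to 10.3.0.0/24 that the peer announced is installed, but the packet is dropped on ipsec0 because no selector covers it; a packet from a source outside 10.1.0.0/24 is dropped the same way. In scenario 2 the same inner packets are delivered because the only packet the policy ever evaluates is GRE between the two endpoints. Scenario 3 is the port-selection point: a host-to-host selector also matches unrelated traffic such as SSH between the endpoints.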
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Oct 09 2002 - 05:20:23 CEST