|MiNi0n|
November 5th, 2002, 16:09
Hey...

So... I posted to misc@openbsd then realized... shit... I should post here to my peers :oops:

I'm trying to IPSEC a wireless bridge that connects two buildings, using the IPSEC bridge info detailed in brconfig(8).

I've got the setup close but it's not quite there. Have a look and see if you all can help me out!

Here's the general layout. f1 and f2 represent the OBSD boxes acting as bridges and IPSECing the connection across the wireless equipment (BR500). The PCs on either end of the bridge are on the same subnet; this is key for my setup, else I'd have done this differently!

PC\                                           /PC
PC- hub - f1 - BRE500 ~~~~ BRE500 - f2 - hub -PC
PC/                                           \PC



I'm currently testing this using the IPSEC bridge info found in brconfig(8) and am almost there. I have two OBSD boxes between my wireless now and I arbitrarily set the IPs to 192.168.254.1 and 192.168.254.2. The bridge NICs have the majority of my network on one side and a box on the other side attempting to DHCP via the bridge. 192.168.254.1 and .2 can ping each other and I've set up ipsec flows according to the man page. If I tcpdump on the NICs I can see all the network traffic on the bridge interface of 192.168.254.1, I can see esp traffic heading to and from the IPSEC boxes and I can see the DHCP requests on the bridge interface of 192.168.254.2. However, the traffic never seems to reach the other side... i.e. I don't see all the network traffic (arp etc.) on the side of .2 and I never see the bootp DHCP reach the other side of .1?!?!

I'm missing something small here. I have to admit I'm not all that familiar with ipsecadm; I use isakmpd for all my VPNs. I like the concept of hardwiring these links with ipsecadm in this scenario and am enjoying the learning process. But one thing I notice with ipsecadm is that when I set up the flows on one box, before I set up the one on the other, netstat -rn and /kern/ipsec show an SA?!?! Basically, I'm wondering, how do I ensure that there is a valid tunnel there?

Below are the params I'm using for the bridges.

---host br1: fxp0: 192.168.254.1 fxp1: bridged---

brconfig bridge0 add gif0 add fxp1

ifconfig gif0 giftunnel 192.168.254.1 192.168.254.2

ipsecadm new esp -spi 4242 -dst 192.168.254.2 -src 192.168.254.1 -enc blf -auth sha1 -keyfile /root/keyfile -authkeyfile /root/authkeyfile

ipsecadm flow -dst 192.168.254.2 -out -transport etherip -require -addr 192.168.254.1 255.255.255.0 192.168.254.2 255.255.255.0

ifconfig fxp1 up
ifconfig gif0 up

brconfig bridge0 up

---host br2: le1: 192.168.254.2 fxp0: bridged---

brconfig bridge0 add gif0 add fxp0

ifconfig gif0 giftunnel 192.168.254.2 192.168.254.1

ipsecadm new esp -spi 4242 -dst 192.168.254.1 -src 192.168.254.2 -enc blf -auth sha1 -keyfile /root/keyfile -authkeyfile /root/authkeyfile

ipsecadm flow -dst 192.168.254.1 -out -transport etherip -require -addr 192.168.254.2 255.255.255.0 192.168.254.1 255.255.255.0

ifconfig fxp0 up
ifconfig gif0 up

brconfig bridge0 up

elmore
November 7th, 2002, 16:04
Has this gone anywhere? The thing I don't understand is how you can route between one subnet? Perhaps you could leave the IP scheme alone and just change the mask? Then again you might as well change your IP scheme. I'm going to work on this at my house over the weekend. I've been meaning to test some new stuff out with my wireless bridge anyways. ;)

|MiNi0n|
November 7th, 2002, 21:17
Well, I've got it working for the most part... sorta.... kinda. I can make the bridge work just dandy without the IPSEC part :roll:

The routing is done with the gif interface... actually... routing is the wrong word. These boxes just pass info back and forth to one another via the gif interface... see the man page for that. My trouble is when I try to push the gif through an IPSEC tunnel created with ipsecadm. Everything appears to be set up correctly but... the traffic never gets through to the bridge interfaces on each end. You can see all the encrypted esp traffic between the two boxes.

Weird. I think I'm missing something with ipsecadm.

|MiNi0n|
November 7th, 2002, 22:10
Hmmmm

So... I RTFM, then I RTFM again.... hmmm.... then I RTFM, slept on it, RTFM a few more times, took a day off from it, then RTFM tonight and bingo bango :idea:. I know the trouble. Anyone care to place a wager (say a tasty-golden-fermented-hops-nectar-of-the-gods type wager) that I resolve it in the A.M. tomorrow??!?!?!

C'mon....

Oh... all this success (fingers crossed) is predicated on my having luckily stumbled across a post from Angelos K. suggesting that net.inet.etherip.allow needed to be enabled. Did that, which helped... :lol:. That, BTW, is nowhere to be found in TFM :evil:

I'll fill in the rest tomorrow and let you know if my assumption is correct.

elmore
November 8th, 2002, 23:37
So ummmm...... should we have taken that bet or what?

|MiNi0n|
November 9th, 2002, 15:12
Oh, I got it working alright :lol:

The damn man page for brconfig is... shall we say... "loosely" written in regards to the IPSEC bridge.

Reading the FAQ for ipsec manual keying on openbsd.org set me straight for the most part.

Works well, the only trouble is there appears to be a significant loss in performance (read bandwidth). This has mostly to do with the fact that each side of the bridge has a card listening in promiscuous mode, which is very intensive :(
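A worked configuration pulling the thread together, added here as an example; it is not the poster's script and not from brconfig(8) or the OpenBSD FAQ. It keeps the thread's addresses, interface names, SPI 4242, blf/sha1 and keyfile paths, adds the net.inet.etherip.allow sysctl from the later post, and, following the manual-keying pattern the last post points to, loads an SA for each direction and pairs the -out flow with an -in flow (the first post had one SA and one flow per box). Assumed rather than stated anywhere in the thread: the reverse-direction SPI (4243), /32 selectors on the flows instead of the /24 the poster used, that -keyfile/-authkeyfile hold hex keys that are byte-identical on both hosts, and the permission check on those files. The flag spelling follows the 3.2-era ipsecadm(8) as this editor reads it; check it against your own release before trusting it. DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): manually keyed ESP around an etherip
# bridge between two OpenBSD boxes, in the shape of the poster's setup plus the
# pieces the thread later identifies as missing: net.inet.etherip.allow, an SA
# for the return direction, and an -in flow to pair with the -out flow.
# Assumed, not stated in the thread: /32 flow selectors, SPI 4243 for the
# .2 -> .1 SA, hex keyfiles kept mode 0600 and byte-identical on both hosts.

DRYRUN=${DRYRUN:-0}                            # DRYRUN=1 prints commands instead of running them
KEYFILE=${KEYFILE:-/root/keyfile}              # blowfish key (hex), same file on both hosts
AUTHKEYFILE=${AUTHKEYFILE:-/root/authkeyfile}  # HMAC-SHA1 key (hex), same file on both hosts
SPI_A=4242   # SA 192.168.254.1 -> 192.168.254.2 (the thread's SPI)
SPI_B=4243   # SA 192.168.254.2 -> 192.168.254.1 (assumed; must differ from SPI_A and match on both hosts)

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse a key that is missing, empty, or readable by group/other: with manual
# keying these files are the whole secret, and they never rotate on their own.
check_keyfile() {
    [ -s "$1" ] || { echo "keyfile $1 missing or empty" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "keyfile $1 must be mode 0600" >&2; return 1 ;;
    esac
}

# configure_side LOCAL REMOTE LAN_IF SPI_OUT SPI_IN
configure_side() {
    local_ip=$1 remote_ip=$2 lan_if=$3 spi_out=$4 spi_in=$5
    check_keyfile "$KEYFILE" && check_keyfile "$AUTHKEYFILE" || return 1

    # Without this the kernel drops etherip input; brconfig(8) of the day did not say so.
    run sysctl -w net.inet.etherip.allow=1

    # One SA per direction. Both hosts load both SAs with the same SPIs and keys.
    run ipsecadm new esp -spi "$spi_out" -src "$local_ip" -dst "$remote_ip" \
        -enc blf -auth sha1 -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
    run ipsecadm new esp -spi "$spi_in" -src "$remote_ip" -dst "$local_ip" \
        -enc blf -auth sha1 -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"

    # Flows select only etherip between the two gateway addresses; -require means
    # a matching packet that is not ESP-protected is dropped, in either direction.
    run ipsecadm flow -out -dst "$remote_ip" -transport etherip -require \
        -addr "$local_ip" 255.255.255.255 "$remote_ip" 255.255.255.255
    run ipsecadm flow -in -src "$remote_ip" -transport etherip -require \
        -addr "$remote_ip" 255.255.255.255 "$local_ip" 255.255.255.255

    # gif0 does the etherip encapsulation; bridge0 joins it to the LAN port.
    run ifconfig gif0 giftunnel "$local_ip" "$remote_ip"
    run brconfig bridge0 add gif0 add "$lan_if"
    run ifconfig "$lan_if" up
    run ifconfig gif0 up
    run brconfig bridge0 up
}

# verify_side REMOTE WIRELESS_IF: what a working tunnel looks like from one box.
# Expect two SAs (one per direction) in /kern/ipsec, both flows in the encap
# table, and only esp between the gateways on the wireless-facing interface.
verify_side() {
    run cat /kern/ipsec
    run netstat -rn -f encap
    run brconfig bridge0
    run tcpdump -n -c 20 -i "$2" host "$1"
}

# Interface names are the thread's: br1 bridges fxp1, br2 bridges fxp0.
case "${1:-}" in
    br1)    configure_side 192.168.254.1 192.168.254.2 fxp1 "$SPI_A" "$SPI_B" ;;
    br2)    configure_side 192.168.254.2 192.168.254.1 fxp0 "$SPI_B" "$SPI_A" ;;
    verify) verify_side "$2" "$3" ;;
    "")     ;;   # no argument: define the functions only (script sourced or tested)
    *)      echo "usage: $0 br1|br2|verify remote_ip wireless_if" >&2; exit 1 ;;
esac
```

Run it as root, br1 on one box and br2 on the other, then verify 192.168.254.2 fxp0 on br1: the thread's symptom (esp visible between the gateways but nothing arriving on the far bridge port) is what you get when the etherip sysctl is off or the inbound SA/flow is absent, so both SAs and both flows should be listed before expecting ARP or DHCP to cross. Manual keys never rotate and anyone who can read the keyfiles can decrypt the link, so generate them from /dev/urandom, copy them over an already-authenticated channel, and replace them on a schedule; isakmpd does that for you, which is the usual reason to move to it once the bridge works.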