[Ipsec-tools-devel] Re proxy ARP
From: Gregory H. N. <gr...@ne...> - 2004-09-21 22:53:42
As I thought, I was talking out my ****. I see ARP and fancy routing is not needed with racoon as it is with FreeS/WAN; the kernel seems to take care of the traffic automagically. This is nice to know. Here is my test setup:

1) Linux boxen (2.6.8.1) with racoon, one set to generate policy, one set with the following:

    spdadd 0.0.0.0/0 10.10.255.22/32 any -P in ipsec esp/tunnel/192.168.0.1-192.168.0.103/require;
    spdadd 10.10.255.22/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.0.103-192.168.0.1/require;

   The other box runs pppoe-server so I can simulate a dial-up. 192.168.0.1 is the server address [alias to eth0; 10.10.255.1 is the main network].

2) On the initiator I add a dummy interface with the 10.10.255.22 address, then set up all packets to be sent from this address (not interface) via the ppp:

    modprobe dummy
    ip link set dummy0 up
    ip addr add 10.10.255.22/32 dev dummy0
    ip route add 0/0 via 192.168.0.1 dev ppp0 src 10.10.255.22

3) If I ping anything, magic happens and the SA comes up, and I can ping .22 from other machines. But checking the ARP there is no entry, which I was expecting to have to add to allow users on the road the ability to access the network with their IPs with no changes ... damn this is good, as we would say here in South Africa ... "eish dis woone eish she is strong".

When I add an alias to the dummy and ping it from the server I get a response, and an ARP entry is added by the kernel to the ethernet card, so it looks like the kernel internals are really hard and work well ... now just to add iptables rules so that the system won't see the traffic as spoofed and reject it when applying ingress/egress filters ... you got to love the dummy interface :)

-- 
Gregory Hinton Nietsky
Email: gr...@ne...
Jabber: irroot <ir...@di...>
Yahoo: gregnietsky
MSN: gr...@di...
ICQ: 281096462 <irroot>
Gadu-Gadu: 5262483 <irroot>
AIM: irrootza
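The setup in the message above, turned into a small generator script as an added example (this is not code from the post or from ipsec-tools). It generalises the single 10.10.255.22 case: given any roaming inner address and the two tunnel endpoints, it prints the initiator's pair of setkey SPD entries and the dummy-interface commands, and it checks that the "in" tunnel is the exact reverse of the "out" tunnel, which is the property that keeps both directions of the inner address's traffic under a "require" policy so nothing for it passes in the clear. Function names and the `--print` switch are my own; the default addresses are the post's lab values.

```shell
#!/bin/sh
# Added example, not code from the original post or from ipsec-tools.
# The functions only print commands; review the output, then feed the SPD
# lines to `setkey -f` and run the ip commands as root yourself.
# Addresses default to the post's lab values; function names are hypothetical.

# spd_policy_for_roaming_client INNER_IP SERVER_TUNNEL_IP CLIENT_TUNNEL_IP
# Prints the two setkey(8) SPD entries for the initiator: traffic to the inner
# (roaming) address must arrive in an ESP tunnel from the server endpoint, and
# traffic from it must leave in the reverse tunnel. Both are "require", so
# cleartext traffic for the inner address is refused in either direction.
spd_policy_for_roaming_client() {
    inner=$1
    srv=$2
    cli=$3
    printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$inner" "$srv" "$cli"
    printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$inner" "$cli" "$srv"
}

# roaming_client_setup INNER_IP GATEWAY_IP PPP_DEV
# Prints the iproute2 commands that give the client its fixed inner address on
# a dummy interface and force every outgoing packet to use that address as
# source, so it matches the "out" SPD entry above and gets tunnelled.
roaming_client_setup() {
    inner=$1
    gw=$2
    dev=$3
    printf 'modprobe dummy\n'
    printf 'ip link set dummy0 up\n'
    printf 'ip addr add %s/32 dev dummy0\n' "$inner"
    printf 'ip route add 0/0 via %s dev %s src %s\n' "$gw" "$dev" "$inner"
}

# spd_pair_is_symmetric INNER_IP SERVER_TUNNEL_IP CLIENT_TUNNEL_IP
# Returns 0 when the "in" tunnel endpoints printed for these arguments are the
# exact reverse of the "out" tunnel endpoints; a mismatch here means one
# direction would be protected by a different SA than the other.
spd_pair_is_symmetric() {
    pair=$(spd_policy_for_roaming_client "$1" "$2" "$3")
    in_tun=$(printf '%s\n' "$pair" | sed -n '1s/.*esp\/tunnel\/\([^/]*\)\/require;/\1/p')
    out_tun=$(printf '%s\n' "$pair" | sed -n '2s/.*esp\/tunnel\/\([^/]*\)\/require;/\1/p')
    in_a=${in_tun%-*}
    in_b=${in_tun#*-}
    [ "$in_b-$in_a" = "$out_tun" ]
}

# Usage: sh thisscript.sh --print   (prints the post's configuration)
if [ "${1:-}" = "--print" ]; then
    spd_policy_for_roaming_client 10.10.255.22 192.168.0.1 192.168.0.103
    roaming_client_setup 10.10.255.22 192.168.0.1 ppp0
fi
```

The SPD lines go on the initiator only; the responder in the post runs racoon with policy generation, so it derives its matching entries from the negotiated proposal rather than from a setkey file.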