Bug 77299

Summary: Syntax Errors in commands for IPSEC in Handbook
Product: Documentation    Reporter: Loren M. Lang <lorenl>
Component: Books & Articles    Assignee: Tom Rhodes <trhodes>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Loren M. Lang 2005-02-09 10:20:14 UTC
In the VPN over IPSEC section of the FreeBSD Handbook, there are a couple of errors in the configuration.  First, the route command he uses is "route add 192.168.2.0 192.168.2.1 netmask 0xffffff00".  The word netmask does not belong in there; it should be "route add 192.168.2.0 192.168.2.1 0xffffff00".  The error is repeated in the summary of the first part, in the line 'route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"'.  Again, the word netmask should be removed.  Also, in configuring the IPSEC rules he uses the following lines:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

This is incorrect: as he is already tunneling the data through gif0, he creates a tunnel inside of a tunnel.  This can be confirmed by changing the protocol from esp to ah and sniffing the network as traffic is crossing.  You will see two identical tunnels inside one another.  The correct fix is to either not use the gif interface or change the lines above to:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require;

Also, in setting up the gif tunnel, he mentions that FreeBSD 5.x has the command gifconfig merged into ifconfig, but does not offer an example.  I think it would be helpful to show the correct command which would be:

ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff tunnel W.X.Y.Z A.B.C.D

And, of course, swapped for the second router.  Lastly, he didn't talk about how to use ah in combination with esp.  An example like:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;

This will wrap the tunnel inside esp inside ah inside the outer ip protocol, and would probably be a good example to put in.  I am also interested in using ipcomp, but I have yet to figure out how to set it up correctly; maybe a quick demo of that would be nice.

Fix: 

Remove the word netmask on all lines pertaining to the route command.

Don't use a gif tunnel for ipsec or change the ipsec.conf file to read:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require;

Offer ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff tunnel W.X.Y.Z A.B.C.D as an example for FreeBSD 5.x

Offer the following configuration for people trying to use esp inside of ah: 

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;

Add a short example on setting up ipcomp.
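As an added example (not part of this PR or of the Handbook), here is a small Python lint that parses spdadd lines of the form quoted above and flags the combination the reporter describes: an ipencap selector (traffic that gif0 has already encapsulated) paired with a tunnel-mode policy, which produces the tunnel inside a tunnel. The sample configuration is constructed from the lines in this PR; the W.X.Y.Z/A.B.C.D placeholders are kept as in the report.

```python
import re

# Constructed sample, modelled on the spdadd lines quoted in this PR (not the
# Handbook's actual file).  Lines 1-2 are the tunnel-mode form the reporter
# objects to; lines 3-4 are the transport-mode ESP+AH form he proposes.
SAMPLE_CONF = """\
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> ipsec <policy> [<policy> ...];
SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<policies>.+?)\s*;\s*$")
# One policy token: protocol/mode/[src-dst]/level, e.g. esp/transport//require
POLICY_RE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)/(?P<mode>transport|tunnel)/(?P<endpoints>[^/]*)/(?P<level>\w+)$")

def parse_spdadd(line):
    """Return a dict for one spdadd line, or None if the line is not a spdadd."""
    m = SPD_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    raw_policies = entry.pop("policies")
    entry["policies"] = []
    for tok in raw_policies.split():
        pm = POLICY_RE.match(tok)
        if pm is None:
            raise ValueError(f"unparseable policy {tok!r} in: {line.strip()}")
        entry["policies"].append(pm.groupdict())
    return entry

def find_double_tunnels(text):
    """Flag spdadd lines whose selector is ipencap (gif-encapsulated traffic)
    but whose policy is tunnel mode: IPsec would wrap the gif tunnel in a
    second tunnel.  Returns [(lineno, protocol, suggested_policy), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_spdadd(line)
        if entry is None:
            continue
        for pol in entry["policies"]:
            if entry["upper"] == "ipencap" and pol["mode"] == "tunnel":
                fix = f"{pol['proto']}/transport//{pol['level']}"
                findings.append((lineno, pol["proto"], fix))
    return findings

if __name__ == "__main__":
    for lineno, proto, fix in find_double_tunnels(SAMPLE_CONF):
        print(f"line {lineno}: {proto}/tunnel over an ipencap selector; use {fix}")
```

Run against a real ipsec.conf the script only reads the file; it does not load anything into the kernel, so it is safe to use as a pre-check before setkey -f.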
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2005-02-09 13:50:04 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-doc

Documentation bug.
Comment 2 Tom Rhodes freebsd_committer freebsd_triage 2005-03-01 09:24:19 UTC
State Changed
From-To: open->closed

Patch applied with some small formatting and word tweaks,
thanks for the submission!

Comment 3 Tom Rhodes freebsd_committer freebsd_triage 2005-03-01 09:24:19 UTC
Responsible Changed
From-To: freebsd-doc->trhodes

Over to me, last person to touch this PR.