EtherIP

From securityrouter.org, an OpenBSD-based firewall

EtherIP (RFC 3378) defines a technique for tunneling Ethernet frames in IP datagrams, sometimes referred to as a "layer 2 VPN" or "Ethernet over IP". Its main purpose is to simulate an extended wire between two layer 2 domains (switches) across a layer 3 (IP) network such as the Internet, spanning different providers and geographical locations. This allows you to build a more integrated network than a regular layer 3 VPN does.

Examples of useful scenarios are:

  • Integrating branch office networks completely with the head office
  • Hosted solutions, e.g. offering a Microsoft Active Directory service (with DHCP etc.) in the cloud
  • A temporary solution while moving offices between two physical locations, where not everything can be moved at once

Some Internet providers offer this service within their own network, with virtually no gain over EtherIP, but for an additional monthly cost and often (or always) with the constraint that you must use the same provider at both locations.

VMware ESXi

For EtherIP to work on VMware ESXi, you need to accept "Promiscuous Mode" on the terminating vSwitch/VM Network. This setting can be found in the vSphere client under ESXi configuration > Configuration > Networking > vSwitchX/VM Network > Properties > Edit > Security [1]. However, if you are concerned about internal security in your network, you should read and fully understand the implications of "Promiscuous Mode" [2]: with it accepted, any VM attached to that port group can receive every frame passing through it, not only frames addressed to its own MAC.

Configuration

Below is a partial example of how to bridge the second port (LAN) between two appliances (the IP addresses need to be swapped on the second location). This can of course be done through the graphical web administration as well.

interface bridge0 {
	link2
	member gif0
	member rl1
}
interface gif0 {
	tunnel 1.2.3.4 4.3.2.1
}
interface rl1 {
	description "LAN"
}

Additional firewall rules may be needed, depending on your setup. However, two rules are more or less required for normal operation. The first skips firewalling on the tunnel and bridge interfaces, because the firewall is not concerned with Ethernet frames anyway. The second limits the maximum segment size (MSS) of inbound TCP packets, to leave room for the encapsulation overhead.

firewall {
	set skip on skipped
	pass on l2lan scrub (no-df max-mss 1200)
	...
}
interface bridge0 {
	link2
	member gif0
	member rl1
	group "skipped"
}
interface gif0 {
	tunnel 1.2.3.4 4.3.2.1
	group "skipped"
}
interface rl1 {
	description "LAN"
	group "l2lan"
}
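The following Python script is an added example, not code from securityrouter.org or from the appliance. It builds and validates the RFC 3378 EtherIP header described in the introduction (a receiver should drop frames with the wrong version or non-zero reserved bits), and it works out the per-layer byte budget behind the max-mss rule above, so you can see how much margin a clamp such as 1200 leaves. The ESP overhead figure is an assumption for a typical AES-CBC with HMAC-SHA1-96 transform; the sample Ethernet frame is constructed.

```python
"""EtherIP (RFC 3378) framing and the MTU budget behind the max-mss rule.

Added example; not code from securityrouter.org or the appliance.
The ESP overhead figure is an assumption for a typical AES-CBC with
HMAC-SHA1-96 transform; the sample Ethernet frame is constructed.
"""
import struct

ETHERIP_PROTO = 97        # IP protocol number assigned to EtherIP
ETHERIP_VERSION = 3       # value of the 4-bit version field in RFC 3378
ETHERIP_HDR_LEN = 2       # 4-bit version + 12-bit reserved field
ETH_HDR_LEN = 14          # destination MAC + source MAC + EtherType

# Per-layer overhead in bytes between the outer IP MTU and the TCP payload.
OUTER_IP = 20             # outer IPv4 header without options
INNER_IP = 20             # tunnelled IPv4 header without options
INNER_TCP = 20            # tunnelled TCP header without options
# Assumed ESP overhead (AES-CBC + HMAC-SHA1-96), worst case for padding:
ESP_OVERHEAD = 8 + 16 + 15 + 2 + 12   # SPI/seq + IV + max pad + trailer + ICV


def build_etherip_header() -> bytes:
    """Version in the top 4 bits; the reserved low 12 bits must be zero."""
    return struct.pack("!H", ETHERIP_VERSION << 12)


def encapsulate(eth_frame: bytes) -> bytes:
    """Prepend the EtherIP header to a complete Ethernet frame."""
    if len(eth_frame) < ETH_HDR_LEN:
        raise ValueError("not a complete Ethernet frame")
    return build_etherip_header() + eth_frame


def decapsulate(ip_payload: bytes) -> bytes:
    """Validate an EtherIP payload and return the inner Ethernet frame.

    A receiver should drop anything that fails these checks rather than try
    to repair it: a wrong version or non-zero reserved bits means either a
    different protocol or a malformed packet.
    """
    if len(ip_payload) < ETHERIP_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("payload too short for an EtherIP + Ethernet header")
    (hdr,) = struct.unpack("!H", ip_payload[:ETHERIP_HDR_LEN])
    version, reserved = hdr >> 12, hdr & 0x0FFF
    if version != ETHERIP_VERSION:
        raise ValueError(f"unsupported EtherIP version {version}")
    if reserved != 0:
        raise ValueError("reserved bits are set")
    return ip_payload[ETHERIP_HDR_LEN:]


def is_valid_etherip(ip_payload: bytes) -> bool:
    """Boolean form of decapsulate() for filtering code."""
    try:
        decapsulate(ip_payload)
        return True
    except ValueError:
        return False


def outer_datagram_size(eth_frame: bytes, ipsec: bool = False) -> int:
    """Size of the IP datagram that carries eth_frame across the tunnel."""
    size = OUTER_IP + len(encapsulate(eth_frame))
    return size + ESP_OVERHEAD if ipsec else size


def max_mss(outer_mtu: int = 1500, ipsec: bool = False) -> int:
    """Largest TCP MSS whose segments still fit in one outer datagram."""
    overhead = OUTER_IP + ETHERIP_HDR_LEN + ETH_HDR_LEN + INNER_IP + INNER_TCP
    if ipsec:
        overhead += ESP_OVERHEAD
    return outer_mtu - overhead


def mss_is_safe(configured_mss: int, outer_mtu: int = 1500, ipsec: bool = False) -> bool:
    """True if a 'max-mss' clamp leaves room for the encapsulation."""
    return configured_mss <= max_mss(outer_mtu, ipsec)


# Constructed sample frame: broadcast destination, made-up source MAC,
# EtherType 0x0806 (ARP) followed by 28 zero bytes of body.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28

if __name__ == "__main__":
    tunnelled = encapsulate(SAMPLE_FRAME)
    assert decapsulate(tunnelled) == SAMPLE_FRAME
    print("EtherIP header:", tunnelled[:2].hex())
    print("outer datagram without/with ESP:",
          outer_datagram_size(SAMPLE_FRAME), outer_datagram_size(SAMPLE_FRAME, True))
    print("max MSS at MTU 1500 without/with ESP:", max_mss(), max_mss(ipsec=True))
    print("max-mss 1200 safe with ESP:", mss_is_safe(1200, ipsec=True))
```

With a 1500-byte outer MTU the budget comes to 1424 bytes of MSS for plain EtherIP and 1371 with the assumed ESP transform, so the 1200 used in the firewall rule above keeps a comfortable margin even over a PPPoE link with a smaller MTU. The no-df option matters for the same reason: inner packets that set DF would otherwise be dropped instead of fragmented when they exceed the remaining room.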

Use with IPsec

If you would like to add encryption between the two endpoints, add a "Manual IPsec" policy with an additional flow, e.g.:

ipsec {
	esp from 1.2.3.4 to 4.3.2.1 spi 0x1234:0x4321 authkey ... enckey ... label Layer2
	flow esp proto etherip from 1.2.3.4 to 4.3.2.1
}