Date: Tue, 13 Nov 2001 03:14:38 +0100
From: Rémi Guyomarch
To: Lamont Granquist
Cc: FreeBSD Security List
Subject: Re: Bump-in-the-Road IPsec?
Message-ID: <20011113031438.A45472@diabolic-cow.chatgris.net>
In-Reply-To: <20011112164936.F538-100000@coredump.scriptkiddie.org>

On Mon, Nov 12, 2001 at 04:57:39PM -0800, Lamont Granquist wrote:
>
> I'm trying to implement a transparent IPsec gateway and am wondering if I
> can make it work under FreeBSD? What I want is a transparent bridge which
> will encrypt communications between a set of machines on two different
> subnets with real IP numbers. Something like:
>
>
>                  other servers
>                        |
> Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2
>
>
> Server1 should have a real IP address, SG1 should have at least one real
> IP address on one of its interfaces for administration. Server1 should be
> able to talk to the other servers on its subnet with SG1 acting like a
> transparent bridge. Server1 should also be able to talk to machines on the
> internet through the router, unencrypted. However, for talking to Server2
> (also with a real IP address) the traffic should go between SG1 and SG2
> encrypted.
>
> I've tried doing this with OpenBSD and have run into a problem in that I
> can setup the transparent bridge, but from SG1 i cannot connect to
> Server1 (the routing tables and the bridging tables don't seem to
> communicate with each other).

On OpenBSD, use the gif device, along with IPSec in transport mode and
the same bridge setup as described below.

Btw, the OpenBSD approach is probably faster (completely kernel-based)
and needs less overhead (no udp headers) than the FreeBSD solution.

> Can I make something like this work under FreeBSD and what kind of magic
> do I need to do?

On FreeBSD I would use /usr/ports/net/vtun/ with a tap(4) device.

VTun is a pretty neat tunneling software. It can do
{ip,ethernet,tty,pipe}-in-{udp,tcp}. It can also compress and/or encrypt
the tcp or udp stream after the encapsulation stage. Since its crypt
machinery is a bit too 'simple', you could use IPSec in transport mode to
encrypt its streams.

                 other servers
                       |
            a  b       |                              b  a
Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2

Vtun will create a tap(4) pseudo-interface. You can (hopefully) do with
this interface everything you can do with a real interface.

On SG1, create two bridges :
- SG1a + SG1b
- SG1a + tap0

Same thing on SG2 :
- SG2a + SG2b
- SG2a + tap0

Simply for completeness, there's an ongoing port of FreeBSD's tap device
to OpenBSD. But using gifs is probably better on OpenBSD.

PS: I didn't test such a setup, but it should work, modulo bugs :)

--
Rémi
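As an added illustration of the "IPsec in transport mode around the VTun stream" part of the reply (this is not configuration from the thread or from the VTun project), here is a setkey(8) policy file for SG1. It assumes constructed documentation addresses (SG1 = 192.0.2.1, SG2 = 198.51.100.1), assumes VTun has been configured to use UDP port 5000 on both ends, and assumes the ESP security associations are negotiated by an IKE daemon rather than keyed by hand.

```conf
# Example /etc/ipsec.conf for SG1; load with:  setkey -f /etc/ipsec.conf
# Constructed addresses: SG1 = 192.0.2.1, SG2 = 198.51.100.1 (assumptions).
# UDP port 5000 is assumed to be the port vtund is configured to use.

# Clear stale policies so an old, weaker entry cannot shadow these.
spdflush;

# Outbound VTun stream SG1 -> SG2 must be carried in ESP transport mode.
# "require" means the packet is dropped when no matching SA exists, so a
# failed key negotiation never silently falls back to cleartext UDP.
spdadd 192.0.2.1[5000] 198.51.100.1[5000] udp -P out ipsec
       esp/transport//require;

# Inbound: accept the VTun stream from SG2 only if it arrived under ESP.
spdadd 198.51.100.1[5000] 192.0.2.1[5000] udp -P in ipsec
       esp/transport//require;
```

SG2 gets the mirror image with the addresses swapped. To check the result, `setkey -DP` lists the installed policies and `setkey -D` the negotiated SAs; a packet capture on SG1b while Server1 talks to Server2 should then show ESP between the two gateways rather than UDP port 5000. Note that only the bridged frames that traverse tap0 get this protection; frames bridged from SG1a straight to SG1b (Server1 to the rest of the Internet) remain cleartext, exactly as the original question asks.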