From owner-freebsd-net@FreeBSD.ORG Fri Jul 30 06:05:19 2004
Date: Fri, 30 Jul 2004 10:04:43 +0400
From: "Nickolay A. Kritsky" <nkritsky@star-sw.com>
To: "Bjoern A. Zeeb"
cc: freebsd-net@freebsd.org
Subject: Re[2]: ipsec packet filtering
Message-ID: <12410155296.20040730100443@star-sw.com>
References: <652582171.20040730075831@star-sw.com>
List-Id: Networking and TCP/IP with FreeBSD

Hello Bjoern,

Friday, July 30, 2004, 9:04:49 AM, Bjoern A. Zeeb wrote:

BAZ> I do not understand what you are trying to do but filtering ipsec
BAZ> encrypted packets in ipfw is available for quite some time now.
BAZ> I can and do check packets that:
BAZ> - come in encrypted and leave unencrypted
BAZ> - come in encrypted and leave encrypted
BAZ> - come in encrypted and leave re-encrypted
BAZ> - come in unencrypted and go out encrypted
BAZ> - come in encrypted and do not leave the system

OK, let's do a small demonstration.

  217.195.82.43 <--> VPN_router1 <--> [---INTERNET---]
                                             |
                                             |
  192.168.64.10 <--> VPN_router2 <-----------+

Traffic between 217.195.82.43 and 192.168.64.10 is encrypted by ipsec in
esp/tunnel mode. Icmp is enabled, and pings go OK.

Then I do (on VPN_router2):

  bash-2.05b# uname -sr
  FreeBSD 4.9-RELEASE
  bash-2.05b# ipfw add 1 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 count icmp from 192.168.64.10 to 217.195.82.43 in
  bash-2.05b# ipfw add 1 count icmp from 192.168.64.10 to 217.195.82.43 out
  00001 count icmp from 192.168.64.10 to 217.195.82.43 out
  bash-2.05b# ipfw sh 1
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out

after 4 pings from 217.195.82.43 to 192.168.64.10:

  bash-2.05b# ipfw sh 1
  00001 4 240 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out

while it obviously should be 4 of them in both rules. That is the problem
that bothers me.

To show that this is not purely theoretical, here is the scenario: We need to
establish a VPN with our customer. They request us to NAT all our outgoing
traffic, so that all packets will have the same src addr. natd rewrites the
src addr only on outgoing packets, but the outgoing packets never reach natd,
because they don't make it through the ipfw rules. Tricky, eh?

So I see 3 choices so far:
1. patch libalias
2. patch the kernel (ip_output.c ? ip_fw.c?)
3. use two separate boxes for nating and ipsekking.

So when you are saying:

BAZ> - come in unencrypted and go out encrypted

it is quite a surprise for me. What is your FreeBSD version? Can you
confirm that with the test like above?

--
Best regards,
 Nickolay A. Kritsky
 SysAdmin STAR Software LLC
 mailto:nkritsky@star-sw.com
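The test above relies on reading `ipfw show` counters by eye: the paired `in` and `out` count rules should advance together, and a pair where only one side moves means the traffic is reaching the firewall on one path but bypassing it on the other (here, plaintext replies that never hit the `out` rule before IPsec encapsulation). The following is an added example, not code from the original message or from FreeBSD, that parses `ipfw show` output and reports such asymmetric pairs. The sample output is a constructed copy of the counters quoted in the mail; the field layout (rule number, packets, bytes, rule body ending in `in` or `out`) is that of FreeBSD 4.x `ipfw show` and is assumed for the parser.

```python
import re
from collections import defaultdict

# Constructed sample: the two counters quoted in the mail after 4 pings.
# Format assumed: <rule#> <packets> <bytes> <rule body ...> <in|out>
SAMPLE_IPFW_SHOW = """\
00001 4 240 count icmp from 192.168.64.10 to 217.195.82.43 in
00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out
"""

# rule number, packet count, byte count, body, trailing direction keyword
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s+(in|out)\s*$")


def parse_ipfw_show(text):
    """Parse `ipfw show` output into a list of rule dicts.

    Lines that do not end in an explicit `in`/`out` keyword (e.g. rules
    without a direction, or the final `65535 ... default` rule) are skipped,
    since they cannot be paired by direction.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, pkts, nbytes, body, direction = m.groups()
        rules.append({
            "rule": int(num),
            "packets": int(pkts),
            "bytes": int(nbytes),
            "body": body,          # rule text without the direction keyword
            "direction": direction,
        })
    return rules


def find_direction_asymmetry(rules):
    """Return (body, in_packets, out_packets) for every rule body that has
    both an `in` and an `out` counter with differing packet counts.

    A non-zero `in` count paired with a zero `out` count is the signature
    reported in the mail: the packets exist on the inbound path but never
    traverse the outbound ipfw pass (here, because they are consumed by
    IPsec processing before ipfw sees them).
    """
    by_body = defaultdict(dict)
    for r in rules:
        by_body[r["body"]][r["direction"]] = r["packets"]

    findings = []
    for body, dirs in sorted(by_body.items()):
        if "in" in dirs and "out" in dirs and dirs["in"] != dirs["out"]:
            findings.append((body, dirs["in"], dirs["out"]))
    return findings


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    for body, n_in, n_out in find_direction_asymmetry(parsed):
        print(f"asymmetric counters for '{body}': in={n_in} out={n_out}")
```

On a live router you would feed it `ipfw show` output (for example `ipfw show | python3 this_script.py` with `sys.stdin.read()` in place of the sample string); the point of the check is to make the "4 in, 0 out" condition machine-detectable rather than something noticed by inspection.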