Date:      Mon, 29 Oct 2001 16:23:55 +0000
From:      tariq_rashid@lineone.net
To:        sakane@kame.net
Cc:        freebsd-security@freebsd.org
Message-ID:  <E15yFCd-0007ne-00@mk-smarthost-2.mail.uk.worldonline.com>



you may remember that I've been setting up a star-topology network (hub-and-spoke), with the spoke networks dialing up with dynamic IPs ... and using isakmpd on FreeBSD 4.4

well - after weeks of sweating and some help (from yourself included!) - it's nearly there!

I need a pointer to the kernel/KAME code for this one....

    [subnet A]---(gw-A) ------
    10.8.0.0/16               |
                              |---(central hub gw-H)---[subnet-H]
                              |            10.0.7.2   10.0.0.0/16
    [subnet B]---(gw-B) ------|
    10.9.0.0/16

	... with others like C,D,E ...


	* each "spoke" network ipsec gateway must have an isakmpd.conf that sets up SPDs which
	  catch the whole subnet. That is, on gw-A, the SPD would say:
		10.8.0.0/16[any] 10.0.0.0/8[any] any out ipsec ...
		10.0.0.0/8[any] 10.8.0.0/16[any] any in ipsec ...

	* we need this so that each of gw-A, B, C, etc. does not need to know about any other spoke subnet,
	  so 10.8.0.3 -> 10.12.0.3 will work with no special SPD for 10.12/16

 Now - the problem with this is that these "wide-catching" SPDs also catch and encapsulate traffic from the localhost to the localhost, and also traffic from the localhost to the protected subnet.

	eg 10.8.0.1 (gw-A) -> 10.8.0.1  --------> fails (encapsulated)
	eg 10.8.0.1 (gw-A) -> 10.8.0.5  --------> fails (encapsulated)

 .. resulting in a routing loop?


 SOLUTION: I tried using ipfw and ipf to catch these two cases and try to pass them out... but experiments show that this failed... the rules work ... but as soon as the SPDs switch on, the traffic is caught by KAME ipsec BEFORE the firewall rules can get at them.


 So - I must resort to hacking the kernel to make the exception:

	if (traffic from localnet to localnet) 
		{ do not encapsulate, throw out on interface }

	elseif (traffic from localnet to non-localnet)
		{ let ipsec/kame/spd do the matching and encapsulation };

where in the FreeBSD 4.4-RELEASE code should I start - I've done some kernel work on Linux but not FreeBSD yet...

thanks
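As an added example (not the poster's code and not KAME's SPD implementation), a small model of first-match SPD lookup showing why a narrow bypass entry for the local subnet, placed ahead of the broad 10/8 entry, keeps gw-A's own traffic out of the tunnel; the first-match ordering and the `none` policy name are assumptions here, written in setkey-like terms.

```python
import ipaddress

# Constructed model of an ordered SPD: the first matching entry wins, so a
# narrow bypass entry must precede the broad ipsec entry. This is an assumed
# lookup rule for illustration, not a description of KAME's key.c.
# Each entry: (src prefix, dst prefix, direction, policy).
LOCAL = ipaddress.ip_network("10.8.0.0/16")      # gw-A's own subnet (from the post)
HUB_SPACE = ipaddress.ip_network("10.0.0.0/8")   # everything reachable via the hub


def broken_spd(local, remote_space):
    """The post's SPD as written: the /8 selector swallows local traffic too."""
    return [
        (local, remote_space, "out", "ipsec"),   # 10.8/16 -> 10/8 out ipsec
        (remote_space, local, "in", "ipsec"),    # 10/8 -> 10.8/16 in ipsec
    ]


def fixed_spd(local, remote_space):
    """Same SPD with a bypass exception for local<->local placed first."""
    return [
        (local, local, "out", "none"),           # gw-A -> own subnet: plaintext
        (local, local, "in", "none"),
    ] + broken_spd(local, remote_space)


def lookup(spd, src, dst, direction):
    """Return the policy of the first SPD entry whose selectors match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, entry_dir, policy in spd:
        if entry_dir == direction and s in src_net and d in dst_net:
            return policy
    return "none"   # no matching policy: traffic passes unprotected


if __name__ == "__main__":
    for spd_name, spd in (("broken", broken_spd(LOCAL, HUB_SPACE)),
                          ("fixed", fixed_spd(LOCAL, HUB_SPACE))):
        for src, dst in (("10.8.0.1", "10.8.0.1"),    # localhost -> localhost
                         ("10.8.0.1", "10.8.0.5"),    # gw-A -> its own subnet
                         ("10.8.0.3", "10.12.0.3")):  # spoke A -> spoke C
            print(spd_name, src, "->", dst, lookup(spd, src, dst, "out"))
```

Whether the real kernel honours entry order this way is exactly what needs confirming in the KAME SPD lookup code before relying on it.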




