Date:      Fri, 21 Sep 2001 09:56:58 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Sameh Ghane <sw@anthologeek.net>
Cc:        freebsd-net@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: ipfilter and IPSec processing order 
Message-ID:  <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
In-Reply-To: Message from Sameh Ghane <sw@anthologeek.net>  of "Fri, 21 Sep 2001 10:26:45 +0200." <20010921102645.D77863@anthologeek.net>

Hi,

I can't answer your question specifically as I've never used
ipfilter, but it's certainly possible to use natd at the same time as
IPSEC... the vital thing is to ensure that no traffic is altered by
both engines.

Using a gif tunnel (which you are already) and encrypting only ipencap
traffic in your spdadd/transport policy should mean that the nat
engine either sees regular traffic (that should be NATd) or ipencap
traffic (which shouldn't be NATd, and won't as the src address is the
gateway address).

So the bit you may be missing is the ``ip4'' bit in the setkey spdadd
line....

> Hi,
>
> I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19
> gateways, using ipfilter (v3.4.20 (264)) as packet filter.
>
> With no particular statement about IPSec, I get this message:
>
> Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y ->
> 213.41.W.Z PR ipencap len 20 (104) OUT
>
> when I try to make my packets go out.
>
> Fine. I let protocol IP ENCAP (4) go through the firewall.
>
> Then, I get: Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b
> 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN
>
> when packets come back to the gateway.
>
> Fine. I let protocol ESP (50) go through the firewall.
>
> I can now ping both ends of the tunnel, because I explicitly allowed ICMP
> to go through ipf rules. Unfortunately, when I try to telnet the other side of
> the tunnel, on HTTP's port, using the private network addresses:
>
> Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 ->
> 192.168.1.1,1259 PR tcp len 20 44 -AS IN
>
> responses are not allowed to come back.
>
> I even tried to put stateful rules for the private networks:
>
> pass out quick proto tcp from 192.168.0.0/17  to 192.168.128.0/17  keep state
>
> Unsuccessfully.
>
> So I am wondering, why is ipfilter seeing the packet twice: once encapsulated,
> once decapsulated?
>
> I looked at freebsd-net, -security, and ipfilter mailing lists, with no success.
>
> NetBSD states that:
>      « Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was
> clarified as below:
>          ipf(4) looks at packets in native wire format only. ipf(4) looks at
> packets before IPsec processing on inbound, and after IPsec processing on
> outbound. »
>
> Is it done on FreeBSD? Why can't it be done (I read threads where people
> stated that packet filter and IPSec interaction was an unsolvable problem)?
>
> And even if the packet goes twice through the packet filter, why can't I use
> stateful rules? Hum!?
>
> Cheers,
>
> --
> Sameh

--
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
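
Brian's suggestion written out as an added configuration example (not part of the original thread or either poster's own setup): a gif tunnel between the two gateways, an SPD that applies transport-mode ESP only to ip4/ipencap traffic between the public gateway addresses, and ipf rules letting that traffic through on fxp0. The public addresses 213.41.X.Y / 213.41.W.Z, the interface fxp0 and the private networks come from the thread; the gif0 inner addresses 192.168.1.1 and 192.168.202.17, the file locations and the rc.conf placement are assumptions, and key management (racoon, or manual setkey `add` lines) is omitted.

```conf
# --- /etc/rc.conf fragment on the local gateway 213.41.X.Y (assumed placement) ---
gif_interfaces="gif0"
gifconfig_gif0="213.41.X.Y 213.41.W.Z"               # outer (public) tunnel endpoints
ifconfig_gif0="inet 192.168.1.1 192.168.202.17 netmask 255.255.255.255"  # inner endpoints (assumed)
static_routes="vpn"
route_vpn="-net 192.168.128.0/17 192.168.202.17"     # remote private net goes into the tunnel

# --- setkey(8) policy file, e.g. /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf ---
spdflush;
# Only the ipencap (IP protocol 4) packets that gif0 emits are encrypted, in
# transport mode between the gateway addresses.  Ordinary traffic from the
# private networks never matches an IPsec policy, so natd/ipf see either plain
# traffic (to be NATd/filtered) or ipencap traffic from the gateway address.
spdadd 213.41.X.Y 213.41.W.Z ip4 -P out ipsec esp/transport//require;
spdadd 213.41.W.Z 213.41.X.Y ip4 -P in  ipsec esp/transport//require;

# --- ipf rules, e.g. /etc/ipf.rules (assumed placement) ---
# The two protocols the thread already allows between the gateways; passing
# both directions covers the packet wherever ipf happens to inspect it.
pass out quick on fxp0 proto ipencap from 213.41.X.Y to 213.41.W.Z
pass in  quick on fxp0 proto ipencap from 213.41.W.Z to 213.41.X.Y
pass out quick on fxp0 proto esp     from 213.41.X.Y to 213.41.W.Z
pass in  quick on fxp0 proto esp     from 213.41.W.Z to 213.41.X.Y
# Inner (private network) traffic, as posted in the thread.  Whether ipf sees
# the decapsulated packet on fxp0 or gif0 is not settled in the thread, so no
# "on" clause is given; check ipmon output for the interface before tightening.
pass out quick proto tcp from 192.168.0.0/17 to 192.168.128.0/17 keep state
```

The ipf rule for the inner traffic is the poster's own stateful rule; the thread reports that it did not work for him, and the example does not claim to fix that part.
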
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109210857.f8L8v0R34477>