Date: Thu, 7 Dec 2000 09:20:40 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: <freebsd-net@freebsd.org>, <freebsd-ipfw@freebsd.org>
Subject: IPFW & IPsec tunnel mode
Message-ID: <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>
Hi,

I have been setting up a VPN between two offices in the same company using FreeBSD + KAME ipsec. Works OK otherwise, but I think that ipfw capabilities should be enhanced to understand more about ipsec.

My setup is something like this:

Office A uses network nnn.nnn.nnn.0
Office B uses network mmm.mmm.mmm.0

Both have FreeBSD 4.1 as firewall; office A has public address aaa.aaa.aaa.aaa and office B has public address bbb.bbb.bbb.bbb.

First, I set up an IPsec policy to use tunnel mode between these networks, without using any ipfw rules (i.e. ipfw pass ip from any to any). Works without any problems.

Then, I limit traffic with ipfw:

Office A's firewall:
    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa
    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb

Office B's firewall:
    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb
    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa

Now, ESP packets are allowed through. But of course, no services (for example telnet) work, because they don't have any ipfw pass rule that they match. OK, I added the following rules to make telnet work:

Office A's firewall:
    ipfw add pass tcp from any to any established
    ipfw add pass tcp from mmm.mmm.mmm.0/24 to nnn.nnn.nnn.0/24 23 setup

Office B's firewall:
    ipfw add pass tcp from any to any established
    ipfw add pass tcp from nnn.nnn.nnn.0/24 to mmm.mmm.mmm.0/24 23 setup

Now telnet works and it looks like all is done. However, these last rules also allow hosts in nnn.nnn.nnn.0 & mmm.mmm.mmm.0 to exchange telnet traffic without IPsec, since there is no way to state in these rules that they should only match packets coming from a specific IPsec tunnel. I was unable to sleep my nights peacefully because I realized that if someone on the internet disguises himself as a nnn.nnn.nnn.0 or mmm.mmm.mmm.0 host my IPsec protection can be bypassed (I also realize that not everyone is capable of doing something like this).
So, I switched to using pipsecd, which passes tunnel packets to a tun device, and the problem was solved: I can add 'via tun0' to those last rules to make sure that they match only the packets coming from the tunnel. However, pipsecd only supports fixed keys and Kame seems more like the future way to go. Would it be possible to enhance ipfw & kame to work together better in the same way (like having some kind of name for each tunnel and allowing an ipfw rule to use them in a similar way as 'via' is used with interfaces)?

Ari S.

--
Ari Suutari <ari@suutari.iki.fi>
Lemi, Finland
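The gap the mail describes, modelled as an added example (not the author's configuration and not ipfw itself): a first-match evaluator over Office A's posted rules, plus a hardened variant in which the two telnet rules also require the kernel's IPsec history, which later versions of ipfw(8) expose as the `ipsec` rule option. The concrete addresses are constructed stand-ins for the mail's placeholders, and the hardened ruleset is an assumption about how that option would be applied here.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the mail's placeholders (nnn.*, mmm.*, aaa.*, bbb.*).
ANY = ip_network("0.0.0.0/0")
NET_A, NET_B = ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")
GW_A, GW_B = ip_network("192.0.2.1/32"), ip_network("198.51.100.1/32")

# flags: TCP flags as a frozenset; ipsec: the kernel's IPsec history, set only
# for packets that came out of an ESP decapsulation.
Pkt = namedtuple("Pkt", "proto src dst dport flags ipsec")

def rule(action, proto, src, dst, dport=None, setup=False, established=False, ipsec=False):
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport,
                setup=setup, established=established, ipsec=ipsec)

def matches(r, p):
    """One ipfw rule against one packet, reduced to the options the mail uses."""
    return (r["proto"] in ("ip", p.proto)
            and ip_address(p.src) in r["src"] and ip_address(p.dst) in r["dst"]
            and (r["dport"] is None or p.dport == r["dport"])
            and (not r["setup"] or ("SYN" in p.flags and "ACK" not in p.flags))
            and (not r["established"] or bool(p.flags & {"ACK", "RST"}))
            and (not r["ipsec"] or p.ipsec))   # `ipsec` option: decapsulated packets only

def verdict(rules, p):
    """First match wins; a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT denies the rest."""
    return next((r["action"] for r in rules if matches(r, p)), "deny")

# Office A's firewall exactly as posted in the mail.
OFFICE_A = [
    rule("pass", "esp", GW_B, GW_A),
    rule("pass", "esp", GW_A, GW_B),
    rule("pass", "tcp", ANY, ANY, established=True),
    rule("pass", "tcp", NET_B, NET_A, dport=23, setup=True),
]
# Assumed hardening: the two telnet rules additionally require IPsec history.
OFFICE_A_HARDENED = OFFICE_A[:2] + [
    rule("pass", "tcp", ANY, ANY, established=True, ipsec=True),
    rule("pass", "tcp", NET_B, NET_A, dport=23, setup=True, ipsec=True),
]

def demo():
    """Same telnet SYN from office B's range: once out of the ESP tunnel, once as cleartext."""
    syn = frozenset({"SYN"})
    tunnelled = Pkt("tcp", "10.2.0.5", "10.1.0.7", 23, syn, True)
    spoofed = Pkt("tcp", "10.2.0.5", "10.1.0.7", 23, syn, False)
    return {name: (verdict(OFFICE_A, p), verdict(OFFICE_A_HARDENED, p))
            for name, p in (("tunnelled", tunnelled), ("spoofed", spoofed))}
```

`demo()` returns, per packet, the verdict of the posted ruleset and of the hardened one: the cleartext packet with a forged office B source passes the posted rules but is denied once the telnet rules are tied to IPsec history.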