From owner-freebsd-stable Thu Nov 21 0:53:14 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C53EF37B401 for ; Thu, 21 Nov 2002 00:53:12 -0800 (PST) Received: from hugo10.ka.punkt.de (kagate.punkt.de [217.29.33.131]) by mx1.FreeBSD.org (Postfix) with SMTP id 4FAC943E6E for ; Thu, 21 Nov 2002 00:53:11 -0800 (PST) (envelope-from hausen@punkt.de) Received: from hugo10.ka.punkt.de (localhost [127.0.0.1]) by hugo10.ka.punkt.de (8.12.3/8.12.3) with ESMTP id gAL8qsZE076630; Thu, 21 Nov 2002 09:52:54 +0100 (CET) (envelope-from ry93@hugo10.ka.punkt.de) Received: (from ry93@localhost) by hugo10.ka.punkt.de (8.12.3/8.12.3/Submit) id gAL8qscD076629; Thu, 21 Nov 2002 09:52:54 +0100 (CET) From: "Patrick M. Hausen" Message-Id: <200211210852.gAL8qscD076629@hugo10.ka.punkt.de> Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS In-Reply-To: <200211210837.gAL8b4Se080747@sep.oldach.net> To: Helge Oldach Date: Thu, 21 Nov 2002 09:52:54 +0100 (CET) Cc: "Patrick M. Hausen" , archie@dellroad.org, guido@gvr.org, dkelly@HiWAAY.net, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL92 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi all! Helge Odach wrote: > > One question to Guido: why would it be necessary to add a new > > device - be it called esp0 or fxp_esp0 or similar - to tag the > > packets as coming from? Can't the decrypted packets just come > > from the already existing gif0 tunnel interface? > > Essentially because you don't need to use a gif interface at all if > you implement ESP tunnel mode. The only purpose for gif is to get the > routing straight, which is: You have a route to the remote inside > network via the gif interface, and you have a "public" route via the > real interface. Correct. > You can as well implement this by placing the internal route to an IP > address which has a static ARP entry with the MAC address of the public > default gateway. Been there, it works. Personally, I think the "locally connected subnet" method with a gif interface is simpler and better to recognise, but that's just my opinion ;-) > The core problem is that we have a single routing table only, and hence > we have a mix of internal and public routes. Consequently we will see > both internal and external packets on interfaces. Therefore I don't see > the need for an extra interface. Well, in this case - what would you suggest to differentiate packets that come in for the first time and packets that have been decrypted and come in again? If I have a setup with two LANs with RFC 1918 addresses coupled via two VPN boxes over the Internet, I need to: - deny packets with RFC 1918 addresses, when they come in from the Internet - but pass ESP and AH in when coming from the peer - divert everything else that is explicitely allowed to natd This part is quite easy. - at the same time pass RFC 1918 to RFC 1918 _without_ NAT if it _is_ a decrypted packet coming from the remote LAN This part is impossible at the moment with tunnel mode and ipfw. So you end up passing everything from private to private and cross your fingers - or use two machines on each side. The main point is - packet already seen and decrypted or not? I think I need to be able to check for this fact in ipfw rules. A separate interface for decrypted traffic would be _one_ possible method. Got a better one? Regards, Patrick -- punkt.de GmbH Internet - Dienstleistungen - Beratung Scheffelstr. 17 a Tel. 0721 9109 -0 Fax: -100 76135 Karlsruhe http://punkt.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message