Date: Sun, 7 Jul 2002 21:31:33 +0200
From: Paul Schenkeveld <fb-stable@psconsult.nl>
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: IPsec and IPfilter interaction
Message-ID: <20020707213133.A56630@psconsult.nl>
Hi All,

(Not sure if this is the right list to discuss this, point me to a better list please if I'm wrong.)

I'm trying to set up a small VPN between two Internet connected LANs. See below for the details.

Now I try to configure IPfilter. I'd like to filter all VPN traffic as soon as it comes out of the tunnel, but the traffic never passes the gif0 interface, as explained in http://asherah.dyndns.org/~josh/ipsec-howto.txt (got there from the FreeBSD handbook, chapter 10.9, through the link to http://www.daemonnews.org/200101/ipsec-howto.html):

    The configuration of the SPD for tunnel mode is very similar to that of
    transport mode. The major change that is done is the use of the gif(4)
    device to get the routing correct. Note that traffic is *not* transported
    through the gif(4) tunnel! Instead the IPsec code in the kernel grabs the
    packets according to the specified policy and wraps them with the correct
    IP addresses for the IPsec tunnel.

Tunnel traffic coming in on the external interface (fxp1) all looks like "proto ah" to IPfilter. It looks like I cannot access the TCP, UDP or ICMP payload at this point, which makes sense to me.

Does this mean that I can only filter TCP, UDP, ICMP traffic coming out of the tunnel when it leaves the firewall through the internal interface (fxp0)? So all listening sockets inside the firewall are completely open to traffic coming from the tunnel? Or am I wrong here and is there a way to completely screen all tunnel traffic after the IPsec encapsulation is peeled off?

Regards,

Paul Schenkeveld

........................................................................
The configuration is as follows:

                     10.0.1.0/24 internal LAN
    ------+----------------------------------
          |
      +-----------+
      |   fxp0    |
      | firewall1 |
      |   fxp1    |
      +-----------+
          | a.b.c.d
          +------> Internet <------+
                                   | e.f.g.h
                              +-----------+
                              |   fxp1    |
                              | firewall2 |
                              |   fxp0    |
                              +-----------+
                                   |
    -------------------------------+---------
                     10.0.2.0/24 internal LAN

I've set up IPsec as follows:

On firewall1:

    # rc.conf
    ifconfig_fxp0="inet 10.0.1.1 netmask 255.255.255.0"
    ifconfig_fxp1="inet a.b.c.d netmask x.x.x.x"
    ifconfig_gif0="inet 10.0.1.1 10.0.2.1"
    gifconfig_gif0="a.b.c.d e.f.g.h"
    static_routes="10_0_2"
    route_10_0_2="-net 10.0.2.0 -netmask 255.255.255.0 10.0.2.1"

    # ipsec.conf
    spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        esp/tunnel/a.b.c.d-e.f.g.h/require
        ah/transport/a.b.c.d-e.f.g.h/require;
    spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
        esp/tunnel/e.f.g.h-a.b.c.d/require
        ah/transport/e.f.g.h-a.b.c.d/require;
    add a.b.c.d e.f.g.h esp 0x10001 -E blowfish-cbc ... -A keyed-md5 ...;
    add e.f.g.h a.b.c.d esp 0x10002 -E blowfish-cbc ... -A keyed-md5 ...;
    add a.b.c.d e.f.g.h ah 0x10003 -A keyed-md5 ...;
    add e.f.g.h a.b.c.d ah 0x10004 -A keyed-md5 ...;

On firewall2:

    # rc.conf
    ifconfig_fxp0="inet 10.0.2.1 netmask 255.255.255.0"
    ifconfig_fxp1="inet e.f.g.h netmask x.x.x.x"
    ifconfig_gif0="inet 10.0.2.1 10.0.1.1"
    gifconfig_gif0="e.f.g.h a.b.c.d"
    static_routes="10_0_1"
    route_10_0_1="-net 10.0.1.0 -netmask 255.255.255.0 10.0.1.1"

    # ipsec.conf
    spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
        esp/tunnel/e.f.g.h-a.b.c.d/require
        ah/transport/e.f.g.h-a.b.c.d/require;
    spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
        esp/tunnel/a.b.c.d-e.f.g.h/require
        ah/transport/a.b.c.d-e.f.g.h/require;
    add a.b.c.d e.f.g.h esp 0x10001 -E blowfish-cbc ... -A keyed-md5 ...;
    add e.f.g.h a.b.c.d esp 0x10002 -E blowfish-cbc ... -A keyed-md5 ...;
    add a.b.c.d e.f.g.h ah 0x10003 -A keyed-md5 ...;
    add e.f.g.h a.b.c.d ah 0x10004 -A keyed-md5 ...;
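As an added illustration (not part of Paul's message), a constructed Python model of the packet stack the posted SPD produces (outer IP | AH | ESP | encrypted inner packet) and of what a filter can match on each interface. 192.0.2.1 and 198.51.100.1 stand in for a.b.c.d and e.f.g.h, and byte reversal stands in for the ESP cipher; the SPIs are the ones from the firewall2-to-firewall1 SAs above.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options, checksum left 0 (sample packet only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp_syn(sport, dport):
    """Minimal 20-byte TCP SYN header, checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)

def encapsulate(inner, outer_src, outer_dst, esp_spi, ah_spi, seq=1):
    """What esp/tunnel + ah/transport puts on the wire: outer IP | AH | ESP | ciphertext."""
    ciphertext = inner[::-1]          # stand-in for the ESP cipher: opaque, not real crypto
    esp = struct.pack("!II", esp_spi, seq) + ciphertext
    # AH: next header, length in 32-bit words minus 2 (24-byte AH -> 4), reserved, SPI, seq, 12-byte ICV
    ah = struct.pack("!BBHII", IPPROTO_ESP, 4, 0, ah_spi, seq) + b"\x00" * 12
    return ipv4(outer_src, outer_dst, IPPROTO_AH, ah + esp)

def view_on_fxp1(pkt):
    """Fields a filter on the external interface can match: outer IP, AH, ESP SPI. Nothing inside ESP."""
    ihl = (pkt[0] & 0x0F) * 4
    view = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])), "proto": pkt[9]}
    if view["proto"] == IPPROTO_AH:
        nxt, plen, _, spi, _ = struct.unpack("!BBHII", pkt[ihl:ihl + 12])
        view["ah_spi"] = spi
        off = ihl + (plen + 2) * 4
        if nxt == IPPROTO_ESP:
            view["esp_spi"] = struct.unpack("!I", pkt[off:off + 4])[0]
    return view

def view_on_fxp0(inner):
    """Fields visible only after the kernel has stripped AH/ESP and forwards the packet out fxp0."""
    ihl = (inner[0] & 0x0F) * 4
    view = {"src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])), "proto": inner[9]}
    if view["proto"] == IPPROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return view

def rule_block_tcp_to_port(view, dport):
    """Model of 'block in proto tcp from any to any port = dport': needs a visible TCP header."""
    return view["proto"] == IPPROTO_TCP and view.get("dport") == dport

# Constructed sample: a host on firewall2's LAN opens TCP/22 to firewall1's internal address
INNER = ipv4("10.0.2.7", "10.0.1.1", IPPROTO_TCP, tcp_syn(40000, 22))
OUTER = encapsulate(INNER, "198.51.100.1", "192.0.2.1", esp_spi=0x10002, ah_spi=0x10004)
```

On fxp1 the rule model only ever sees proto 51 and the two SPIs, so a port-based rule cannot match there; the same rule matches once the decapsulated packet is inspected, which is why the filtering point has to be after IPsec processing.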