Hello Bjoern,

Friday, July 30, 2004, 9:04:49 AM, Bjoern A. Zeeb wrote:

BAZ> I do not understand what you are trying to do but filtering ipsec
BAZ> encrypted packets in ipfw is available for quite some time now.
BAZ> I can and do check packets that:
BAZ> - come in encrypted and leave unencrypted
BAZ> - come in encrypted and leave encrypted
BAZ> - come in encrypted and leave re-encrypted
BAZ> - come in unencrypted and go out encrypted
BAZ> - come in encrypted and do not leave the system

OK. Let's set up a small demonstration.

  217.195.82.43 <--> VPN_router1 <--> [---INTERNET---]
                                             |
                                             |
            192.168.64.10 <---> VPN_router2 --+

Traffic between 217.195.82.43 and 192.168.64.10 is encrypted by ipsec in
esp/tunnel mode. ICMP is enabled, and pings go OK. Then I do (on VPN_router2):

  bash-2.05b# uname -sr
  FreeBSD 4.9-RELEASE
  bash-2.05b# ipfw add 1 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 count icmp from 192.168.64.10 to 217.195.82.43 in
  bash-2.05b# ipfw add 1 count icmp from 192.168.64.10 to 217.195.82.43 out
  00001 count icmp from 192.168.64.10 to 217.195.82.43 out
  bash-2.05b# ipfw sh 1
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out

After 4 pings from 217.195.82.43 to 192.168.64.10:

  bash-2.05b# ipfw sh 1
  00001 4 240 count icmp from 192.168.64.10 to 217.195.82.43 in
  00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out

while it obviously should be 4 of them in both rules. That is the problem
that bothers me.

To show that this is not purely theoretical, here is the scenario: we need
to establish a VPN with our customer. They request us to NAT all our outgoing
traffic, so that all packets will have the same src addr. natd rewrites the
src addr only on outgoing packets, but the outgoing packets never reach natd,
because they don't make it thru the ipfw rules. Tricky, eh?

So I see 3 choices so far:

1. patch libalias
2. patch the kernel (ip_output.c? ip_fw.c?)
3. use two separate boxes for nating and ipsekking.

So when you are saying:

BAZ> - come in unencrypted and go out encrypted

it is quite a surprise for me. What is your FreeBSD version? Can you confirm
that with a test like the above?

--
Best regards,
; Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:[EMAIL PROTECTED]
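The counter comparison from the test above, as an added example that is not part of the original mail or of FreeBSD: a small Python script that parses `ipfw show` output in the layout shown in the post (the sample lines are constructed) and reports flows whose in and out counters disagree, which is exactly how an outbound pass that never reaches ipfw shows up.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout `ipfw show` prints in the post:
# <rule> <packets> <bytes> count <proto> from <src> to <dst> <in|out>
# The first two lines are the post's own result; the second pair is a
# made-up symmetric flow for contrast.
SAMPLE_IPFW_SHOW = """\
00001 4 240 count icmp from 192.168.64.10 to 217.195.82.43 in
00001 0 0 count icmp from 192.168.64.10 to 217.195.82.43 out
00002 4 240 count icmp from 217.195.82.43 to 192.168.64.10 in
00002 4 240 count icmp from 217.195.82.43 to 192.168.64.10 out
"""

# Only simple "count <proto> from <src> to <dst> in|out" rules are parsed.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+count\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+(?P<dir>in|out)$"
)


def parse_count_rules(text):
    """Map (proto, src, dst) -> {"in": packets, "out": packets}."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not a plain count rule; ignore it
        key = (m["proto"], m["src"], m["dst"])
        flows[key][m["dir"]] = int(m["pkts"])
    return flows


def find_one_sided_flows(text):
    """Return [(flow, in_pkts, out_pkts)] for flows counted in one
    direction only, i.e. packets that entered the box but were never
    seen by ipfw on the way out (the post's IPsec + natd problem)."""
    bad = []
    for key, dirs in parse_count_rules(text).items():
        if "in" in dirs and "out" in dirs and dirs["in"] != dirs["out"]:
            bad.append((key, dirs["in"], dirs["out"]))
    return sorted(bad)
```

Feed it the real output of `ipfw show` and every flow it lists is one where outbound rules (and anything behind them, such as a natd divert) are not being hit.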