On Tue, Jan 15, 2002 at 01:34:29PM +0100, Alex Le Heux wrote:
> >
> > But doesn't ipsec stack already take care of this ? I think (hope)
> > that it doesn't process the packet if it is coming from wrong tunnel
> > because the packet does not match the policy.
>
> I'm not sure if it a
On Tue, Jan 15, 2002 at 02:22:17PM +0200, Ari Suutari wrote:
> Hi,
>
> On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
> >
> > > Maybe one could remove this, add 'ipsec' flag to ipfw
> > > (which would use the above ipsec_gethist to match it)
> > > so the syntax would be something
Hi,
On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
>
> > Maybe one could remove this, add 'ipsec' flag to ipfw
> > (which would use the above ipsec_gethist to match it)
> > so the syntax would be something like this:
> >
> > ipfw add pass tcp from a to b ipsec setup # m
On Tue, Jan 15, 2002 at 09:42:37AM +0200, Ari Suutari wrote:
> Hi,
>
> On Monday 14 January 2002 19:55, Rene de Vries wrote:
> > Kshitij,
> > A good solution, from my point of view, would be, instead of passing
> > everything from an ipsec tunnel, using ip-filter (&co, but without
> > dummye
Hi,
On Monday 14 January 2002 19:55, Rene de Vries wrote:
> Kshitij,
> A good solution, from my point of view, would be, instead of passing
> everything from an ipsec tunnel, using ip-filter (&co, but without
> dummynet) on emerging packets. These packets should then have a different
> inter
Gif tunnels are not the same thing as ipsec tunnels. For one, some ipsec
implementations simply won't work with gif tunnels. Furthermore the
administrative overhead when there are more than a few tunnels is
enormous. It is much simpler to have racoon do some (a lot) of the work
for you. Say, fo
nday, January 13, 2002 10:32 PM
> To: [EMAIL PROTECTED]
> Subject: Filtering packets received through an ipsec tunnel
>
>
> Hello,
>
>> This message was already posted to [EMAIL PROTECTED], but with
>> limited success. I'm hoping that someone on [EMAIL PROTECTED
> He was referring to using gif tunnels together with IPsec tunnel mode
> SAs (are you?) This "works" but precisely because of the side effect
> that Louis mentioned. A clean solution would use *either* IPIP tunnels
> (i.e. gif devices) and IPsec transport mode *or* IPsec tunnel mode (and
> no gi
Blaz Zupan wrote:
>>And before you suggest that the gif tunnels seen in all those IPSEC
>>examples actually have anything to do with IPSEC tunnels, please try
>>it and look again. It's completely uninvolved other than introducing
>>a route as a side-effect.
>>
>
> I'm not sure what you mean her
> And before you suggest that the gif tunnels seen in all those IPSEC
> examples actually have anything to do with IPSEC tunnels, please try
> it and look again. It's completely uninvolved other than introducing
> a route as a side-effect.
I'm not sure what you mean here, but shouldn't the follo
ived through an ipsec tunnel
...
I am worried about giving the network at the other end of the tunnel full
access to mine. In only a few of the many possible IPSec implementations do
both ends of the tunnel follow the same security policies. And even then I
might want to use filtering.
...
The problem, of course, is that tunnel-mode IPSEC is too coarse a
mechanism to implement security policy for some people. Imagine if
you will that you're using IPSEC in an "extranet" situation; that is,
to secure communication between two different parties. Perhaps between
you and your supplier
IL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Alex Le Heux
> Sent: Monday, January 14, 2002 6:43 PM
> To: Kshitij Gunjikar
> Cc: [EMAIL PROTECTED]
> Subject: Re: Filtering packets received through an ipsec tunnel
>
>
> Hi,
>
> I don't think this is quite
Heux
Sent: Monday, January 14, 2002 6:43 PM
To: Kshitij Gunjikar
Cc: [EMAIL PROTECTED]
Subject: Re: Filtering packets received through an ipsec tunnel
Hi,
I don't think this is quite correct.
The fact that I have a tunnel means I have some relation with the other
network, and that I do
10:32 PM
> To: [EMAIL PROTECTED]
> Subject: Filtering packets received through an ipsec tunnel
>
>
> Hello,
>
> > This message was already posted to [EMAIL PROTECTED], but with
> > limited success. I'm hoping that someone on [EMAIL PROTECTED] can give me
> &g
Hello
IPSec Tunnel security is working like this: You have to permit traffic to
the Tunnel, this you can do with Access-Lists on a Firewall (ie ipfw)
In the Tunnel, only permitted traffic will be transmitted, so you don't have
to filter packets coming from the IPSec Tunnel. It's not interesting
ailto:[EMAIL PROTECTED]]On Behalf Of Rene de Vries
Sent: Sunday, January 13, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: Filtering packets received through an ipsec tunnel
Hello,
> This message was already posted to [EMAIL PROTECTED], but with
> limited success. I'm hoping that s
Hello,
> This message was already posted to [EMAIL PROTECTED], but with
> limited success. I'm hoping that someone on [EMAIL PROTECTED] can give me
> some more information.
By experimenting with ipsec and looking at the source of "ip_input.c" a
co-worker and I found the following out.
When a