Date:      Fri, 28 Jul 2000 09:39:51 +0300
From:      "Ari Suutari" <ari@suutari.iki.fi>
To:        <freebsd-net@freebsd.org>
Subject:   IPSEC tunnel mode & ipfw
Message-ID:  <000801bff85e$a264ea00$0e05a8c0@intranet.syncrontech.com>

Hi,

I would like to run IPsec in tunnel mode between
two offices connected by the internet. Works OK otherwise,
but I cannot figure out how to use ipfw in this situation
so that the result is secure. Assume a packet
going from office A (192.168.1.xxx) to office B (192.168.2.xxx).


Host in A (192.168.1.2)
          |
Gateway/Firewall (192.168.1.1)
          |
   Internet
          |
Gateway/Firewall (192.168.2.1)
          |
Host in B (192.168.2.2)

The gateway machines run FreeBSD 4.0 currently.

When a packet comes to the firewall in office A, it is
tunneled by IPsec and sent to the gateway at office B via
the internet. No problem here. At office B I have an ipfw rule
which allows IPsec AH packets to come from
A's gateway. The firewall at B de-tunnels the packet and it
hits the firewall rules again. Now, for this to work
I have to have an ipfw rule allowing packets
from 192.168.1.xxx to 192.168.2.xxx, otherwise the
de-tunneled packet is dropped by ipfw. When I add this
rule, everything works fine.

However, I'm a little bit worried, since this last rule
would also allow packets through if someone pretends
to be 192.168.1.xxx since there is no way to tell ipfw
that the rule is valid only if the packet being examined
has arrived through IPsec tunnel.

I solved this temporarily by using pipsecd - now I can
trust that packets coming from interface tun0 have
gone through IPsec checks. However, I would like
to use the functionality available in kernel.

Any ideas, anyone?

      Ari S.
--
Ari Suutari <ari@suutari.iki.fi>
Lemi, Finland
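The dilemma in the message above, modelled as a small first-match packet filter so the three rulesets can be compared on the same packets. This is an added example, not code from the original post or from FreeBSD; the interface names ext0/tun0, the gateways' public addresses (documentation ranges) and the rule numbers are assumptions. The point it shows is the one Ari raises: with kernel IPsec the de-tunneled packet and a cleartext forgery from the internet look identical to ipfw, so the rule that admits one admits the other, and an anti-spoofing rule that blocks the forgery also blocks the real traffic; with pipsecd the trust boundary is the interface, so a rule can be bound to tun0.

```python
"""First-match packet-filter model of the IPsec tunnel + ipfw problem.

Added example; addresses, interface names and rule numbers are constructed
(assumed), not taken from the original message.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumed public gateway addresses (documentation ranges) and the two LANs
# from the message.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
LAN_A, LAN_B = "192.168.1.0/24", "192.168.2.0/24"
EXT_IF, TUN_IF = "ext0", "tun0"   # assumed: internet-facing interface, pipsecd's tun


class Packet(NamedTuple):
    proto: str      # "ah", "tcp", ...
    src: str
    dst: str
    recv_if: str    # interface the packet was received on


class Rule(NamedTuple):
    num: int
    action: str                     # "allow" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # CIDR; "0.0.0.0/0" = any
    dst: str
    recv_if: Optional[str] = None   # None: match regardless of interface


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipfw-style match: protocol, source net, destination net, receive interface."""
    return (rule.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.recv_if in (None, pkt.recv_if))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Lowest-numbered matching rule wins; ipfw's implicit rule 65535 denies the rest."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.action, rule.num
    return "deny", 65535


# Constructed sample packets as seen by gateway B.
OUTER = Packet("ah", GW_A, GW_B, EXT_IF)                          # the tunnel packet itself
INNER_EXT = Packet("tcp", "192.168.1.2", "192.168.2.2", EXT_IF)   # de-tunneled by kernel IPsec
INNER_TUN = Packet("tcp", "192.168.1.2", "192.168.2.2", TUN_IF)   # de-tunneled by pipsecd
SPOOFED = Packet("tcp", "192.168.1.77", "192.168.2.2", EXT_IF)    # cleartext forgery from the internet

# Design 1: kernel IPsec.  ipfw cannot tell the de-tunneled packet from a
# forgery, so rule 200 cannot be bound to anything that distinguishes them.
KERNEL_RULES = [
    Rule(100, "allow", "ah", GW_A + "/32", GW_B + "/32", EXT_IF),
    Rule(200, "allow", "ip", LAN_A, LAN_B),
]
# Design 1 plus the obvious anti-spoofing rule: private source on the outside.
KERNEL_ANTISPOOF = KERNEL_RULES + [Rule(50, "deny", "ip", LAN_A, "0.0.0.0/0", EXT_IF)]
# Design 2: pipsecd.  Authenticated traffic surfaces on tun0, so the LAN-to-LAN
# rule is bound to that interface and the anti-spoofing rule is safe to add.
TUN_RULES = [
    Rule(100, "allow", "ah", GW_A + "/32", GW_B + "/32", EXT_IF),
    Rule(200, "allow", "ip", LAN_A, LAN_B, TUN_IF),
    Rule(300, "deny", "ip", LAN_A, "0.0.0.0/0", EXT_IF),
]


def kernel_design() -> Dict[str, Tuple[str, int]]:
    return {"outer": evaluate(KERNEL_RULES, OUTER),
            "inner": evaluate(KERNEL_RULES, INNER_EXT),
            "spoofed": evaluate(KERNEL_RULES, SPOOFED)}   # forgery is allowed too


def kernel_design_with_antispoof() -> Dict[str, Tuple[str, int]]:
    return {"inner": evaluate(KERNEL_ANTISPOOF, INNER_EXT),   # real traffic now denied
            "spoofed": evaluate(KERNEL_ANTISPOOF, SPOOFED)}


def tun0_design() -> Dict[str, Tuple[str, int]]:
    return {"outer": evaluate(TUN_RULES, OUTER),
            "inner": evaluate(TUN_RULES, INNER_TUN),
            "spoofed": evaluate(TUN_RULES, SPOOFED)}   # only the forgery is denied


if __name__ == "__main__":
    for name, fn in (("kernel IPsec", kernel_design),
                     ("kernel IPsec + anti-spoof", kernel_design_with_antispoof),
                     ("pipsecd/tun0", tun0_design)):
        print(name)
        for pkt, verdict in fn().items():
            print(f"  {pkt:8s} -> {verdict[0]} (rule {verdict[1]})")
```

Run it to see the three verdict tables side by side: the kernel design admits the forgery on rule 200, the anti-spoofing rule then denies the legitimate de-tunneled packet on rule 50, and only the tun0-bound design separates the two.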
