Date: Fri, 28 Jul 2000 09:39:51 +0300
From: "Ari Suutari" <ari@suutari.iki.fi>
To: <freebsd-net@freebsd.org>
Subject: IPSEC tunnel mode & ipfw
Message-ID: <000801bff85e$a264ea00$0e05a8c0@intranet.syncrontech.com>
Hi,

I would like to run IPsec in tunnel mode between two offices connected by the internet. Works OK otherwise, but I cannot figure out how to use ipfw in this situation so that the result is secure.

Assume a packet going from office A (192.168.1.xxx) to office B (192.168.2.xxx).

    Host in A (192.168.1.2)
      |
    Gateway/Firewall (192.168.1.1)
      |
    Internet
      |
    Gateway/Firewall (192.168.2.1)
      |
    Host in B (192.168.2.2)

The gateway machines run FreeBSD 4.0 currently.

When a packet comes to the firewall in office A, it is tunneled by IPsec and sent to the gateway at office B via the internet. No problem here. At office B I have an ipfw rule which allows IPsec AH packets to come from A's gateway. The firewall at B de-tunnels the packet and it hits the firewall rules again. Now, for this to work I have to have an ipfw rule allowing packets from 192.168.1.xxx to 192.168.2.xxx, otherwise the de-tunneled packet is dropped by ipfw. When I add this rule, everything works fine.

However, I'm a little bit worried, since this last rule would also allow packets through if someone pretends to be 192.168.1.xxx, since there is no way to tell ipfw that the rule is valid only if the packet being examined has arrived through the IPsec tunnel.

I solved this temporarily by using pipsecd - now I can trust that packets coming from interface tun0 have gone through IPsec checks. However, I would like to use the functionality available in the kernel.

Any ideas anyone?

Ari S.

--
Ari Suutari <ari@suutari.iki.fi>
Lemi, Finland

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
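The two rulesets the mail describes, side by side, as an added illustration (this is not Ari's own configuration): the address-only rule that kernel IPsec forces on gateway B, and the tun0-bound rule that the pipsecd workaround allows. The interface name fxp0, the public address 203.0.113.1 for A's gateway, and the anti-spoofing rule 150 are assumptions; FWCMD defaults to echo so the script only prints the rules.

```sh
#!/bin/sh
# Added illustration of the rulesets discussed in the mail, not the poster's
# own configuration. Assumed: fxp0 is the internet-facing interface of B's
# gateway, 203.0.113.1 (a documentation address) is A's gateway, tun0 is the
# interface pipsecd writes decrypted packets to. FWCMD defaults to "echo ipfw"
# so running this only prints the rules; set FWCMD=/sbin/ipfw to load them.
FWCMD=${FWCMD:-"echo ipfw"}
GW_A="203.0.113.1"
NET_A="192.168.1.0/24"
NET_B="192.168.2.0/24"
EXT_IF="fxp0"

# Kernel IPsec on FreeBSD 4.0: the de-tunneled packet re-enters ipfw with no
# mark saying it came out of the tunnel, so rule 200 can only match on
# addresses. It therefore also passes a cleartext packet from the internet
# whose source address is forged as 192.168.1.x (the hole the mail describes).
weak_ruleset() {
    $FWCMD add 100 allow ah from "$GW_A" to me in via "$EXT_IF"
    $FWCMD add 110 allow ah from me to "$GW_A" out via "$EXT_IF"
    $FWCMD add 200 allow ip from "$NET_A" to "$NET_B"
    $FWCMD add 210 allow ip from "$NET_B" to "$NET_A"
    $FWCMD add 65000 deny ip from any to any
}

# pipsecd: decrypted traffic appears as input on tun0, so the inter-office
# rule can be bound to that interface. Rule 150 (an anti-spoofing rule added
# here, not mentioned in the mail) then drops 192.168.1.x arriving in the
# clear on the internet side; the AH rules still admit the protected packets
# that pipsecd picks up and decrypts.
tun_ruleset() {
    $FWCMD add 100 allow ah from "$GW_A" to me in via "$EXT_IF"
    $FWCMD add 110 allow ah from me to "$GW_A" out via "$EXT_IF"
    $FWCMD add 150 deny ip from "$NET_A" to any in via "$EXT_IF"
    $FWCMD add 200 allow ip from "$NET_A" to "$NET_B" in via tun0
    $FWCMD add 210 allow ip from "$NET_B" to "$NET_A" out via tun0
    $FWCMD add 65000 deny ip from any to any
}
```

Rule 150 in the second set would break the first set, since a kernel-de-tunneled packet is still seen as arriving in via fxp0, which is exactly why the interface-based check only works once decryption hands the packet to tun0.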