From owner-freebsd-net Thu Jul 27 23:38:50 2000
Delivered-To: freebsd-net@freebsd.org
Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by hub.freebsd.org (Postfix) with ESMTP id 4EA8437B663 for ; Thu, 27 Jul 2000 23:38:46 -0700 (PDT) (envelope-from ari@suutari.iki.fi)
Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3]) by osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id JAA03457 for ; Fri, 28 Jul 2000 09:38:44 +0300 (EEST) (envelope-from ari@suutari.iki.fi)
Message-ID: <000801bff85e$a264ea00$0e05a8c0@intranet.syncrontech.com>
From: "Ari Suutari"
To:
Subject: IPSEC tunnel mode & ipfw
Date: Fri, 28 Jul 2000 09:39:51 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I would like to run IPsec in tunnel mode between two offices connected by the internet. It works OK otherwise, but I cannot figure out how to use ipfw in this situation so that the result is secure.

Assume a packet going from office A (192.168.1.xxx) to office B (192.168.2.xxx).

    Host in A (192.168.1.2)
              |
    Gateway/Firewall (192.168.1.1)
              |
    Internet
              |
    Gateway/Firewall (192.168.2.1)
              |
    Host in B (192.168.2.2)

The gateway machines run FreeBSD 4.0 currently.

When a packet comes to the firewall in office A, it is tunneled by IPsec and sent to the gateway at office B via the internet. No problem here. At office B I have an ipfw rule which allows IPsec AH packets to come from A's gateway. The firewall at B de-tunnels the packet and it hits the firewall rules again. Now, for this to work I have to have an ipfw rule allowing packets from 192.168.1.xxx to 192.168.2.xxx, otherwise the de-tunneled packet is dropped by ipfw. When I add this rule, everything works fine.
However, I'm a little bit worried, since this last rule would also allow packets through if someone pretends to be 192.168.1.xxx, since there is no way to tell ipfw that the rule is valid only if the packet being examined has arrived through the IPsec tunnel.

I solved this temporarily by using pipsecd - now I can trust that packets coming from interface tun0 have gone through IPsec checks. However, I would like to use the functionality available in the kernel.

Any ideas, anyone?

    Ari S.

--
Ari Suutari
Lemi, Finland
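The gap Ari describes can be made concrete with a small model of ipfw's first-match evaluation at B's gateway. This is an added example, not code from the post or from FreeBSD: interface names (fxp0 as the Internet-facing interface, tun0 as the pipsecd interface) and the `ipsec_history` flag are constructed for the model. The flag stands in for the `ipsec` match option that later ipfw versions added for exactly this purpose (matching packets the kernel decapsulated from an IPsec SA), which FreeBSD 4.0's ipfw did not have. The model also assumes that a kernel-decapsulated packet is re-examined with the outer packet's receiving interface, which is why an interface-based rule helps with pipsecd but not with in-kernel IPsec. A small audit helper flags site-to-site allow rules that carry neither constraint.

```python
"""Model of the ipfw decision at office B's gateway: a site-to-site allow
rule with no tunnel constraint also admits spoofed packets.  Added example,
not code from the original post or from FreeBSD; interface names and the
ipsec_history flag are constructed for the model."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

OFFICE_A = ip_network("192.168.1.0/24")  # office A range from the post
OFFICE_B = ip_network("192.168.2.0/24")  # office B range from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str                   # interface ipfw sees the packet arriving on
    ipsec_history: bool = False  # modelled: kernel decapsulated it from an SA


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    via: Optional[str] = None      # like ipfw "in via <iface>"
    require_ipsec: bool = False    # like the later ipfw "ipsec" match option


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match the packet?  Address, interface and IPsec
    history must all agree; unset constraints match anything."""
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.require_ipsec and not pkt.ipsec_history:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def unconstrained_site_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: allow rules between the two office ranges that neither
    pin an interface nor require IPsec history are spoofable from outside."""
    return [r for r in rules
            if r.action == "allow" and r.src == OFFICE_A and r.dst == OFFICE_B
            and r.via is None and not r.require_ipsec]


# Three candidate rulesets at B's gateway.
WEAK = [Rule("allow", OFFICE_A, OFFICE_B)]                    # the rule in the post
BY_IFACE = [Rule("allow", OFFICE_A, OFFICE_B, via="tun0")]    # pipsecd workaround
BY_IPSEC = [Rule("allow", OFFICE_A, OFFICE_B, require_ipsec=True)]

# Constructed sample packets as ipfw would see them at B's gateway.
# fxp0 is an assumed name for the Internet-facing interface.
SPOOFED = Packet("192.168.1.2", "192.168.2.2", iface="fxp0")
DECAP_KERNEL = Packet("192.168.1.2", "192.168.2.2", iface="fxp0", ipsec_history=True)
DECAP_PIPSECD = Packet("192.168.1.2", "192.168.2.2", iface="tun0")


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("by_iface", BY_IFACE), ("by_ipsec", BY_IPSEC)):
        print(f"{name:9s} spoofed={evaluate(rules, SPOOFED):5s} "
              f"kernel={evaluate(rules, DECAP_KERNEL):5s} "
              f"pipsecd={evaluate(rules, DECAP_PIPSECD):5s} "
              f"spoofable_rules={len(unconstrained_site_rules(rules))}")
```

Running it shows the weak ruleset accepting the spoofed packet, the interface-pinned ruleset accepting only the pipsecd path, and the IPsec-history ruleset accepting only what the kernel actually decapsulated.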