From: Daniel Duerr <dd@ouido.net>
Subject: PF + gif + ipsec + racoon + routing problems results in insecure ipsec vpn
Message-Id: <7B4DFFE4-1689-4A48-B756-4272F0B7809D@ouido.net>
Date: Thu, 16 May 2013 18:15:12 -0700
To: freebsd-security@freebsd.org

Hi everyone,

I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long so I am providing a link to it here:

http://forums.freebsd.org/showthread.php?t=39595

In summary, it seems that when the packets are routed into the gateway from local network hosts, the src and dst addresses are changed to the public IPs of the tunnel -- at least from the perspective of the ipsec stack. This is breaking the ESP encryption in certain cases. I found a workaround, but it is not what is documented in the handbook.

In short, if you set up a vpn per the FreeBSD Handbook article that I mention in my post, you are left with a most-insecure vpn which you believe is secure. Traffic is only secure *between* the two gateways, but *not* between hosts behind those gateways (i.e. private hosts at either site).

(I apologize in advance if I'm breaking a mailing list rule by pointing you all to the forum URL -- I'm somewhat new to the list).

Thanks,
Daniel
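The failure Daniel describes (gateway-to-gateway traffic is ESP, but LAN-to-LAN traffic crosses the external interface in the clear) is easy to confirm or rule out with a capture on the gateway's outside interface: on a healthy tunnel-mode setup the only packets between the two sites that appear there are ESP between the two public IPs, and no packet with a site-private source or destination should ever be visible. The script below is an added example, not code from Daniel's post or from the FreeBSD Handbook; it parses tcpdump-style output and reports any non-ESP packet that involves a site-private address. The capture lines, the gateway addresses 203.0.113.1 and 198.51.100.1, and the LAN prefixes 10.0.0.0/24 and 10.1.0.0/24 are all constructed assumptions for the demonstration.

```python
"""
Audit a tcpdump capture from a VPN gateway's external interface and flag
inter-site traffic that left the box without ESP protection.

Added example (not from the original post or the FreeBSD Handbook).  The
public gateway IPs, the site LAN prefixes and the capture text are all
constructed for illustration.
"""
import ipaddress
import re

# Constructed sample of what `tcpdump -ni <external_if>` might print.
# Lines 1-2: what a correctly working tunnel looks like (ESP between the
# gateway public IPs only).  Lines 3-4: the failure mode in the post, LAN
# hosts talking to each other in the clear across the public interface.
# Line 5: IKE between the gateways, which is expected and not a leak.
SAMPLE_CAPTURE = """\
18:14:53.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x1), length 116
18:14:53.000002 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0000dcba,seq=0x1), length 116
18:14:53.000003 IP 10.0.0.5.49152 > 10.1.0.7.22: Flags [S], seq 1, win 65535, length 0
18:14:53.000004 IP 10.1.0.7.22 > 10.0.0.5.49152: Flags [S.], seq 1, ack 2, win 65535, length 0
18:14:53.000005 IP 203.0.113.1.500 > 198.51.100.1.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]
"""

# Assumed private networks behind the two gateways.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")]

# Matches tcpdump's IPv4 summary: "IP a.b.c.d[.port] > e.f.g.h[.port]: <rest>"
_LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)"
)


def _is_site_addr(addr, site_nets):
    """True if addr belongs to one of the private site networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in site_nets)


def parse_capture(text):
    """Return (src, dst, is_esp) for every IPv4 line in the capture text."""
    packets = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        # tcpdump prints the ESP header right after the address pair.
        is_esp = m.group("rest").startswith("ESP(")
        packets.append((m.group("src"), m.group("dst"), is_esp))
    return packets


def find_cleartext_leaks(text, site_nets=SITE_NETS):
    """Return (src, dst) for packets seen on the external interface that
    involve a site-private address but are not ESP.  These are packets the
    IPsec SPD should have caught; on a correctly working gateway the list
    is empty."""
    leaks = []
    for src, dst, is_esp in parse_capture(text):
        touches_site = _is_site_addr(src, site_nets) or _is_site_addr(dst, site_nets)
        if touches_site and not is_esp:
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    leaks = find_cleartext_leaks(SAMPLE_CAPTURE)
    if not leaks:
        print("no cleartext inter-site traffic seen on external interface")
    for src, dst in leaks:
        print(f"CLEARTEXT on external interface: {src} -> {dst}")
```

To use this against a real gateway, run `tcpdump -ni <external_if> -c 500 > capture.txt` while generating traffic between a host at each site, then feed the file to `find_cleartext_leaks`; any hit means the private-to-private flow bypassed the IPsec policy, which is exactly the condition the post warns about, regardless of whether the gateway-to-gateway ESP looks healthy.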