From: "Ari Suutari" <ari@suutari.iki.fi>
To: freebsd-net@FreeBSD.ORG
Subject: IPFW & IPsec tunnel mode
Date: Thu, 7 Dec 2000 09:20:40 +0200
Message-ID: <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>

Hi,

I have been setting up a VPN between two offices in the same company using FreeBSD + KAME IPsec. It works OK otherwise, but I think that the ipfw capabilities should be enhanced to understand more about IPsec.

My setup is something like this:

    Office A uses network nnn.nnn.nnn.0
    Office B uses network mmm.mmm.mmm.0

Both have FreeBSD 4.1 as firewall; office A has public address aaa.aaa.aaa.aaa and office B has public address bbb.bbb.bbb.bbb.

First, I set up an IPsec policy to use tunnel mode between these networks, without using any ipfw rules (i.e. ipfw pass ip from any to any). Works without any problems.

Then, I limit traffic with ipfw:

Office A's firewall:

    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa
    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb

Office B's firewall:

    ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb
    ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa

Now, ESP packets are allowed through. But of course, no services (for example telnet) work, because they don't have any ipfw pass rule that they match. OK, I added the following rules to make telnet work:

Office A's firewall:

    ipfw add pass tcp from any to any established
    ipfw add pass tcp from mmm.mmm.mmm.0/24 to nnn.nnn.nnn.0/24 23 setup

Office B's firewall:

    ipfw add pass tcp from any to any established
    ipfw add pass tcp from nnn.nnn.nnn.0/24 to mmm.mmm.mmm.0/24 23 setup

Now telnet works and it looks like all is done. However, these last rules allow hosts in nnn.nnn.nnn.0 & mmm.mmm.mmm.0 to exchange telnet traffic without IPsec also, since there is no way to state in these rules that they should only match packets coming from a specific IPsec tunnel.

I was unable to sleep my nights peacefully because I realized that if someone on the internet disguises himself as a nnn.nnn.nnn.0 or mmm.mmm.mmm.0 host, my IPsec protection can be bypassed (I also realize that not everyone is capable of doing something like this).

So, I switched to using pipsecd, which passes tunnel packets to a tun device, and the problem was solved: I can add 'via tun0' to those last rules to make sure that they match only the packets coming from the tunnel.

However, pipsecd only supports fixed keys and KAME seems more like the future way to go. Would it be possible to enhance ipfw & KAME to work together better in the same way (like having some kind of name for each tunnel and allowing an ipfw rule to use them in a similar way as 'via' is used with interfaces)?

Ari S.

--
Ari Suutari
Lemi, Finland
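The gap described in the post can be made concrete with a small model of ipfw's first-match rule evaluation. This is an added example, not code from the post, from ipfw or from KAME: it models just the rule options the post uses (protocol, source/destination network, destination port, `setup`, `established`, `via`) and evaluates the two rulesets against three constructed packets. The addresses are RFC 5737 documentation ranges standing in for the post's placeholders (192.0.2.0/24 for nnn.nnn.nnn.0, 198.51.100.0/24 for mmm.mmm.mmm.0, 203.0.113.1 and 203.0.113.2 for aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb), and `fxp0` is an assumed name for the outside interface; `tun0` is the pipsecd interface from the post.

```python
# Model of ipfw first-match evaluation for the rules in the post (added example,
# not ipfw's own code). Addresses are RFC 5737 placeholders standing in for the
# post's nnn/mmm/aaa/bbb networks; "fxp0" is an assumed outside interface name.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "pass" or "deny"
    proto: str                   # "ip" matches everything, else "tcp", "esp", ...
    src: str                     # CIDR/host or "any"
    dst: str
    dport: Optional[int] = None  # destination port, TCP only
    setup: bool = False          # ipfw 'setup': SYN without ACK
    established: bool = False    # ipfw 'established': ACK or RST set
    via: Optional[str] = None    # ipfw 'via <iface>'


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False
    iface: str = "fxp0"          # interface the packet is seen on


def _net_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _net_match(rule.src, pkt.src) or not _net_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    if rule.established and not pkt.ack:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; nothing matching means the default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Office A's ruleset exactly as posted (KAME: decrypted packets are not tagged).
OFFICE_A_POSTED = [
    Rule("pass", "esp", "203.0.113.2", "203.0.113.1"),
    Rule("pass", "esp", "203.0.113.1", "203.0.113.2"),
    Rule("pass", "tcp", "any", "any", established=True),
    Rule("pass", "tcp", "198.51.100.0/24", "192.0.2.0/24", dport=23, setup=True),
]

# Same ruleset with 'via tun0' on the telnet rules, as the post does with pipsecd.
OFFICE_A_TUNNEL_AWARE = [
    Rule("pass", "esp", "203.0.113.2", "203.0.113.1"),
    Rule("pass", "esp", "203.0.113.1", "203.0.113.2"),
    Rule("pass", "tcp", "any", "any", established=True, via="tun0"),
    Rule("pass", "tcp", "198.51.100.0/24", "192.0.2.0/24", dport=23, setup=True, via="tun0"),
]

# Constructed sample packets as seen by office A's firewall.
ESP_IN = Packet("esp", "203.0.113.2", "203.0.113.1")
TELNET_VIA_TUNNEL = Packet("tcp", "198.51.100.5", "192.0.2.10", dport=23, syn=True, iface="tun0")
TELNET_CLEARTEXT = Packet("tcp", "198.51.100.5", "192.0.2.10", dport=23, syn=True, iface="fxp0")


def cleartext_bypass_possible(rules: List[Rule]) -> bool:
    """True if an inside-to-inside telnet SYN arriving in the clear is passed."""
    return evaluate(rules, TELNET_CLEARTEXT) == "pass"


if __name__ == "__main__":
    for name, rules in (("posted", OFFICE_A_POSTED), ("tunnel-aware", OFFICE_A_TUNNEL_AWARE)):
        print(name, "esp:", evaluate(rules, ESP_IN),
              "tunnel telnet:", evaluate(rules, TELNET_VIA_TUNNEL),
              "cleartext telnet:", evaluate(rules, TELNET_CLEARTEXT))
```

Running it shows the posted ruleset passing the cleartext telnet SYN (the bypass the post worries about) while the tunnel-aware ruleset passes only the copy arriving over `tun0`; ESP itself is passed by both. Later FreeBSD releases addressed this need directly with the `ipsec` match option in ipfw(8) and the enc(4) pseudo-interface for filtering decrypted IPsec traffic, which is the "name for each tunnel" idea the post asks for.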