Date: Mon, 4 Dec 2000 08:43:32 +0200
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "Dominick LaTrappe" <seraf@2600.com>
Cc: <freebsd-net@freebsd.org>
Subject: Re: filtering ipsec traffic (fwd)
Message-ID: <001801c05dbd$859d1400$0e05a8c0@intranet.syncrontech.com>
References: <Pine.NEB.4.21.0012011404440.20734-100000@phalse.2600.com>
Hi,
> On Fri, 1 Dec 2000, Ari Suutari wrote:
> > But what if we are running in IPsec tunnel mode ?
>
> Then there's no problem. Please read the original post.
I thought that I read it but maybe I didn't understand.
>
> > Last time I tried that adding on 'ipfw pass any from 192.168.x.x .....'
> > also allowed non-ipsec traffic between these nodes.
>
> Of course, because you didn't specify any particular protocol in the rule.
Hmmm (I tested this with FreeBSD 4.1). I didn't want any protocol
limitation between VPN sites, since they trust each other (they
are just different offices in the same company). I just wanted that
between IPsec tunnel gateways only esp is allowed and there
are no limitations between VPN sites *EXCEPT* that packets
must be coming through the IPsec tunnel. So what I was missing
is something like
ipfw pass any from 192.168.x.x to .... via this-ipsec-tunnel
I am able to configure the system this way when using pipsecd, since
it passes traffic coming from the tunnel to a tunX device.
> > This is a security hole, which allows someone to
> > send packets with spoofed source address to your system.
>
> IP spoofing is a routing issue, totally irrelevant to this thread.
The spoofing was only one problem that comes to my mind
with this. The real problem is that I wasn't able to force use
of IPsec with ipfw + kame.
Ari S.
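The pipsecd-style ruleset Ari describes, written out as an added example (it is not from this thread or from the FreeBSD project): ESP only between the two gateway addresses, unrestricted traffic between the office networks but only when it passes through the tunnel device, and a drop for any packet carrying a site address that shows up in the clear on the public interface. It assumes pipsecd presents decrypted traffic on a tun device (tun0 here); with KAME IPsec there is no such device, which is exactly the gap the post points out, so the "via tun0" rules have nothing to match there. All addresses, interface names and rule numbers are constructed; by default the script only prints the ipfw commands (dry run), and setting FWCMD=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. An rc.firewall-style
# ruleset for the pipsecd case: decrypted tunnel traffic appears on a tunN
# device, so "via tunN" can be used to force inter-site traffic through IPsec.
# Every address, interface and rule number below is an assumption.

FWCMD="${FWCMD:-echo ipfw}"   # dry run by default; FWCMD=/sbin/ipfw to apply

OUTSIDE_IF="fxp0"             # assumed public interface of this gateway
TUN_IF="tun0"                 # assumed pipsecd tunnel device
GW_LOCAL="203.0.113.1"        # assumed: this gateway's public address (constructed)
GW_REMOTE="198.51.100.1"      # assumed: peer gateway's public address (constructed)
NET_LOCAL="192.168.1.0/24"    # assumed: this office's LAN (constructed)
NET_REMOTE="192.168.2.0/24"   # assumed: remote office's LAN (constructed)

ipsec_ruleset() {
    # 1. Between the two gateway addresses only ESP (IP protocol 50) is allowed.
    $FWCMD add 1000 pass esp from "$GW_LOCAL" to "$GW_REMOTE"
    $FWCMD add 1010 pass esp from "$GW_REMOTE" to "$GW_LOCAL"
    # If a keying daemon were in use, IKE (udp/500) between the gateways would
    # also be needed; the post does not mention one, so it stays commented out.
    # $FWCMD add 1020 pass udp from "$GW_LOCAL" 500 to "$GW_REMOTE" 500
    # $FWCMD add 1021 pass udp from "$GW_REMOTE" 500 to "$GW_LOCAL" 500

    # 2. No protocol restrictions between the offices, but only for packets
    #    that entered or leave through the tunnel device.
    $FWCMD add 2000 pass ip from "$NET_LOCAL" to "$NET_REMOTE" via "$TUN_IF"
    $FWCMD add 2010 pass ip from "$NET_REMOTE" to "$NET_LOCAL" via "$TUN_IF"

    # 3. A site address seen in the clear on the public interface never came
    #    through the tunnel (real tunnel traffic is ESP between the gateways):
    #    drop and log it. This closes the spoofing case mentioned in the thread.
    $FWCMD add 3000 deny log ip from "$NET_REMOTE" to any in via "$OUTSIDE_IF"
    $FWCMD add 3010 deny log ip from any to "$NET_REMOTE" out via "$OUTSIDE_IF"
    $FWCMD add 3020 deny log ip from "$NET_LOCAL" to any in via "$OUTSIDE_IF"

    # 4. Default deny; a production ruleset adds its management rules above this.
    $FWCMD add 65000 deny ip from any to any
}

ipsec_ruleset
```

Rule order matters: the tunnel "pass ... via tun0" rules must come before the anti-spoofing denies, and the denies before the default deny, because ipfw stops at the first matching rule. Packets to the remote office are routed to tun0 first, so they match rule 2000 before pipsecd wraps them in ESP and the ESP packet (now with gateway addresses) matches rule 1000 on the way out.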
