From owner-freebsd-net Sun Dec 3 22:43:43 2000
From owner-freebsd-net@FreeBSD.ORG Sun Dec 3 22:43:41 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by hub.freebsd.org (Postfix) with ESMTP id E3A2A37B401 for ; Sun, 3 Dec 2000 22:43:40 -0800 (PST)
Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3]) by osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id IAA76655; Mon, 4 Dec 2000 08:43:32 +0200 (EET) (envelope-from ari@suutari.iki.fi)
Message-ID: <001801c05dbd$859d1400$0e05a8c0@intranet.syncrontech.com>
From: "Ari Suutari"
To: "Dominick LaTrappe"
Cc:
References:
Subject: Re: filtering ipsec traffic (fwd)
Date: Mon, 4 Dec 2000 08:43:32 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

> On Fri, 1 Dec 2000, Ari Suutari wrote:
> > But what if we are running in IPsec tunnel mode ?
>
> Then there's no problem. Please read the original post.

I thought that I read it, but maybe I didn't understand.

> > Last time I tried that adding on 'ipfw pass any from 192.168.x.x .....'
> > also allowed non-ipsec traffic between these nodes.
>
> Of course, because you didn't specify any particular protocol in the rule.

Hmmm (I tested this with FreeBSD 4.1). I didn't want any protocol limitation between VPN sites, since they trust each other (they are just different offices in the same company). I just wanted that between IPsec tunnel gateways only ESP is allowed, and that there are no limitations between VPN sites *EXCEPT* that packets must be coming through the IPsec tunnel. So what I was missing is something like

    ipfw pass any from 192.168.x.x to .... via this-ipsec-tunnel

I am able to configure the system this way when using pipsecd, since it passes traffic coming from the tunnel to a tunX device.

> > This is a security hole, which allows someone to
> > send packets with spoofed source address to your system.
>
> IP spoofing is a routing issue, totally irrelevant to this thread.

The spoofing was only one problem that comes to my mind with this. The real problem is that I wasn't able to force use of IPsec with ipfw + kame.

Ari S.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
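The rule shape Ari describes, placed beside a tightened ruleset that accepts inner traffic only when ipfw can see it came out of the tunnel; this is an added example, not code from the thread or from FreeBSD. It assumes an ipfw that understands the "ipsec" rule option and a kernel that decapsulates before filtering; the gateway and office addresses and the interface name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ipfw with the "ipsec" rule
# option and decapsulation before filtering (net.inet.ipsec.filtertunnel=1 on
# current FreeBSD is assumed to be the knob). Addresses are constructed.
GW_A=192.0.2.1          # local IPsec tunnel gateway (constructed)
GW_B=198.51.100.1       # remote IPsec tunnel gateway (constructed)
NET_A=192.168.1.0/24    # local office network (constructed)
NET_B=192.168.2.0/24    # remote office network (constructed)
OUTSIDE=${OUTSIDE:-em0} # external interface (assumed name)

# Apply with IPFW_APPLY=1 on a FreeBSD box; otherwise just print the rules.
ipfw_add() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then
        ipfw add "$@"
    else
        echo "ipfw add $*"
    fi
}

# What the thread describes: inner traffic is matched on addresses only, so a
# cleartext packet arriving on the outside interface with a 192.168.2.x source
# is accepted exactly like one that came out of the tunnel. (IKE, udp 500,
# is omitted from both rulesets for brevity.)
weak_ruleset() {
    ipfw_add 100 allow esp from "$GW_B" to "$GW_A"
    ipfw_add 110 allow esp from "$GW_A" to "$GW_B"
    ipfw_add 200 allow ip from "$NET_B" to "$NET_A"
    ipfw_add 210 allow ip from "$NET_A" to "$NET_B"
}

# Tightened: the inbound inner-traffic rule also requires IPsec history on the
# packet, and anything else claiming the remote network on the outside
# interface is logged and dropped. Outbound traffic is left to the SPD to wrap.
hardened_ruleset() {
    ipfw_add 100 allow esp from "$GW_B" to "$GW_A"
    ipfw_add 110 allow esp from "$GW_A" to "$GW_B"
    ipfw_add 200 allow ip from "$NET_B" to "$NET_A" ipsec
    ipfw_add 210 deny log ip from "$NET_B" to "$NET_A" in recv "$OUTSIDE"
    ipfw_add 220 allow ip from "$NET_A" to "$NET_B"
}

# Count the rules in a ruleset that require IPsec history (sanity check).
count_ipsec_rules() {
    "$1" | grep -c ' ipsec$' || true
}
```

Run without IPFW_APPLY to review the generated rules first; the weak set yields zero rules requiring IPsec history, the hardened set exactly one.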