Date:      Fri, 21 Sep 2001 09:56:58 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Sameh Ghane <sw@anthologeek.net>
Cc:        freebsd-net@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: ipfilter and IPSec processing order 
Message-ID:  <200109210857.f8L8v0R34477@hak.lan.Awfulhak.org>
In-Reply-To: Message from Sameh Ghane <sw@anthologeek.net>  of "Fri, 21 Sep 2001 10:26:45 +0200." <20010921102645.D77863@anthologeek.net>


Hi,

I can't answer your question specifically as I've never used 
ipfilter, but it's certainly possible to use natd at the same time as 
IPSEC... the vital thing is to ensure that no traffic is altered by 
both engines.

Using a gif tunnel (which you are already) and encrypting only ipencap 
traffic in your spdadd/transport policy should mean that the nat 
engine either sees regular traffic (that should be NATd) or ipencap 
traffic (which shouldn't be NATd, and won't as the src address is the 
gateway address).

So the bit you may be missing is the ``ip4'' bit in the setkey spdadd 
line....

> Hi,
> 
> I use an IPSec tunnel (transport mode + gif) between two FreeBSD 4.3-p19
> gateways, using ipfilter(v3.4.20 (264)) as packet filter.
> 
> With no particular statement about IPSec, I get this message:
> 
> Sep 21 10:10:24 fw ipmon[94]: 10:10:23.578447 fxp0 @0:80 b 213.41.X.Y ->
> 213.41.W.Z PR ipencap len 20 (104) OUT 
> when I try to make my packets go out.
> 
> Fine. I let protocol IP ENCAP (4) go through the firewall.
> 
> Then, I get:
> 
> Sep 21 10:13:40 fw ipmon[94]: 10:13:39.593013 fxp0 @0:90 b
> 213.41.W.Z -> 213.41.X.Y PR esp len 20 (136) IN 
> 
> when packets come back to the gateway.
> 
> Fine. I let protocol ESP(50) go through the firewall.
> 
> I can now ping both ends of the tunnel, because I explicitly allowed ICMP
> to go through ipf rules. Unfortunately, when I try to telnet the other side of
> the tunnel, on HTTP's port, using the private network addresses:
> 
> Sep 21 10:15:43 fw ipmon[94]: 10:15:42.698858 fxp0 @0:91 b 192.168.202.17,80 ->
> 192.168.1.1,1259 PR tcp len 20 44 -AS IN 
> 
> responses are not allowed to come back.
> 
> I even tried to put stateful rules for the private networks:
> 
> pass out quick proto tcp from 192.168.0.0/17  to 192.168.128.0/17  keep state
> 
> Unsuccessfully.
> 
> So I am wondering, why is ipfilter seeing the packet twice: once encapsulated,
> once decapsulated?
> 
> I looked at freebsd-net, -security, and ipfilter mailing lists, with no success.
> 
> NetBSD states that:
>      « Since February 2001, on NetBSD-current, ipf(4)/IPsec interaction was
> clarified as below: 
>          ipf(4) looks at packets in native wire format only. ipf(4) looks at
> packets before IPsec processing on inbound, and after IPsec processing on
> outbound. »
> 
> Is it done on FreeBSD? Why can't it be done? (I read threads where people
> stated that packet filter and IPSec interaction was an unsolvable problem.)
> 
> And even if the packet goes twice through the packet filter, why can't I use
> stateful rules? Hum!?
> 
> Cheers,
> 
> -- 
> Sameh

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
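A worked configuration, added here to illustrate Brian's suggestion and not part of the original thread: a setkey(8) policy that applies transport-mode ESP only to the gif tunnel's IP-in-IP (`ip4`) traffic between the two gateway addresses quoted above, followed by the ipfilter rules that let the outer ESP and ipencap packets through. The gateway addresses are the thread's obfuscated ones; the SAs are assumed to be negotiated by an IKE daemon (racoon) or added by hand, and are not shown.

```conf
# /etc/ipsec.conf on gateway A (outer address 213.41.X.Y), loaded with
# "setkey -f /etc/ipsec.conf". Gateway B (213.41.W.Z) uses the same file
# with the addresses and the -P in / -P out directions swapped.
# Addresses are the thread's obfuscated ones. The SAs themselves are assumed
# to come from an IKE daemon (racoon) or from "add" lines, which are not shown.
flush;
spdflush;

# Transport-mode ESP for upper-layer protocol "ip4" (IP-in-IP, protocol 4)
# only. The gif tunnel's outer packets are the only ones that match, so the
# private traffic is encrypted exactly once (inside the encapsulation), and
# any other traffic between the gateways stays in the clear for ipfilter/natd.
spdadd 213.41.X.Y/32 213.41.W.Z/32 ip4 -P out ipsec esp/transport//require;
spdadd 213.41.W.Z/32 213.41.X.Y/32 ip4 -P in  ipsec esp/transport//require;

# --- /etc/ipf.rules fragment for the outer interface fxp0 ---
# On output ipfilter sees the ipencap packet before ESP is applied (the
# first ipmon line in the thread); on input it sees the ESP packet arriving
# (the second). Passing both protocols in both directions between the two
# gateway addresses covers either ordering without opening anything else.
pass out quick on fxp0 proto esp from 213.41.X.Y to 213.41.W.Z
pass in  quick on fxp0 proto esp from 213.41.W.Z to 213.41.X.Y
pass out quick on fxp0 proto ipencap from 213.41.X.Y to 213.41.W.Z
pass in  quick on fxp0 proto ipencap from 213.41.W.Z to 213.41.X.Y
# The stateful rule for the private networks, as posted in the thread:
pass out quick proto tcp from 192.168.0.0/17 to 192.168.128.0/17 keep state
```

Whether the decapsulated private packets are reported on fxp0 or on the gif interface depends on the kernel's IPsec/gif input path, so check the ipmon output after loading the policy before tightening the stateful rule to a specific interface.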


