From owner-freebsd-net Mon Jan 20 16:31:53 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 54A7537B401 for ; Mon, 20 Jan 2003 16:31:52 -0800 (PST)
Received: from fever.boogie.com (cpe-66-87-52-132.co.sprintbbd.net [66.87.52.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98BD443F43 for ; Mon, 20 Jan 2003 16:31:51 -0800 (PST) (envelope-from durian@boogie.com)
Received: from man.boogie.com (man.boogie.com [192.168.1.3]) by fever.boogie.com (8.12.6/8.12.6) with ESMTP id h0L0VoS4001481; Mon, 20 Jan 2003 17:31:51 -0700 (MST) (envelope-from durian@boogie.com)
Content-Type: text/plain; charset="us-ascii"
From: Mike Durian
To: Pekka Nikander
Subject: Question about IPsec and double ipfilter processing
Date: Mon, 20 Jan 2003 17:31:49 -0700
User-Agent: KMail/1.4.3
Cc: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200301201731.49942.durian@boogie.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I was looking through the FreeBSD mailing list archives trying to figure out why ipfilter is filtering on both encapsulated ESP packets and the decrypted packets (NetBSD says it should only filter on the line packets), when I saw a relevant posting. It looks like other people are frustrated by this double processing too. In a message Pekka Nikander says:

	From the security point of view this does not matter so much,
	since the IPsec code is taking care of the protection and
	dropping those packets.

Can you clarify this? In order to allow a peer network, 192.168.2.0/24, to connect to my network via a VPN, I need to pass ESP (fine) and then also 192.168.2.0/24 packets (I'm not so happy about this).
Does your statement above imply the IPsec code will somehow filter non-ESP-encapsulated packets from 192.168.2.0/24, thus protecting me from spoof attacks even though the firewall would appear to allow it?

Thanks,
mike
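The inbound path described in the question (ipfilter on the wire packet, ESP decapsulation, ipfilter again on the cleartext) modelled as an added illustration; this is not code from the thread or from FreeBSD. It assumes a constructed rule set that passes ESP and the 192.168.2.0/24 peer net, a constructed local net 192.168.1.0/24, and an inbound IPsec policy requiring ESP for the peer net, which stands in for the drop Pekka's quoted sentence appears to refer to.

```python
import ipaddress
from dataclasses import dataclass

PEER_NET = ipaddress.ip_network("192.168.2.0/24")   # VPN peer network named in the mail
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed: local network behind the gateway

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "esp", "tcp", "udp", ...
    inner: "Packet | None" = None    # tunnel-mode payload carried by an ESP packet
    decapsulated: bool = False       # set once the IPsec code has stripped ESP

def firewall_pass(pkt: Packet) -> bool:
    """Constructed ipfilter-style rule set: pass ESP, pass peer net to local net, block the rest."""
    if pkt.proto == "esp":
        return True
    return (ipaddress.ip_address(pkt.src) in PEER_NET
            and ipaddress.ip_address(pkt.dst) in LOCAL_NET)

def spd_requires_esp(pkt: Packet) -> bool:
    """Assumed inbound security policy: anything from the peer net must have arrived inside ESP."""
    return ipaddress.ip_address(pkt.src) in PEER_NET

def inbound(pkt: Packet, spd_check: bool = True) -> str:
    """Inbound path from the mail: filter the wire packet, decapsulate ESP, filter the
    decrypted packet a second time, then apply the IPsec inbound policy check."""
    if not firewall_pass(pkt):
        return "blocked: firewall (wire packet)"
    if pkt.proto == "esp" and pkt.inner is not None:
        pkt = Packet(pkt.inner.src, pkt.inner.dst, pkt.inner.proto, decapsulated=True)
        if not firewall_pass(pkt):            # the second ipfilter pass the mail complains about
            return "blocked: firewall (decrypted packet)"
    # What stops cleartext spoofing of the peer net: a packet the policy says must come via ESP,
    # but which was never decapsulated, is discarded even though the firewall let it through.
    if spd_check and spd_requires_esp(pkt) and not pkt.decapsulated:
        return "dropped: IPsec policy violation"
    return "delivered"

# Constructed sample traffic (addresses other than 192.168.2.0/24 are made up).
VPN_PKT = Packet("203.0.113.5", "198.51.100.9", "esp",
                 inner=Packet("192.168.2.10", "192.168.1.3", "tcp"))
SPOOFED_PKT = Packet("192.168.2.10", "192.168.1.3", "tcp")   # cleartext claiming the peer net
OUTSIDER_PKT = Packet("203.0.113.77", "192.168.1.3", "tcp")

if __name__ == "__main__":
    for name, p in [("vpn", VPN_PKT), ("spoofed", SPOOFED_PKT), ("outsider", OUTSIDER_PKT)]:
        print(f"{name:9s} {inbound(p)}")
    print(f"spoofed, no policy check: {inbound(SPOOFED_PKT, spd_check=False)}")
```

Running it with `spd_check=False` shows the exposure the question is about: the firewall rules alone deliver the spoofed cleartext packet, and only the policy check rejects it.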