From: Jonas Bülow <jonas@servicefactory.se>
Organization: Service Factory
Date: Mon, 13 Mar 2006 14:02:36 +0100
To: freebsd-net@freebsd.org
Subject: IPSec and packet filtering in FreeBSD 6.0
Message-ID: <44156D6C.7050605@servicefactory.se>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have some questions regarding IPSec and its use together with packet filtering in FreeBSD 6.0.

The network picture is shown here:

    C<---->A<---->B<---->@

C = Client, i.e. Windows PC.
A = Some WaveLAN AP with IPSec/tunnel functionality, e.g. Cisco, Ericsson, Netgear, D-Link...
B = FreeBSD 6.0 box acting as gateway.
@ = Internet

The AP A tunnels the network C is on to B through an IPSec tunnel. B terminates the IPSec tunnel.
The IPSec configuration in B is "by the book", using a gif interface to ease routing configuration and to allow packets to originate in B. So far, everything works fine.

The problems arise when B performs packet filtering on the tunneled traffic from A.

First observation: when using IPSec tunnel mode, nothing is seen with tcpdump on the gif interface. It seems like the bpf hook on the gif interface is not called. Neither does IPFilter see any packets on the gif interface.

Running tcpdump on the physical interface towards A, I see the encapsulated traffic. Using ipfilter's log option I can see the encapsulated traffic and the decapsulated *incoming* traffic. Outgoing traffic, to be encapsulated by IPSec tunnel mode, is not seen. As a consequence it is only possible to filter decapsulated incoming traffic.

IPFilter is used for legacy reasons. The same problems seem to apply to ipfw.

Another issue is if A is a DHCP relay and B is the DHCP server. As bpf is not working on gif interfaces, ISC DHCP will not work. Even if bpf should work on gif, ISC DHCP does work on interfaces with link-type NULL. I guess this last problem is just "a small matter of programming" to fix. I will happily contribute patches for this when I've solved the bigger IPSec/tunnel problem above.

The kernel is compiled with IPSEC_FILTERGIF.

Has anyone succeeded with a setup similar to this one? Are there some obvious tweaks to do to make it work?

I've read somewhere on this list that IPSec should be on the pfil interface. Is someone working in that direction? Is there any other plan on changing the integration of IPSec in FreeBSD? If someone can redirect me to current work on IPSec, I would be glad to help.

/j