Date:      Wed, 20 Nov 2002 09:20:44 +0100 (CET)
From:      "Patrick M. Hausen" <hausen@punkt.de>
To:        Archie Cobbs <archie@dellroad.org>
Cc:        Guido van Rooij <guido@gvr.org>, David Kelly <dkelly@HiWAAY.net>, Scott Ullrich <sullrich@CRE8.COM>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject:   Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID:  <200211200820.gAK8Ki6G041336@hugo10.ka.punkt.de>
In-Reply-To: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>

Hi all!

Archie Cobbs wrote:

> Guido van Rooij wrote:
> > The problem here is that there is a de-tunneled packet that has no
> > new interface associated. What a mess :-(
> 
> I'm confused. So, let me try to summarize things:
> 
>   Right now, if you use IPSec tunnel mode with a 'gif' interface, and
>   suppose your Ethernet driver is fxp0, then incoming packets will
>   pass through ipfw twice: first, as encrypted ESP packets and 'in
>   via fxp0', and again, as decrypted whatever packets and 'in via
>   gif0'.
> 
> Is that correct??

Almost. This is how it _should_ be (IMHO). So one could set up
strict firewall rules for "in via fxp0" while allowing RFC1918
to RFC1918 "in via gif0" when connecting two networks with
FreeBSD boxes.

Unfortunately the behavior I observed was:

Incoming packets will pass through ipfw twice, as encrypted ESP packets
"in via fxp0" and again, as decrypted packets "in via fxp0" _again_!
That was at the time of 4.4-R. I don't know the current state of
affairs from my own experience, but as I read this thread I felt
a sudden urge to participate ;-)

I can't say that behavior of the system is _wrong_, but it makes
setting up firewall rules a pain. Especially if you want to build
an all-singing-and-dancing Firewall-NAT-VPN box.

I'm glad to see that this issue finally gets addressed.

One question to Guido: why would it be necessary to add a new
device - be it called esp0 or fxp_esp0 or similar - to tag the
packets as coming from? Can't the decrypted packets just come
from the already existing gif0 tunnel interface?


Regards,

Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
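The following is an added illustration, not code from the post or from FreeBSD: a small Python model of ipfw's first-match evaluation, applied to the two passes an IPsec/gif packet makes. The rule set, interface names, addresses (203.0.113.2, 198.51.100.1, 10.1.0.0/16, 10.2.0.0/16) and the inner packet are all constructed for the example, and only inbound ("in via") rules are modelled. It shows why a strict "in via fxp0" policy plus an "RFC1918 to RFC1918 in via gif0" rule works when the decrypted packet is re-injected via gif0, why it denies the decrypted packet when ipfw sees it "in via fxp0" again, and why the obvious workaround (also allowing the inner prefixes in via fxp0) cannot tell a decrypted packet apart from a cleartext packet with the same addresses arriving on the outside interface.

```python
"""Model of ipfw first-match evaluation for the two passes an IPsec/gif
packet makes. Constructed example for illustration; not FreeBSD code.
Addresses, interfaces and rules are made up and only inbound rules exist."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str   # "esp", "udp", "tcp", ...
    src: str
    dst: str
    iface: str   # the interface ipfw believes the packet arrived "in via"
    dport: int = 0


@dataclass
class Rule:
    number: int
    action: str     # "allow" or "deny"
    proto: str      # "ip" matches any protocol, as in ipfw
    src: str        # "any" or a host/CIDR
    dst: str
    iface: str      # interface name for "in via <iface>"
    dport: int = 0  # 0 = any destination port


def _addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.iface == pkt.iface
            and rule.dport in (0, pkt.dport))


def evaluate(rules, pkt):
    """ipfw semantics: the first matching rule wins; 65535 is the default deny."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


def to_ipfw(rule):
    """Render a Rule in ipfw's inbound syntax, for reading the policy."""
    port = f" {rule.dport}" if rule.dport else ""
    return (f"add {rule.number} {rule.action} {rule.proto} "
            f"from {rule.src} to {rule.dst}{port} in via {rule.iface}")


# Constructed "strict outside, permissive tunnel" policy in the spirit of the post:
# only ESP and IKE from the peer may enter via fxp0; private-to-private traffic
# is accepted only once it shows up on the tunnel interface gif0.
STRICT_RULES = [
    Rule(100, "allow", "esp", "203.0.113.2", "198.51.100.1", "fxp0"),
    Rule(110, "allow", "udp", "203.0.113.2", "198.51.100.1", "fxp0", dport=500),
    Rule(200, "allow", "ip", "10.1.0.0/16", "10.2.0.0/16", "gif0"),
    Rule(300, "deny", "ip", "any", "any", "fxp0"),
]

# Workaround for the observed behaviour: also accept the inner prefixes on fxp0.
WORKAROUND_RULES = STRICT_RULES[:2] + [
    Rule(150, "allow", "ip", "10.1.0.0/16", "10.2.0.0/16", "fxp0"),
] + STRICT_RULES[2:]

# Constructed packets: the ESP envelope from the peer, and the inner TCP packet
# that ipfw sees a second time after decryption.
ESP_PKT = Packet("esp", "203.0.113.2", "198.51.100.1", "fxp0")
INNER_PKT = Packet("tcp", "10.1.0.5", "10.2.0.7", "gif0", dport=22)


def trace(rules, second_pass_iface):
    """Return ipfw's verdict for both passes, with the decrypted packet
    attributed to the given interface on its second pass."""
    inner = Packet(INNER_PKT.proto, INNER_PKT.src, INNER_PKT.dst,
                   second_pass_iface, INNER_PKT.dport)
    return [evaluate(rules, ESP_PKT), evaluate(rules, inner)]


def intended():
    """Second pass 'in via gif0': the strict policy works as the post wants."""
    return trace(STRICT_RULES, "gif0")


def observed_4_4():
    """Second pass 'in via fxp0' again: the strict policy drops the tunnel traffic."""
    return trace(STRICT_RULES, "fxp0")


def cleartext_spoof_verdicts():
    """A cleartext packet carrying the inner addresses but arriving unprotected on
    fxp0 is indistinguishable, to ipfw, from the decrypted packet under the
    workaround. Returns (verdict under strict policy, verdict under workaround)."""
    spoof = Packet("tcp", "10.1.0.5", "10.2.0.7", "fxp0", dport=22)
    return evaluate(STRICT_RULES, spoof), evaluate(WORKAROUND_RULES, spoof)


if __name__ == "__main__":
    for r in STRICT_RULES:
        print(to_ipfw(r))
    print("intended   :", intended())
    print("observed   :", observed_4_4())
    print("workaround :", trace(WORKAROUND_RULES, "fxp0"))
    print("cleartext on fxp0 (strict, workaround):", cleartext_spoof_verdicts())
```

Under the intended behaviour the inner packet hits rule 200 on gif0 and the outside interface stays closed. Under the observed behaviour it falls through to rule 300 and is denied; adding rule 150 fixes that but then also admits any unencrypted packet on fxp0 that merely claims the private source address, which is the policy loss the post is complaining about.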