Date: Wed, 20 Nov 2002 09:20:44 +0100 (CET)
From: "Patrick M. Hausen" <hausen@punkt.de>
To: Archie Cobbs <archie@dellroad.org>
Cc: Guido van Rooij <guido@gvr.org>, David Kelly <dkelly@HiWAAY.net>, Scott Ullrich <sullrich@CRE8.COM>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <200211200820.gAK8Ki6G041336@hugo10.ka.punkt.de>
In-Reply-To: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>
Hi all!

Archie Cobbs wrote:

> Guido van Rooij wrote:
> > The problem here is that there is a de-tunneled packet that has no
> > new interface associated. What a mess :-(
>
> I'm confused. So, let me try to summarize things:
>
> Right now, if you use IPSec tunnel mode with a 'gif' interface, and
> suppose your Ethernet driver is fxp0, then incoming packets will
> pass through ipfw twice: first, as encrypted ESP packets and 'in
> via fxp0', and again, as decrypted whatever packets and 'in via
> gif0'.
>
> Is that correct??

Almost. This is how it _should_ be (IMHO). So one could set up strict firewall rules for "in via fxp0" while allowing RFC1918 to RFC1918 "in via gif0" when connecting two networks with FreeBSD boxes.

Unfortunately the behavior I observed was: incoming packets will pass through ipfw twice, as encrypted ESP packets "in via fxp0" and again, as decrypted packets "in via fxp0" _again_!

That was at the time of 4.4-R. I don't know the current state of affairs from my own experience, but as I read this thread I felt a sudden urge to participate ;-)

I can't say that this behavior of the system is _wrong_, but it makes setting up firewall rules a pain. Especially if you want to build an all-singing-and-dancing Firewall-NAT-VPN box. I'm glad to see that this issue finally gets addressed.

One question to Guido: why would it be necessary to add a new device - be it called esp0 or fxp_esp0 or similar - to tag the packets as coming from? Can't the decrypted packets just come from the already existing gif0 tunnel interface?

Regards,
Patrick M. Hausen
Technical Director

--
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
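The split policy Patrick describes above, as an added example that is not part of the original message or of FreeBSD: a strict outer ruleset for the physical NIC (only ESP and IKE from the known peer, private address space dropped) and a permissive inner ruleset for the tunnel interface, where decrypted RFC1918-to-RFC1918 traffic is allowed. The interface names fxp0 and gif0 follow the thread; the addresses, nets and the rule numbers are hypothetical. By default the script only prints the ipfw commands; set IPFW=/sbin/ipfw to actually load them on a FreeBSD box.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes (all hypothetical):
#   fxp0 = external NIC with address EXT_IP, peer gateway at PEER_IP,
#   gif0 = IPsec/gif tunnel, LOCAL_NET behind this box, REMOTE_NET behind the peer.
# Dry-run by default: IPFW defaults to "echo ipfw" so nothing is changed.

EXT_IF=fxp0
TUN_IF=gif0
EXT_IP=192.0.2.1
PEER_IP=198.51.100.1
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.2.0/24
IPFW=${IPFW:-echo ipfw}

# Emit the ruleset, one "ipfw add ..." argument list per line.
rules() {
  # Outer side (fxp0): only the tunnel's own traffic from the known peer.
  echo "add 100 allow esp from $PEER_IP to $EXT_IP in via $EXT_IF"
  echo "add 110 allow udp from $PEER_IP 500 to $EXT_IP 500 in via $EXT_IF"
  # Anti-spoofing: private source addresses must never arrive on the wire.
  echo "add 200 deny ip from 10.0.0.0/8 to any in via $EXT_IF"
  echo "add 210 deny ip from 172.16.0.0/12 to any in via $EXT_IF"
  echo "add 220 deny ip from 192.168.0.0/16 to any in via $EXT_IF"
  # Inner side (gif0): decrypted packets carry RFC1918 addresses and are fine here.
  echo "add 300 allow ip from $REMOTE_NET to $LOCAL_NET in via $TUN_IF"
  echo "add 310 allow ip from $LOCAL_NET to $REMOTE_NET out via $TUN_IF"
  # Default deny, logged.
  echo "add 65000 deny log ip from any to any"
}

# Count how many rules reference a given interface (used for a sanity check).
rules_via() {
  rules | grep -c "via $1"
}

# Load (or, in dry-run mode, print) every rule.
apply_rules() {
  rules | while read -r r; do
    $IPFW $r
  done
}

apply_rules
```

Note the consequence of the 4.4-R behaviour Patrick reports: if the decrypted packets come back through ipfw "in via fxp0" instead of "in via gif0", rules 200-220 drop them, because their RFC1918 source address now appears on the outer interface. That is exactly why the per-interface tagging discussed in the thread matters; without it, the anti-spoofing rules and the tunnel traffic cannot both be expressed cleanly.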