From: "Patrick M. Hausen"
To: Archie Cobbs
Cc: Guido van Rooij, David Kelly, Scott Ullrich, "'greg.panula@dolaninformation.com'", FreeBSD-stable@FreeBSD.ORG
Date: Wed, 20 Nov 2002 09:20:44 +0100 (CET)
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-Id: <200211200820.gAK8Ki6G041336@hugo10.ka.punkt.de>
In-Reply-To: <200211200348.gAK3mhtT058983@arch20m.dellroad.org>

Hi all!

Archie Cobbs wrote:
> Guido van Rooij wrote:
> > The problem here is that there is a de-tunneled packet that has no
> > new interface associated. What a mess :-(
>
> I'm confused. So, let me try to summarize things:
>
> Right now, if you use IPSec tunnel mode with a 'gif' interface, and
> suppose your Ethernet driver is fxp0, then incoming packets will
> pass through ipfw twice: first, as encrypted ESP packets and 'in
> via fxp0', and again, as decrypted whatever packets and 'in via
> gif0'.
>
> Is that correct??

Almost. This is how it _should_ be (IMHO). So one could set up strict
firewall rules for "in via fxp0" while allowing RFC1918 to RFC1918 "in
via gif0" when connecting two networks with FreeBSD boxes.

Unfortunately the behavior I observed was: incoming packets will pass
through ipfw twice, as encrypted ESP packets "in via fxp0" and again,
as decrypted packets "in via fxp0" _again_!

That was at the time of 4.4-R. I don't know the current state of
affairs from my own experience, but as I read this thread I felt a
sudden urge to participate ;-)

I can't say that behavior of the system is _wrong_, but it makes
setting up firewall rules a pain. Especially if you want to build an
all-singing-and-dancing Firewall-NAT-VPN box. I'm glad to see that
this issue finally gets addressed.

One question to Guido: why would it be necessary to add a new device -
be it called esp0 or fxp_esp0 or similar - to tag the packets as coming
from? Can't the decrypted packets just come from the already existing
gif0 tunnel interface?

Regards,
Patrick M. Hausen
Technical Director
--
punkt.de GmbH          Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a      Tel. 0721 9109 -0   Fax: -100
76135 Karlsruhe        http://punkt.de
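The per-interface rule layout Patrick describes (strict "in via fxp0", RFC1918 to RFC1918 "in via gif0"), written out as an added example that is not from the thread or from FreeBSD's own rc.firewall; the interface names, addresses and networks are assumptions, and the script only prints the rules unless run with the argument `load`.

```shell
#!/bin/sh
# Constructed example (not from the thread): the ipfw layout Patrick
# describes, strict "in via fxp0" and RFC1918 <-> RFC1918 "in via gif0".
# Interface names, addresses and networks below are assumptions.
fwcmd="${fwcmd:-/sbin/ipfw}"   # same variable convention as /etc/rc.firewall
oif="fxp0"                      # public interface; should see ESP and IKE only
tif="gif0"                      # tunnel interface; should see decrypted traffic
me="192.0.2.1"                  # our public address (documentation prefix)
peer="198.51.100.1"             # remote VPN gateway's public address
lnet="10.1.0.0/16"              # RFC1918 network behind this box
rnet="10.2.0.0/16"              # RFC1918 network behind the peer

# Emit the rules as "ipfw add" arguments, one per line, so the policy can
# be reviewed or tested without touching the kernel. Order matters: ipfw
# stops at the first matching rule. The rest of the site policy follows.
vpn_rules() {
    cat <<EOF
allow esp from $peer to $me in via $oif
allow esp from $me to $peer out via $oif
allow udp from $peer 500 to $me 500 in via $oif
allow udp from $me 500 to $peer 500 out via $oif
deny log ip from 10.0.0.0/8 to any in via $oif
deny log ip from 172.16.0.0/12 to any in via $oif
deny log ip from 192.168.0.0/16 to any in via $oif
allow ip from $rnet to $lnet in via $tif
allow ip from $lnet to $rnet out via $tif
EOF
}
# With the intended behaviour, a decrypted packet from $rnet reappears
# "in via $tif" and matches the allow rule. With the 4.4-R behaviour
# Patrick observed it reappears "in via $oif" instead, so the 10.0.0.0/8
# anti-spoofing deny above drops (and logs) the tunnel traffic: that is
# the mismatch that makes a strict per-interface policy hard to write.

# Load the rules into the running firewall (needs root on a FreeBSD box).
load_rules() {
    vpn_rules | while read -r rule; do
        ${fwcmd} add $rule      # unquoted on purpose: one argument per token
    done
}

if [ "${1:-}" = "load" ]; then load_rules; fi
```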