Date:      Thu, 7 Dec 2000 09:20:40 +0200
From:      "Ari Suutari" <ari@suutari.iki.fi>
To:        <freebsd-net@freebsd.org>, <freebsd-ipfw@freebsd.org>
Subject:   IPFW & IPsec tunnel mode
Message-ID:  <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>

Hi,

I have been setting up a VPN between two offices in
the same company using FreeBSD + KAME IPsec. Works OK
otherwise, but I think that ipfw capabilities should be enhanced
to understand more about IPsec.

My setup is something like this:

Office A uses network nnn.nnn.nnn.0
Office B uses network mmm.mmm.mmm.0

Both ones have FreeBSD 4.1 as firewall, office A has
public address aaa.aaa.aaa.aaa and office B has
public address bbb.bbb.bbb.bbb.

First, I set up an IPsec policy to use tunnel mode
between these networks, without using any ipfw rules
(i.e. ipfw pass ip from any to any). Works without any
problems.

Then, I limit traffic with ipfw:

Office A's firewall:

ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa
ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb

Office B's firewall:

ipfw add pass esp from aaa.aaa.aaa.aaa to bbb.bbb.bbb.bbb
ipfw add pass esp from bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa

Now, ESP packets are allowed through. But of course, no services
(for example telnet) work, because they don't have any ipfw pass rule
that they match. OK, I added the following rules to make telnet work:

Office A's firewall:

ipfw add pass tcp from any to any established
ipfw add pass tcp from mmm.mmm.mmm.0/24 to nnn.nnn.nnn.0/24 23 setup

Office B's firewall:

ipfw add pass tcp from any to any established
ipfw add pass tcp from nnn.nnn.nnn.0/24 to mmm.mmm.mmm.0/24 23 setup

Now telnet works and it looks like all is done. However, these last rules
also allow hosts in nnn.nnn.nnn.0 & mmm.mmm.mmm.0 to exchange telnet traffic
without IPsec, since there is no way to state in these rules that
they should only match packets coming from a specific IPsec tunnel.

I was unable to sleep my nights peacefully because I realized that
if someone on the internet disguises himself as an nnn.nnn.nnn.0 or
mmm.mmm.mmm.0 host, my IPsec protection can be bypassed (I also realize
that not everyone is capable of doing something like this). So, I switched
to using pipsecd, which passes tunnel packets to a tun device, and the
problem was solved: I can add 'via tun0' to those last rules to make sure
that they match only the packets coming from the tunnel.

However, pipsecd only supports fixed keys and KAME seems more
like the future way to go. Would it be possible to enhance ipfw & KAME
to work together better in the same way (like having some kind of name for
each tunnel and allowing ipfw rules to use them in a similar way as
'via' is used with interfaces)?

    Ari S.
--
Ari Suutari <ari@suutari.iki.fi>
Lemi, Finland
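An added illustration, not part of Ari's mail and not ipfw's own code: a small Python model of first-match ipfw evaluation over Office A's four pass rules. It shows that a cleartext telnet SYN carrying a forged mmm.mmm.mmm.0 source satisfies the source-network rule, while binding the two telnet rules to the tunnel interface with 'via tun0' (the pipsecd arrangement from the mail) rejects it. The concrete network numbers, the public-side interface name ext0 and the sample packets are constructed stand-ins for the mail's placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the mail's placeholders (RFC 5737 ranges).
NET_A, NET_B = "10.1.0.0/24", "10.2.0.0/24"      # nnn.nnn.nnn.0, mmm.mmm.mmm.0
GW_A, GW_B = "192.0.2.1/32", "198.51.100.1/32"   # aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "esp" or "tcp"
    dport: int = 0
    setup: bool = False        # TCP SYN without ACK
    established: bool = False  # ACK or RST set
    via: str = "ext0"          # interface it is seen on (hypothetical name)

@dataclass
class Rule:
    action: str                # "pass" or "deny"
    proto: str = "ip"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0             # 0 = any port
    setup: bool = False
    established: bool = False
    via: str = ""              # "" = any interface, otherwise as 'via ifname'
    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport)
                and (not self.setup or p.setup)
                and (not self.established or p.established)
                and self.via in ("", p.via))

def evaluate(rules, p):  # first match decides; ipfw's default here is deny
    return next((r.action for r in rules if r.matches(p)), "deny")

def office_a_rules(bind_to_tunnel):
    # Office A's four pass rules from the mail; True adds 'via tun0' to the
    # two telnet rules, as the mail does once pipsecd delivers via tun0.
    tun = "tun0" if bind_to_tunnel else ""
    return [Rule("pass", "esp", GW_B, GW_A),
            Rule("pass", "esp", GW_A, GW_B),
            Rule("pass", "tcp", established=True, via=tun),
            Rule("pass", "tcp", NET_B, NET_A, dport=23, setup=True, via=tun)]

# Same telnet SYN header: decapsulated from the tunnel vs forged in cleartext on ext0.
TUNNEL_SYN = Packet("10.2.0.5", "10.1.0.7", "tcp", 23, setup=True, via="tun0")
SPOOFED_SYN = Packet("10.2.0.5", "10.1.0.7", "tcp", 23, setup=True, via="ext0")
```

With the unbound rules both SYNs evaluate to "pass"; with 'via tun0' the forged cleartext one falls through to the default deny while the tunnelled one still passes.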