Date:      Tue, 14 Jan 2003 00:30:25 -0500
From:      "Ben Pfountz" <netprince@vt.edu>
To:        <freebsd-mobile@FreeBSD.ORG>
Subject:   Requiring IPsec on wi interface?
Message-ID:  <002301c2bb8e$0a85db90$6511a8c0@benspiece>

I just fixed my wi interface by upgrading to 4.7-STABLE.  The upgrade was
required in order to prevent crashes caused by a nearby Linksys access
point.  (see the thread if you wish)

I noticed that when I upgraded to 4.7-STABLE, the kernel has changed the way
ipfw handles IPsec packets.  After IPsec processes the packets, it passes
the packets to the firewall without the ESP flag set.  Before the upgrade to
4.7-STABLE, I was using the firewall to prevent all but ESP packets on that
interface.  Now, I can't figure out how to firewall all but IPsec packets on
my wireless interface.  I would like to get IPsec going instead of WEP, but
I would need to somehow block non-ESP packets.  Anybody have any
suggestions?

Here is what I used before:

  # incoming dhcp requests
  ipfw add allow udp from any 68 to any 67 \
    in recv wi0

  # allow esp key exchange in
  ipfw add allow { tcp or udp } from ${LAN} to me 500 \
    in recv wi0

  # allow encrypted data in
  ipfw add allow { esp or ah } from ${LAN} to ${LAN} \
    in recv wi0

  # default rule is to block all

I heard you can block non-ipsec packets with the /etc/ipsec.conf file.  That
would be acceptable, if I could figure out how to do it.  Here is my
/etc/ipsec.conf file:

# mini-ben-wl (winXP)
spdadd 0.0.0.0/0 192.168.17.106/32 ip4 -P out ipsec
  esp/tunnel/192.168.17.100-192.168.17.106/require;
spdadd 192.168.17.106/32 0.0.0.0/0 ip4 -P in ipsec
  esp/tunnel/192.168.17.106-192.168.17.100/require;
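The behaviour change described above, as an added model that is not part of the original post or of FreeBSD: the poster's three ipfw allow rules are evaluated against the same two packets, once with the IPsec mark still visible to ipfw (pre-upgrade) and once with only the cleartext headers visible (4.7-STABLE). The value of ${LAN} (192.168.17.0/24) and the via_ipsec mark are assumptions of the model.

```python
# Added illustration (not FreeBSD code): a model of the inbound path change the
# post describes.  ${LAN} is assumed to be 192.168.17.0/24.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.17.0/24")  # assumed value of ${LAN}


@dataclass
class Packet:
    proto: str               # protocol as seen by the firewall: esp, ah, tcp, udp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    via_ipsec: bool = False  # mark left by IPsec input on a decrypted packet (model)


def ipfw_allows(p: Packet, esp_flag_visible: bool) -> bool:
    """The post's three 'in recv wi0' allow rules, then the default deny.

    esp_flag_visible models whether ipfw still sees the IPsec mark on a
    decrypted packet (pre-upgrade) or only its cleartext headers (4.7-STABLE).
    """
    def in_lan(addr: str) -> bool:
        return ipaddress.ip_address(addr) in LAN

    if p.proto == "udp" and p.sport == 68 and p.dport == 67:            # dhcp
        return True
    if p.proto in ("tcp", "udp") and in_lan(p.src) and p.dport == 500:  # IKE
        return True
    looks_ipsec = p.proto in ("esp", "ah") or (esp_flag_visible and p.via_ipsec)
    if looks_ipsec and in_lan(p.src) and in_lan(p.dst):                 # encrypted data
        return True
    return False                                                         # default rule


def compare_paths() -> dict:
    """Run the same two packets through both kernels: {name: (old, new)}."""
    decrypted = Packet("tcp", "192.168.17.106", "192.168.17.100", 1025, 22, via_ipsec=True)
    cleartext = Packet("tcp", "192.168.17.106", "192.168.17.100", 1025, 22)
    return {name: (ipfw_allows(p, True), ipfw_allows(p, False))
            for name, p in (("decrypted", decrypted), ("cleartext", cleartext))}


if __name__ == "__main__":
    for name, (old, new) in compare_paths().items():
        print(f"{name:10s} pre-upgrade={'allow' if old else 'deny'}"
              f"  4.7-STABLE={'allow' if new else 'deny'}")
```

With the mark gone, the decrypted packet and a cleartext packet from the same host are identical to ipfw, so the interface rules alone can no longer separate them; that is what moves the enforcement point to the SPD in /etc/ipsec.conf.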