Date: Thu, 11 Jan 2001 12:45:11 +0000
From: Josef Karthauser <joe@tao.org.uk>
To: itojun@iijlab.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Interaction problem with IKE (racoon) and ipfw divert natd?
Message-ID: <20010111124510.D3594@tao.org.uk>
In-Reply-To: <29339.979215471@coconut.itojun.org>; from itojun@iijlab.net on Thu, Jan 11, 2001 at 09:17:51PM +0900
References: <20010111121144.B3594@tao.org.uk> <29339.979215471@coconut.itojun.org>
On Thu, Jan 11, 2001 at 09:17:51PM +0900, itojun@iijlab.net wrote:
> > Is there some special handling of IKE packets in the kernel to allow
> > this to work?
>
> yes, IKE has some special handling there. privileged user (root)
> can set a socket policy to "bypass normal IPsec operation" via
> setsockopt. IKE uses the functionality.
>
> IKE creates secret communication channel by its own.
> IKE has two phases:
> - phase 1, which establishes secret communication channel between
> two IKE daemons. very early packets will be sent in clear,
> but after that, IKE daemon will encrypt packets on its own.
> - phase 2, which establishes IPsec SAs between two machines.
> the communication is protected by the secret communication channel
> established by phase 1.
>
> RFC240[0-9] has more detailed (and way too complicated) descriptions.

Thanks Itojun, that explains it perfectly.

My second question pertains to using racoon on a machine that's got an IPFW
running on it using divert to do NAT (via natd) for an internal private
network.

Imagine that this machine has everything closed (ipfw deny ip any to any)
by default. To allow Racoon to communicate I added:

allow udp from HIM isakmp to ME isakmp
allow udp from ME isakmp to HIM isakmp

If I do a tcpdump I should be able to see isakmp packets flowing as key
exchange does its thing. What actually happens is the remote end sends an
isakmp packet; I see it arrive with tcpdump, and the ipfw rule counts it.
What happens next is that racoon here (ME) replies, the outgoing ipfw rule
counts it, but it never appears on the wire anywhere! :(

Strangely... if I move the 'allow udp from ME isakmp to HIM isakmp' to before
the 'divert 8668 ip from any to any via fxp1' rule the packet does go out on
the wire!

I wonder whether this is a bug with natd.

Both machines are round about RELENG_4 (far end HIM jan 4th, this end ME jan 10th).

Any ideas how I can track this down?
Joe
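An added example, not code from the thread or from racoon/natd: a small sh script that writes the ruleset in the order Joe found to work (the gateway's own ISAKMP rules, plus ESP which the thread does not mention but phase 2 SAs need, placed ahead of the divert rule so natd never handles them) and a check that reads `ipfw list` output and fails if any ISAKMP rule sits after the divert. ME, HIM and fxp1 are the thread's placeholders; the addresses and rule numbers are assumed.

```shell
#!/bin/sh
# Added example (not from the thread, racoon or natd): keep the gateway's own
# IKE and ESP rules ahead of the divert rule so natd never sees that traffic.
# ME, HIM and fxp1 are the thread's placeholders; the addresses are assumed.
ME="${ME:-192.0.2.1}"        # this gateway's public address (assumed)
HIM="${HIM:-198.51.100.1}"   # remote IKE peer (assumed)
OIF="${OIF:-fxp1}"           # outside interface, as in the thread

# Emit the ruleset, lowest number first; nothing is applied here.
gen_rules() {
    cat <<EOF
add 100 allow udp from $HIM isakmp to $ME isakmp in via $OIF
add 110 allow udp from $ME isakmp to $HIM isakmp out via $OIF
add 120 allow esp from $HIM to $ME in via $OIF
add 130 allow esp from $ME to $HIM out via $OIF
add 200 divert 8668 ip from any to any via $OIF
add 65000 deny ip from any to any
EOF
}

# Read "ipfw list" or "ipfw -a list" output on stdin. ipfw prints rules in
# number order and prints ports numerically unless -N is given, so a udp rule
# on port 500/isakmp printed after the first divert rule is one that natd
# handles before the allow rule does. Returns 0 only when a divert rule exists
# and every such rule precedes it.
check_isakmp_before_divert() {
    awk '/divert/ && !d { d = 1 }
         /udp/ && / (500|isakmp)( |$)/ && d { bad = 1 }
         END { exit (bad || !d) }'
}

# Load the ruleset on a FreeBSD host (root required; not run by default).
# $rule is expanded unquoted on purpose so ipfw gets the words separately.
apply_rules() {
    gen_rules | while read -r rule; do ipfw -q $rule; done
}
```

On the gateway, `ipfw -a list | check_isakmp_before_divert` confirms the order and the counters, and `tcpdump -ni fxp1 udp port 500` shows whether the reply actually reaches the wire.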