IPSec and packet filtering in FreeBSD 6.0

Jonas Bülow jonas at servicefactory.se
Mon Mar 13 13:04:45 UTC 2006


Hi,

I have some questions regarding IPSec and its use together with packet
filtering in FreeBSD 6.0.

The network picture is shown here:

C<---->A<---->B<---->@

C = Client, i.e. Windows PC.
A = Some WaveLAN AP with IPSec/tunnel functionality. E.g. Cisco,
     Ericsson, Netgear, D-Link...
B = FreeBSD 6.0 box acting as gateway.
@ = Internet

The AP A tunnels the network C is on to B through an IPSec tunnel. B
terminates the IPSec tunnel. The IPSec configuration in B is "by the
book", using a gif interface to ease routing configuration and allow
packets to originate in B.

So far, everything works fine. The problems arise when B performs packet
filtering on the tunneled traffic from A.

First observation is that, when using IPSec/tunnel-mode, nothing is
seen with tcpdump on the gif-interface.  It seems like the bpf-hook on
the gif-interface is not called. Neither does IPFilter see any
packets on the gif-interface.

Running tcpdump on the physical interface towards A, I see the
encapsulated traffic. Using ipfilter's log option I can see the
encapsulated traffic and the decapsulated *incoming* traffic. Outgoing
traffic, to be encapsulated by IPSec/tunnel, is not seen. As a
consequence it is only possible to filter decapsulated incoming
traffic.

IPFilter is used for legacy reasons. The same problems seem to apply
to ipfw.

Another issue is if A is a DHCP relay and B is the DHCP server. As bpf
is not working on gif interfaces, ISC_DHCP will not work.

Even if bpf should work on gif, ISC-DHCP does work on interfaces with
link-type NULL. I guess this last problem is just "a small matter of
programming" to fix. I will happily contribute patches for this when
I've solved the bigger IPSec/tunnel problem above.

The kernel is compiled with IPSEC_FILTERGIF.

Has anyone succeeded with a setup similar to this one? Are there some
obvious tweaks to do to make it work?

I've read somewhere on this list that IPSec should be on the pfil
interface. Is someone working in that direction? Is there any other
plan on changing the integration of IPSec in FreeBSD?

If someone can redirect me to current work on IPSec, I would be glad
to help.

/j
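As an added illustration, not part of the post above and not FreeBSD's or the poster's own configuration, the script below emits a handbook-style gif + IPsec tunnel setup for the gateway B, an IPFilter rule set that only relies on what the post says B can see (ESP and decapsulated inbound traffic on the physical interface, nothing on gif0, no outbound traffic before encapsulation), and a small consistency check between the gif endpoints and the SPD. All addresses, the client network and the interface name `fxp0` are constructed placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Emits a FreeBSD 6.x
# handbook-style gif + IPsec tunnel configuration for gateway B, an
# IPFilter rule set restricted to what the post says B can actually see,
# and a consistency check between the two. Addresses and the interface
# name are constructed placeholders.

B_EXT=192.0.2.1          # B's outer (physical) address, constructed
A_EXT=198.51.100.1       # AP A's outer address, constructed
B_INNER=10.9.9.1         # gif0 inner address on B, constructed
A_INNER=10.9.9.2         # gif0 inner address on A, constructed
C_NET=192.168.1.0/24     # client network behind A, constructed
EXT_IF=fxp0              # B's interface towards A, assumed name

# gif0 carries C's traffic; routing C's network via the tunnel lets B
# originate packets towards C through the same path.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$B_EXT" "$A_EXT"
    printf 'ifconfig gif0 inet %s %s netmask 0xffffffff\n' "$B_INNER" "$A_INNER"
    printf 'route add -net %s %s\n' "$C_NET" "$A_INNER"
}

# setkey(8) policy: ESP in tunnel mode, required in both directions, applied
# only to the IP-in-IP (ipencap) packets that gif0 sends and receives.
setkey_conf() {
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$B_EXT" "$A_EXT" "$B_EXT" "$A_EXT"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$A_EXT" "$B_EXT" "$A_EXT" "$B_EXT"
}

# IPFilter rules on the physical interface. The post reports that, with
# IPSEC_FILTERGIF, the filter sees the ESP packets and the decapsulated
# inbound traffic there, but nothing on gif0 and no outbound traffic
# before encapsulation; the rules therefore only match what is visible.
ipf_rules() {
    cat <<EOF
# ESP strictly between the two tunnel endpoints
pass in quick on $EXT_IF proto esp from $A_EXT to $B_EXT
pass out quick on $EXT_IF proto esp from $B_EXT to $A_EXT
# IP-in-IP carrier packets from the gif tunnel, visible after ESP decapsulation
pass in quick on $EXT_IF proto 4 from $A_EXT to $B_EXT
# decapsulated client traffic: allow what is needed, log and block the rest
pass in log quick on $EXT_IF proto tcp from $C_NET to $B_INNER port = 22 keep state
block in log quick on $EXT_IF from $C_NET to any
EOF
}

# The gif outer endpoints must equal the ESP tunnel endpoints of the
# outbound SPD entry; otherwise the policy never matches gif0's packets
# and they leave unprotected. Returns 0 on match, 1 otherwise.
spd_matches_gif() {
    gif_line=$(printf '%s\n' "$1" | grep 'ifconfig gif0 tunnel')
    gif_src=$(printf '%s\n' "$gif_line" | awk '{print $4}')
    gif_dst=$(printf '%s\n' "$gif_line" | awk '{print $5}')
    spd_ep=$(printf '%s\n' "$2" | grep -- '-P out' |
        sed -n 's#.*esp/tunnel/\([^/]*\)/.*#\1#p')
    [ "$spd_ep" = "$gif_src-$gif_dst" ]
}

# Stand-alone run: print the three pieces for review.
gif_commands; echo; setkey_conf; echo; ipf_rules
```

The check at the end catches the common mistake of editing the gif endpoints after the SPD was written (or the other way round): with a `require` policy that matches nothing, gif0's ipencap packets are simply sent in the clear, so it is worth verifying before loading either file.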


More information about the freebsd-net mailing list