Filtering on IPSEC

David DeSimone fox at verio.net
Thu Jan 12 02:38:07 UTC 2012


Alex Dupre <ale at FreeBSD.org> wrote:
>
> I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint
> VPN-1. I've used a gif interface for the tunnel, setkey for security
> policies and racoon for ikev1.

I've peered with Checkpoint VPNs using FreeBSD but I never needed to
use gif interfaces to make it happen.  FreeBSD's tunnel-mode IPSEC seems
to interoperate quite well with Checkpoint's implementation.

You should be able to match tunneled traffic using SPDs like so:

spdadd 10.27.37.0/24    172.30.101.0/24  any -P in  ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24  10.27.37.0/24    any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;

With the matching 'sainfo' sections in racoon's config:

sainfo  address  10.27.37.0/24 any   address  172.30.101.0/24 any
{
    lifetime            time    1 hour;

    encryption_algorithm        aes;
    authentication_algorithm    hmac_sha1;
    compression_algorithm       deflate;
}

sainfo  address  172.30.101.0/24 any   address  10.27.37.0/24 any
{
    lifetime            time    1 hour;

    encryption_algorithm        aes;
    authentication_algorithm    hmac_sha1;
    compression_algorithm       deflate;
}

> All is working fine, but I get a strange behavior: outgoing packets go
> via enc0, while incoming packets arrive in gif0.

Admittedly, I had set all this up back in the FreeBSD 6.x days,
before the 'enc0' interface was invented, so I can't speak to how the
traffic flow works exactly, but it still seems to me that using gif is
needlessly complicating your setup, so you may want to simplify it.

-- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
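As an added example (not from the post, nor from FreeBSD or racoon), a small Python checker for the invariants the SPD pair and sainfo sections above depend on: the in/out selectors and tunnel endpoints must be mirror images, the policy level should not fall back to cleartext, and each policy needs a sainfo section with the same selectors. The sample configs are constructed from the lines quoted above, plus a deliberately broken variant.

```python
"""Consistency check for a setkey(8) SPD pair and the racoon sainfo selectors."""
import re

# One spdadd line: selectors, direction, tunnel endpoints and level.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?:esp|ah)/tunnel/(?P<gw_src>[\d.]+)-(?P<gw_dst>[\d.]+)/(?P<level>\w+)\s*;")
# The header of a racoon sainfo block: "sainfo address A any address B any".
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<src>\S+)\s+\S+\s+address\s+(?P<dst>\S+)\s+\S+")

def parse_spd(text):
    """Map direction ('in'/'out') to the fields of that spdadd entry."""
    return {m["dir"]: m.groupdict() for m in SPD_RE.finditer(text)}

def parse_sainfo(text):
    """Set of (src, dst) selector pairs declared by sainfo blocks."""
    return {(m["src"], m["dst"]) for m in SAINFO_RE.finditer(text)}

def check_tunnel(spd_text, racoon_text):
    """Return a list of problems; an empty list means the policies agree."""
    spd = parse_spd(spd_text)
    if set(spd) != {"in", "out"}:
        return ["need exactly one 'in' and one 'out' spdadd entry"]
    i, o = spd["in"], spd["out"]
    problems = []
    # Traffic selectors of the two policies must be mirror images.
    if (i["src"], i["dst"]) != (o["dst"], o["src"]):
        problems.append("in/out selectors are not mirrored")
    # Our gateway is the destination of the inbound tunnel and the source of
    # the outbound one, so the endpoint pairs must be mirrored as well.
    if (i["gw_src"], i["gw_dst"]) != (o["gw_dst"], o["gw_src"]):
        problems.append("in/out tunnel endpoints are not mirrored")
    # Level 'use' passes traffic in the clear when no SA exists; the post uses 'unique'.
    for e in (i, o):
        if e["level"] not in ("require", "unique"):
            problems.append(f"{e['dir']} policy level '{e['level']}' permits cleartext fallback")
    # Each SPD selector pair needs a racoon sainfo section with the same selectors.
    sainfo = parse_sainfo(racoon_text)
    for e in (i, o):
        if (e["src"], e["dst"]) not in sainfo:
            problems.append(f"no sainfo for {e['src']} -> {e['dst']}")
    return problems

# Constructed samples: the pair from the post, and a variant with the 'out'
# endpoints copied unmirrored from the 'in' rule and a weak 'use' level.
SPD_OK = """spdadd 10.27.37.0/24 172.30.101.0/24 any -P in  ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;"""
SPD_BAD = """spdadd 10.27.37.0/24 172.30.101.0/24 any -P in  ipsec esp/tunnel/192.250.40.23-238.55.55.15/use;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;"""
RACOON_OK = """sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any { }
sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any { }"""
```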
