IP SEC filtering issue
agoodloe at saul.cis.upenn.edu
Sun Jun 1 06:28:30 PDT 2003
Thanks for your advice.
On Fri, 30 May 2003, Nielsen wrote:
> From experience I've found you have to break these things up on
> different machines. I don't have an intimate knowledge of how and when
> the IPSEC processing gets done in the kernel, and maybe if someone did
> they could figure out how and if you could do all of this on single
> But in our case, we break down the tasks between machines (traffic
> splitter, ipsec processing, etc...) and it works like a charm. It's
> also *much* easier to figure out what's wrong, heh. The machines don't
> have to be powerful.
> ----- Original Message -----
> From: "Alwyn Goodloe" <agoodloe at saul.cis.upenn.edu>
> To: <freebsd-security at FreeBSD.ORG>
> Sent: Wednesday, May 28, 2003 14:44
> Subject: IP SEC filtering issue
> > First thing to note is that I am using FreeBSD 4.8 .
> > We would like to send only the syn packet of a tcp connection
> > certain ipsec tunnels and the rest of the packets in a connection
> > a simple transport mode setup. Yeah, I know it's strange but what can I
> > say -- we do a lot of strange things. From the best I can tell, the
> > setkey/spadd filtering capability isn't sophisticated enough to
> > syn packets. Since ipfw does do this sort of thing we can use this
> > filter out the syn packet and using divert sockets (we have a lot
> > experience at writing divert sockets) we can put a wrapper
> > around it so that it goes to a particular port. Since ip sec can filter on
> > ports, we can just filter that out. The process should look
> > like:
> > syn ---> diverted and wrapped to head for port X ---->
> > ipsec filters on port X sends it into tunnel .........
> > ........... ipsec does its thing ---> divert socket unwraps --->
> > the packet on its way (not passing though ip sec again).
> > The divert socket solution seems to work fine on the sending side,
> > there seems to be problems on the receiving side. I suspect that ipfw is
> > looking at the packet before ipsec or some such thing. I know that
> > were postings about the interaction of ipfw and ipsec and that some
> > these were going to be fixed in 4.8.
> > If any of you know of a way to get ipsec to filter on syn packets let me
> > know. If you have ever tried to get divert sockets and ip sec working at
> > the same time let me know the secret. I suspect I'm just going to
> > to hack the ipsec filter to get it to filter on syn packets. Any ideas as
> > to how hard this will be
> > Alwyn Goodloe
> > agoodloe at saul.cis.upenn.edu
> > _______________________________________________
> > freebsd-security at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"