IP SEC filtering issue

Alwyn Goodloe agoodloe at saul.cis.upenn.edu
Wed May 28 13:44:17 PDT 2003


First thing to note is that I am using FreeBSD 4.8.

We would like to send only the SYN packet of a TCP connection through
certain IPsec tunnels and the rest of the packets in a connection through
a simple transport mode setup. Yeah, I know it's strange, but what can I
say -- we do a lot of strange things. From the best I can tell, the
setkey/spdadd filtering capability isn't sophisticated enough to detect
SYN packets. Since ipfw does do this sort of thing, we can use this to
filter out the SYN packet and, using divert sockets (we have a lot of
experience at writing divert sockets), we can put a wrapper
around it so that it goes to a particular port. Since IPsec can filter on
ports, we can just filter that out. The process should look something
like:

SYN ---> diverted and wrapped to head for port X ---->
         IPsec filters on port X, sends it into tunnel .........

 ........... IPsec does its thing ---> divert socket unwraps ---> sends
the packet on its way (not passing through IPsec again).

The divert socket solution seems to work fine on the sending side, but
there seem to be problems on the receiving side. I suspect that ipfw is
looking at the packet before IPsec or some such thing. I know that there
were postings about the interaction of ipfw and IPsec and that some of
these were going to be fixed in 4.8.

If any of you know of a way to get IPsec to filter on SYN packets, let me
know. If you have ever tried to get divert sockets and IPsec working at
the same time, let me know the secret. I suspect I'm just going to have
to hack the IPsec filter to get it to filter on SYN packets. Any ideas as
to how hard this will be?


Alwyn Goodloe

agoodloe at saul.cis.upenn.edu
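The wrapper the post sketches, as an added illustration (not code from the post or from FreeBSD): the divert-socket decision logic is modelled in Python, assuming the "wrap" is IP-in-UDP encapsulation toward a hypothetical port X (5000 here, my assumption) so that an SPD entry keyed on that UDP port can select the tunnel, and the receive side strips it again. The divert socket I/O itself (reading from and reinjecting into an IPPROTO_DIVERT socket) is left out; the sample packet is constructed inline.

```python
import struct

WRAP_PORT = 5000   # hypothetical "port X" of the post; assumed value, not from the list
TCP, UDP = 6, 17   # IPv4 protocol numbers

def ip_checksum(buf: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (0 when verifying a valid header)."""
    if len(buf) % 2:
        buf += b"\0"
    s = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def is_tcp_syn(pkt: bytes) -> bool:
    """First packet of a handshake: protocol TCP, SYN set, ACK clear (what ipfw's 'setup' keyword matches)."""
    if pkt[9] != TCP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13] & 0x12 == 0x02        # SYN=0x02, ACK=0x10

def wrap(pkt: bytes) -> bytes:
    """Encapsulate pkt as IPv4/UDP to WRAP_PORT so an SPD entry keyed on that port steers it into the tunnel."""
    udp_len = 8 + len(pkt)
    udp = struct.pack("!HHHH", WRAP_PORT, WRAP_PORT, udp_len, 0) + pkt   # UDP checksum 0 = none (IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, UDP, 0, pkt[12:16], pkt[16:20])
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the header checksum
    return hdr + udp

def unwrap(pkt: bytes):
    """Strip the wrapper if pkt is one of ours; None for any other packet (reinject it unchanged)."""
    if pkt[9] != UDP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    _, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != WRAP_PORT or ulen != len(pkt) - ihl:
        return None
    return pkt[ihl + 8:]

def divert_out(pkt: bytes) -> bytes:
    """Sending-side divert socket: wrap only the SYN; every other packet is reinjected as-is."""
    return wrap(pkt) if is_tcp_syn(pkt) else pkt

def sample_tcp(flags: int) -> bytes:
    """Constructed IPv4+TCP packet 10.0.0.1:40000 -> 10.0.0.2:80 (TCP checksum left 0; illustration only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp
```

With the SYN carried inside UDP to port X, the matching SPD entry can be written on that port, and on the far side the same port test tells the divert socket which packets to unwrap and which to leave alone.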

More information about the freebsd-security mailing list