PF + gif + ipsec + racoon + routing problems results in insecure ipsec vpn

Daniel Duerr dd at ouido.net
Fri May 17 01:22:45 UTC 2013


Hi everyone,

I wrote up a post on the FreeBSD forums about the issue I am having.  It's rather long so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595

In summary, it seems that when the packets are routed into the gateway from local network hosts, the src and dst addresses are changed to the public IPs of the tunnel -- at least from the perspective of the ipsec stack. This is breaking the ESP encryption in certain cases. I found a workaround, but it is not what is documented in the handbook.

In short, if you set up a vpn per the FreeBSD Handbook article that I mention in my post, you are left with a most-insecure vpn which you believe is secure. Traffic is only secure *between* the two gateways, but *not* between hosts behind those gateways (i.e. private hosts at either site).

(I apologize in advance if I'm breaking a mailing list rule by pointing you all to the forum URL -- I'm somewhat new to the list).

Thanks,
Daniel
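The failure mode above (host-to-host traffic leaving the gateway unencrypted, or only IP-in-IP encapsulated, while gateway-to-gateway traffic shows up as ESP) can be checked from a packet capture on the external interface. The following is an added example, not code from the post or from FreeBSD: it scans tcpdump-style output for LAN-to-LAN packets that are not inside ESP. The subnets, public addresses and sample capture lines are constructed placeholders.

```python
"""Flag cleartext LAN-to-LAN packets in tcpdump output from a VPN gateway's
external interface.  Any hit means site-to-site host traffic is leaving the
gateway without ESP protection (constructed example, assumed addressing)."""
import ipaddress
import re

# Assumed private networks behind the two gateways (placeholders).
SITE_A = ipaddress.ip_network("192.168.1.0/24")
SITE_B = ipaddress.ip_network("192.168.2.0/24")

# Matches every "IP <src>[.port] > <dst>[.port]:" header on a line; an IP-in-IP
# (gif) packet prints two of these, outer first, then inner.
HDR = re.compile(r"IP (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
                 r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:")

# Constructed sample in the style of `tcpdump -ni <ext_if>`; not a real capture.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x00001000,seq=0x1), length 116
12:00:01.000002 IP 192.168.1.5 > 192.168.2.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000003 IP 203.0.113.10 > 198.51.100.20: IP 192.168.1.5 > 192.168.2.7: ICMP echo request, id 1, seq 2, length 64 (ipip-proto-4)
12:00:01.000004 IP 192.168.1.5 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 64
"""


def is_lan_to_lan(src, dst):
    """True when src and dst are private hosts at opposite sites."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in SITE_A and d in SITE_B) or (s in SITE_B and d in SITE_A)


def find_cleartext_lan_traffic(capture_text):
    """Return (line_number, src, dst) for each LAN-to-LAN header that is
    visible in the clear, i.e. on a line that is not an ESP packet."""
    leaks = []
    for lineno, line in enumerate(capture_text.splitlines(), start=1):
        if "ESP(" in line:
            continue  # encrypted; inner addresses are not visible, as intended
        for src, dst in HDR.findall(line):
            if is_lan_to_lan(src, dst):
                leaks.append((lineno, src, dst))
    return leaks


if __name__ == "__main__":
    for lineno, src, dst in find_cleartext_lan_traffic(SAMPLE):
        print(f"line {lineno}: cleartext LAN traffic {src} -> {dst}")
```

Line 3 of the sample is the case the post describes: the gif tunnel carries the inner packet between the public gateway addresses, but without ESP the inner LAN headers and payload are readable on the wire.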


More information about the freebsd-security mailing list