FW: iHEADS UP: ipsec packet filtering change
David Kelly
dkelly at HiWAAY.net
Thu May 15 16:45:53 PDT 2003
On Thursday 15 May 2003 04:47 pm, Subscriber wrote:
> > -----Original Message-----
> > From: Greg Panula [mailto:greg.panula at dolaninformation.com]
> >
> > You don't really need the gif tunnels for ipsec. Gif is more
> > geared towards ipv4 <=> ipv6 type tunnels. A few of ipsec how-to's
> > mention using gif tunnels and I've been tripped up by it, too.
> >
> > ipsec is much easier without the gif tunnels. The ipsec policy
> > definition is explained in the setkey man page. Basically for
> > tunnels it is: spdadd ${remote net} ${local net} any -P in ipsec
> > esp/tunnel/${remote gateway}-${local gateway}/unqiue; and
> > spdadd ${local
> > net} ${remote net} any -P out ipsec esp/tunnel/${local
> > gateway}-${remote
> > gateway}/unique;
>
> I have seen this said before. I've also seen it said that gif
> is just a way of getting the routing right. But every single
> practical example I have seen about how to set up a VPN link
> between two Lans using FreeBSD boxes uses gif.
>
> I'm using gif. If I take it out and just use plain setkey and
> racoon, what should I substitute to get the packets addressed
> to my office network sent through the tunnel?
I too have heard it said. Last fall with 4.7-stable I removed the
gifconfig stuff from an IPsec tunnel I administer and lo and behold it
worked!
Then moved from the 4.7-stable branch of RELENG_4 to RELENG_4_7 to see
if I could resolve another problem where ipfw treated packets coming
out of my tunnel as having come from the interface their tunnel was
routed (my external NIC, fxp1). Wanted to /dev/null any RFC 1918
addresses from the outside world but didn't want to do the same for my
own RFC 1918 nets.
My IPsec tunnel no longer worked in 4_7 until I uncommented the very gif
stuff I had earlier removed.
There is now a section in the LINT config describing current policy:
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that packets coming from a tunnel are _not_ processed;
# they are assumed trusted.
#
# Note that enabling this can be problematic as there are no mechanisms
# in place for distinguishing packets coming out of a tunnel (e.g. no
# encX devices as found on openbsd).
#
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
--
David Kelly N4HHE, dkelly at hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
More information about the freebsd-stable
mailing list