On Thu, Jul 24, 2003 at 03:50:26PM -0500, Rick Kennell wrote:
> I'm not using a tunnel. I'll describe what (I believe) is happening:
>
> I have two systems that are set up with an IPsec policy that requires
> all packets sent between them to have an AH header and the payload
> encapsulated in an ESP section. Interaction with other hosts is normal.
>
> When the packet comes in, netfilter sees it as an ESP packet. Even the
> INPUT chains in the mangle and filter tables see the packet as an ESP
> packet. I don't see a reason why the INPUT chains wouldn't want to see
> a decrypted (or, as you put it, decapsulated) packet. Instead, it appears
> that the packet is decapsulated after it's out of the filter table's
> INPUT chain, i.e. it gets decapsulated between netfilter and the
> application.
>
> Maybe the implementation should be changed to decapsulate the packet
> just after the routing decision but before the INPUT chains?
>
> Surely there must be some way of doing port-based filtering of ESP
> packets that are known to be bound for the local host.

Then I'm sorry. I don't know. I've always had problems with the interaction between FreeS/WAN and netfilter. If the traffic is meant for the localhost then, you're right, it should be visible in the clear to the INPUT chain. The only thing I've heard which is promising is that 2.5 has native IPsec support in the kernel which is supposed to work well with the other subsystem.

Ramin

> --
> Rick Kennell <kennell@xxxxxxxxxxxxxx>
> Purdue University Department of Electrical and Computer Engineering