Re: IPSec - IPTables issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Pablo,
(netfilter guys, please read 
http://www.uwsg.iu.edu/hypermail/linux/net/0405.0/0002.html before)

Pablo Neira [Mon, May 03, 2004 at 01:48:15PM +0200]:
> Hi Nico,
> 
> since this stuff is netfilter-related and netfilter/iptables geeks are 
> mostly in netfilter's maillist, I think you could redirect this request 
> there, someone could help you out.

Thank you for the hint. I first thought this is a netfilter problem, but
currently I don't think so.

The problem is IMHO the design of the Linux IPSec implementation.

I'll compare what freeswan did with what Linux 2.6 does now:

Freeswan has virtual devices (ipsec*), through which the unencrypted
packets come into the system. So you can add these firewall lines:

- allow AH, ESP, UDP/500, deny rest on eth0
- allow IPs/networks, etc. on ipsec0

With Linux 2.6 I don't have virtual devices. This means that my IPSec
packets enter the physical device twice:

1. esp encrypted packet enters
2. Linux decrypts it
3. Linux sends the unencrypted packets through the same device again

The problem with that is, that

- allow AH, ESP, UDP/500, deny rest on eth0

will deny the _content_ of my encrypted packages (step three is broken).

Wouldn't this work fine, if we have the virtual device like freeswan had
or is netfilter broken with this?

I mean I cannot practicly setup an IPSec only access point with the current
netfilter and ipsec in Linux 2.6, or am I deadly wrong?

Greetings,

Nico


-- 
Keep it simple & stupid, use what's available.
pgp: 8D0E E27A          | Nico Schottelius
http://nerd-hosting.net | http://linux.schottelius.org

Attachment: pgp00866.pgp
Description: PGP signature


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux