Hello Pablo, (netfilter guys, please read http://www.uwsg.iu.edu/hypermail/linux/net/0405.0/0002.html before) Pablo Neira [Mon, May 03, 2004 at 01:48:15PM +0200]: > Hi Nico, > > since this stuff is netfilter-related and netfilter/iptables geeks are > mostly in netfilter's maillist, I think you could redirect this request > there, someone could help you out. Thank you for the hint. I first thought this is a netfilter problem, but currently I don't think so. The problem is IMHO the design of the Linux IPSec implementation. I'll compare what freeswan did with what Linux 2.6 does now: Freeswan has virtual devices (ipsec*), through which the unencrypted packets come into the system. So you can add these firewall lines: - allow AH, ESP, UDP/500, deny rest on eth0 - allow IPs/networks, etc. on ipsec0 With Linux 2.6 I don't have virtual devices. This means that my IPSec packets enter the physical device twice: 1. esp encrypted packet enters 2. Linux decrypts it 3. Linux sends the unencrypted packets through the same device again The problem with that is, that - allow AH, ESP, UDP/500, deny rest on eth0 will deny the _content_ of my encrypted packages (step three is broken). Wouldn't this work fine, if we have the virtual device like freeswan had or is netfilter broken with this? I mean I cannot practicly setup an IPSec only access point with the current netfilter and ipsec in Linux 2.6, or am I deadly wrong? Greetings, Nico -- Keep it simple & stupid, use what's available. pgp: 8D0E E27A | Nico Schottelius http://nerd-hosting.net | http://linux.schottelius.org
Attachment:
pgp00866.pgp
Description: PGP signature
