
Transparent Squid proxy through IPSec

Hi,

I'm running Squid 2.4 on a FreeBSD machine.
Two days ago, I configured IPSec for my wireless LAN. So I have a wired LAN 
and a secure wireless LAN.

Squid runs on the wired LAN as a transparent proxy. The clients on the network 
will always be redirected through the proxy, even if they have no proxy server 
configured. It works great.

The configuration for ipnat (to redirect HTTP traffic through Squid) is:

rdr sis0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

sis0 = wired LAN interface on FreeBSD server.

I want to configure this also for the wireless LAN. But I think it's a problem 
because the wireless LAN is secured by IPSec. The IP header and body are 
encrypted with AH and ESP.

When I run tcpdump on the unsecured (no IPSec) wired LAN, I see this:

19:43:04.275456 PIV-2400.epauli.dyndns.org.36704 > www.xs4all.nl.http: F 
2306:2306(0) ack 25327 win 14060 <nop,nop,timestamp 25426808 442068678> (DF)
19:43:04.275479 www.xs4all.nl.http > PIV-2400.epauli.dyndns.org.36704: . ack 
2307 win 65535 <nop,nop,timestamp 442068680 25426808> (DF)

Ipnat (I use that for redirecting HTTP traffic on port 80 through Squid) can 
handle that traffic, because source and destination address and port numbers 
are viewable.

When I run tcpdump for the secured connection, the only thing I can see is ESP 
encrypted traffic and the source and destination IPv4 address and no 
port numbers.

19:41:35.457404 192.168.2.3 > 192.168.2.1: AH(spi=0x04572f8e,seq=0xc3a0): 
ESP(spi=0x06211586,seq=0xc3a0) (DF)
19:41:35.465699 192.168.2.1 > 192.168.2.3: AH(spi=0x0eda8b37,seq=0x164bc): 
ESP(spi=0x077870a2,seq=0x164bc)
19:41:35.468010 192.168.2.3 > 192.168.2.1: AH(spi=0x04572f8e,seq=0xc3a1): 
ESP(spi=0x06211586,seq=0xc3a1) (DF)
19:41:35.475919 192.168.2.1 > 192.168.2.3: AH(spi=0x0eda8b37,seq=0x164bd): 
ESP(spi=0x077870a2,seq=0x164bd)

I think it's not possible to transparently redirect traffic to Squid when IPSec 
is used, because no traffic data is available.
True or not true?

Can someone tell me how I can redirect traffic through Squid on an IPsec 
secured (wireless) LAN?

Thanks!

-- 
Edwin Pauli
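As an added example (not part of the post, and not Squid or ipfilter code), the following Python script parses the two tcpdump line formats quoted above and reports, for each packet, which fields an ipnat rdr rule of the form "port 80 ... tcp" could match on. The sample input is the post's own tcpdump output rejoined onto single lines; the service-name table and the field names are assumptions of this example. It makes the point concrete: before ESP decryption, a packet exposes only the outer addresses and SPIs, so a port-based redirect rule has nothing to match, while the cleartext wired-LAN lines carry the destination port the rule needs.

```python
import re

# Constructed sample input: the tcpdump lines quoted in the post, rejoined onto
# single lines (the mail client had wrapped them).
SAMPLE_LINES = [
    "19:43:04.275456 PIV-2400.epauli.dyndns.org.36704 > www.xs4all.nl.http: F "
    "2306:2306(0) ack 25327 win 14060 <nop,nop,timestamp 25426808 442068678> (DF)",
    "19:43:04.275479 www.xs4all.nl.http > PIV-2400.epauli.dyndns.org.36704: . ack "
    "2307 win 65535 <nop,nop,timestamp 442068680 25426808> (DF)",
    "19:41:35.457404 192.168.2.3 > 192.168.2.1: AH(spi=0x04572f8e,seq=0xc3a0): "
    "ESP(spi=0x06211586,seq=0xc3a0) (DF)",
    "19:41:35.465699 192.168.2.1 > 192.168.2.3: AH(spi=0x0eda8b37,seq=0x164bc): "
    "ESP(spi=0x077870a2,seq=0x164bc)",
]

# AH+ESP line: only the outer addresses and the SPIs are visible; the
# transport header (and therefore any port number) sits inside the ESP payload.
IPSEC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): "
    r"AH\(spi=(?P<ah_spi>0x[0-9a-f]+),seq=[^)]+\): ESP\(spi=(?P<esp_spi>0x[0-9a-f]+),"
)
# Cleartext TCP line: tcpdump prints host.port on both sides.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
)

# Assumed service-name table (tcpdump resolves well-known ports to names).
SERVICE_PORTS = {"http": 80, "https": 443}

# The ipnat rule from the post redirects TCP to destination port 80 only.
RDR_DPORT = 80


def _port(token: str) -> int:
    """Turn a tcpdump port token (number or service name) into a port number."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def classify(line: str) -> dict:
    """Return the fields a port-based rdr rule could match on for one tcpdump line."""
    m = IPSEC_RE.match(line)  # try the IPsec form first: "192.168.2.1" would otherwise parse as host "192.168.2" port "1"
    if m:
        return {
            "kind": "ipsec",
            "src": m["src"], "dst": m["dst"],
            "sport": None, "dport": None,          # hidden inside ESP
            "ah_spi": m["ah_spi"], "esp_spi": m["esp_spi"],
            "rdr_can_match": False,                # no port to match before decryption
        }
    m = TCP_RE.match(line)
    if m:
        dport = _port(m["dport"])
        return {
            "kind": "tcp",
            "src": m["src"], "dst": m["dst"],
            "sport": _port(m["sport"]), "dport": dport,
            "ah_spi": None, "esp_spi": None,
            "rdr_can_match": dport == RDR_DPORT,   # matches "port 80 ... tcp" in the rdr rule
        }
    raise ValueError(f"unrecognised tcpdump line: {line!r}")


def summarise(lines) -> list:
    """Per line: (kind, destination port or None, whether the rdr rule would match)."""
    return [(r["kind"], r["dport"], r["rdr_can_match"]) for r in map(classify, lines)]


if __name__ == "__main__":
    for kind, dport, ok in summarise(SAMPLE_LINES):
        print(f"{kind:5} dport={dport!s:5} rdr_can_match={ok}")
```

Only the first wired-LAN line (client to www.xs4all.nl, destination port 80) is something the rdr rule would act on; the reply packet has port 80 as its source, and both IPsec lines expose no port at all. Whatever interception is used on the wireless side has to operate on the packet after the kernel has stripped AH/ESP, because that is the first point at which the TCP destination port exists for a rule to inspect.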
