
linux-ipsec: klips and linux firewalling

From: Thilo Bindel <bnd(at)ep-ag.com>
Date: Sun Jul 05 1998 - 05:39:14 EDT


I've just joined this mailing list and wasn't able to get the archive at ftp://ftp.clinet.fi/pub/Linux-IPSEC (times out every time), so please be indulgent if this topic was formerly covered.

I'm testing FreeS/WAN to verify that it is the right VPN solution for my company. Everything works fine, the whole thing is stable, fast and secure. (I'm not using pluto yet.)

But I've got a problem when using FreeS/WAN in conjunction with Linux Firewalling.

Example:

Tunneling with two security gateways (klips installed) and two small LANs behind them.  

Security gateway 1:

   eth0: 194.120.231.194/24 (insecure net)
   eth1: 10.0.2.1/24 (LAN 1)
Security gateway 2:

   eth0: 194.120.231.202/24
   eth1: 10.0.1.1/24 (LAN 2)


If I ping from a node within LAN 1 to a node within LAN 2, I get the following packet flow in Security gateway 1 (captured with patched firewalling):

outgoing request:

IP fw-in acc eth1 ICMP/8 10.0.2.2 10.0.1.2
IP fw-fwd acc ipsec0 ICMP/8 10.0.2.2 10.0.1.2
IP fw-out acc ipsec0 ICMP/8 10.0.2.2 10.0.1.2 
IP fw-fwd acc eth0 IPSEC/ESP 194.120.231.194 194.120.231.202
IP fw-out acc eth0 IPSEC/ESP 194.120.231.194 194.120.231.202

incoming response:

IP fw-in acc eth0 IPSEC/ESP 194.120.231.202 194.120.231.194
IP fw-in acc eth0 IPIP 194.120.231.202 194.120.231.194  
IP fw-in acc eth0 ICMP/0 10.0.1.2 10.0.2.2                   <-- PROBLEM
IP fw-fwd acc eth1 ICMP/0 10.0.1.2 10.0.2.2
IP fw-out acc eth1 ICMP/0 10.0.1.2 10.0.2.2

Since the incoming decrypted (and detunneled) packet is received again on eth0, no useful packet filtering is possible. I had to open eth0 for all packets coming from LAN 2, enabling all kinds of IP spoofing attacks coming from the insecure net.

My question now:
Why don't you change the skb's device after handling it via ipsecX? I've inserted the following in ipsec_esp.c and ipsec_ah.c before the skb is delivered with a netif_rx() call:

        /* change skb's associated device */
        if (ipsecdev)
           skb->dev = ipsecdev;

        if (stats) ...

This changes the behaviour in security gateway 1 for incoming packets:

IP fw-in acc eth0 IPSEC/ESP 194.120.231.202 194.120.231.194
IP fw-in acc ipsec0 IPIP 194.120.231.202 194.120.231.194
IP fw-in acc ipsec0 ICMP/0 10.0.1.2 10.0.2.2
IP fw-fwd acc eth1 ICMP/0 10.0.1.2 10.0.2.2
IP fw-out acc eth1 ICMP/0 10.0.1.2 10.0.2.2

Now filtering is possible, since only IP packets with protocol ID 50 coming from the partner gateway need to be accepted by eth0. eth0 need not be open for the (hidden) partner LAN.

I've just found the FreeS/WAN project one week ago, so feel free to correct me if I'm completely wrong.


Thanks for the great job you're doing. FreeS/WAN seems to be a project that is steadily worked on, which makes it my first choice!

Ciao

Thilo


Thilo Bindel, Sysadmin, bnd@ep-ag.com

EIGNER + PARTNER AG
Karlsruhe, Germany, http://www.ep-ag.com

Received on Sun Jul 5 06:54:26 1998
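The filtering problem Thilo describes can be made concrete with a small model of the gateway's input chain. The following is an added example written for this archive page, not code from the post or from FreeS/WAN: it models a default-deny input chain with (device, protocol, source network) accept rules, replays the two incoming packet flows exactly as the post's captures show them (stock KLIPS re-injecting on eth0, and the patched behaviour re-injecting on ipsec0), and then feeds in a constructed attacker packet: cleartext ICMP from the insecure net on eth0 carrying a forged LAN 2 source address. The rule sets, the `Packet`/`Rule` classes and the spoofed packet are all assumptions made for the illustration; the addresses and devices are the ones from the post.

```python
"""Model of KLIPS decapsulation vs. per-device input filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dev: str    # interface the input chain sees the packet on
    proto: str  # "ESP", "IPIP" or "ICMP"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    dev: str
    proto: str    # protocol name or "ANY"
    src_net: str  # CIDR of permitted source addresses


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dev != pkt.dev:
        return False
    if rule.proto != "ANY" and rule.proto != pkt.proto:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)


def input_verdict(policy, pkt: Packet) -> str:
    """Default-deny input chain: the packet is accepted only if some rule matches."""
    return "acc" if any(rule_matches(r, pkt) for r in policy) else "deny"


PEER_GW = "194.120.231.202"   # security gateway 2 (from the post)
OWN_GW = "194.120.231.194"    # security gateway 1 (from the post)
LAN1 = "10.0.2.0/24"
LAN2 = "10.0.1.0/24"

# Stock KLIPS: the decrypted, detunneled packet is re-injected on eth0, so eth0
# has to admit LAN 2 source addresses in the clear.  (Assumed rule set.)
POLICY_STOCK = [
    Rule("eth0", "ESP", PEER_GW + "/32"),
    Rule("eth0", "IPIP", PEER_GW + "/32"),
    Rule("eth0", "ANY", LAN2),   # the hole: forgeable from the insecure net
    Rule("eth1", "ANY", LAN1),
]

# With skb->dev = ipsec0: eth0 only needs ESP from the peer gateway; anything that
# came out of a tunnel is filtered on ipsec0 instead.  (Assumed rule set.)
POLICY_PATCHED = [
    Rule("eth0", "ESP", PEER_GW + "/32"),
    Rule("ipsec0", "IPIP", PEER_GW + "/32"),
    Rule("ipsec0", "ANY", LAN2),
    Rule("eth1", "ANY", LAN1),
]

# Incoming echo reply, as the post's two captures show it on gateway 1.
FLOW_STOCK = [
    Packet("eth0", "ESP", PEER_GW, OWN_GW),
    Packet("eth0", "IPIP", PEER_GW, OWN_GW),
    Packet("eth0", "ICMP", "10.0.1.2", "10.0.2.2"),
]
FLOW_PATCHED = [
    Packet("eth0", "ESP", PEER_GW, OWN_GW),
    Packet("ipsec0", "IPIP", PEER_GW, OWN_GW),
    Packet("ipsec0", "ICMP", "10.0.1.2", "10.0.2.2"),
]

# Constructed attacker packet: plain ICMP arriving on eth0 from the insecure net
# with a forged LAN 2 source; it never passed through a tunnel.
SPOOFED = Packet("eth0", "ICMP", "10.0.1.2", "10.0.2.2")


def flow_verdicts(policy, flow):
    return [input_verdict(policy, p) for p in flow]


def tunnel_traffic_passes(policy, flow) -> bool:
    """True if every stage of the decapsulated reply is accepted by the input chain."""
    return all(v == "acc" for v in flow_verdicts(policy, flow))


def spoof_blocked(policy) -> bool:
    return input_verdict(policy, SPOOFED) == "deny"


if __name__ == "__main__":
    for name, policy, flow in (("stock", POLICY_STOCK, FLOW_STOCK),
                               ("patched", POLICY_PATCHED, FLOW_PATCHED)):
        print(f"{name:8s} tunnel passes={tunnel_traffic_passes(policy, flow)} "
              f"spoof blocked={spoof_blocked(policy)}")
```

Both rule sets let the legitimate tunnel traffic through; the difference is only visible with the forged packet. Under the stock behaviour the rule that admits LAN 2 on eth0 (needed for the re-injected packet) also admits the spoof, whereas with the decapsulated packet attributed to ipsec0 the eth0 rules are reduced to ESP from the peer gateway and the spoof is dropped. The same model also shows why the patched rule set cannot be deployed against an unpatched kernel: the stock flow's IPIP and ICMP stages then fail on eth0.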

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:24 EDT

